Deepfakes, data breaches and democracy 

AI-generated deepfakes are increasingly being used maliciously for common scams and fraudulent schemes. 

Earlier this month, a Hong Kong-based firm lost around $25 million to a deepfake scam. A finance employee at the firm received a message about a confidential transaction and was asked to virtually meet with the UK-based CFO and other team members. The CFO and all other attendees were deepfakes created using artificial intelligence. While sceptical at first, following the virtual meeting the finance employee agreed to remit the large sum of money for the secret transaction. The employee realised this was a scam when later contacting the organisation’s head office. While this case has been handed over to Hong Kong police, the investigation is ongoing.

In its 2023 annual review, the National Cyber Security Centre (NCSC) warned that increased sophistication of AI-powered tools will make the spread of disinformation easier. Those with influence and access to sensitive information, including CFOs and other executive figures in organisations, are more likely to be used as leverage in cyber-attacks using deepfake technology. To protect from these threats, individuals may reconsider how much personal information is shared on social media. Beware of accepting unknown connections that may be seeking to cause reputational damage or trick individuals into revealing sensitive information. The UK National Protective Security Authority also has guidance on how to spot false profiles. 

Southern Water recently announced that the organisation had been a victim of a cyber-attack. The company has estimated that data belonging to around 5% to 10% of its customer base, including personal and financial information such as bank account details, may have been stolen for sale on the dark web. This incident was reported to the Information Commissioner’s Office (ICO) and is currently under investigation. Individuals and businesses concerned about a breach of their details have been advised to contact the ICO. 

The ICO has outlined how organisations can use security measures to manage data protection in a beginner’s guide. 

Several US bodies, including the US National Security Agency, have reported that a Chinese hacking group known as Volt Typhoon has had access to critical US infrastructure. This has raised wider concerns. The NCSC has in turn raised further warnings about state-sponsored cyber-attacks. Cyber-criminals are now using sophisticated techniques, known as ‘living off the land’, to hide their activity on infiltrated networks by blending in with the system and network behaviour.

In response to this threat, the Cybersecurity and Infrastructure Security Agency in the US has launched guidance on how to identify and mitigate ‘living off the land’ techniques with recommendations that include creating a baseline of activity and regularly reviewing logs to note unexpected activity and behaviour. 

Learning from lessons

Cybersecurity AI leader Darktrace has released a report reviewing the cyber threat trends in the second half of 2023. The findings show that Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) were most consistently used in cyber-attacks during this period. MaaS was mostly used to harvest data which was then sold, or as an initial attack which resulted in more damaging malware and ransomware attacks. 

One of the most prevalent ransomware strains includes LockBit, which is believed to be Russian-based. Cyber-criminals can purchase and use LockBit’s services to hack into the computers of organisations and lock out users until a ransom is paid. It is estimated that around 25% of all ransomware attacks in 2023 were conducted using LockBit. This month, in an operation led by the UK’s National Crime Agency (NCA), enforcement authorities were able to disrupt and infiltrate LockBit’s systems. With access to data on LockBit’s activities, the NCA hopes to prevent the return of the hacking group.

Many companies that are victims of ransomware attacks choose not to report the attacks and simply pay the ransom. While there are many reasons why they may do this, including coverage by insurance companies, sharing this information and reporting attacks can be important to help protect organisations from future attacks. The NCSC encourages the reporting of cyber incidents. It also provides an early warning service to inform organisations of potential cyber-attacks as soon as possible.

ICAEW’s Corporate Finance faculty also recently launched a Cyber Security in Corporate Finance guide to help organisations manage cyber risk and improve governance in the context of a corporate finance transaction. 

Online Safety Act launched 

New criminal offences in the Online Safety Act took effect from the end of January this year. The new offences aim to protect people, particularly children, from a wide range of abuse and harm when using online user-to-user services. 

The Online Safety Act intends to hold tech companies and online platforms to account for the content hosted on their sites. It does this by appointing Ofcom as the online safety regulator, giving it powers to restrict access to the services if it finds organisations are not meeting their duties as outlined in the legislation. 

These changes illustrate how embedding proactive risk management as part of a company’s broader approach to governance and compliance will be necessary. Organisations with online services will need to consider and represent user safety at all levels of the organisation. 

You can read more about the act and the new changes here. 

Want to learn more about cyber security?

Attend ICAEW’s cyber security immersion event on 6 June 2024. This hands-on approach to cyber risk management will be held in person. More details and pricing are available here.

Got an interesting cyber story for us? Email techfac@icaew.com