A LastPass employee this week was targeted in a phishing attack in which threat actors impersonated the company’s CEO using deepfake technology.
The incident, which occurred on Wednesday, failed because the employee became suspicious of the sense of urgency the threat actors were trying to create, the password manager owned by GoTo says.
Furthermore, the attempted communication was outside of normal business hours and presented signs of social engineering, LastPass says.
“In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp,” LastPass says.
The incident, the company says, had no impact on LastPass, mainly because the employee ignored the communication and reported it to the security team.
“However, we did want to share this incident to raise awareness that deepfakes are increasingly not only the purview of sophisticated nation-state threat actors and are increasingly being leveraged for executive impersonation fraud campaigns,” LastPass notes.
The term ‘deepfake’ describes synthetic media – such as images and audio and video content – meant to create false narratives that seemingly originate from trusted sources. Leveraging AI and ML, deepfakes can be highly realistic.
In September last year, several US government agencies warned of the threat posed by deepfakes, which are used mainly as part of propaganda and misinformation campaigns.
In May 2022, Europol warned that, if left unchecked, deepfakes could become the next big weapon in cybercriminals’ arsenal.
According to LastPass, deepfakes have been used in business email compromise (BEC) attacks for at least half a decade, with the employees of at least two companies known to have been tricked via deepfake audio or video calls to transfer funds to cybercriminals.
This week’s failed attempt on LastPass shows once again that deepfakes are increasingly used by threat actors and that employee training is essential in preventing the successful execution of such attacks.
“Impressing the importance of verifying potentially suspicious contacts by individuals claiming to be with your company through established and approved internal communications channels is an important lesson to take away from this attempt,” LastPass notes.
Related: Deepfakes – Significant or Hyped Threat?
Related: Defeating the Deepfake Danger
Related: UK Cybersecurity Center Says ‘Deepfakes’ and Other AI Tools Pose a Threat to the Next Election
