Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

LastPass Employee Targeted With Deepfake Calls

LastPass this week revealed that one of its employees was targeted in a phishing attack involving deepfake technology.

Hackers Stole Encrypted Backups, MFA Settings from GoTo, LastPass

A LastPass employee this week was targeted in a phishing attack in which threat actors impersonated the company’s CEO using deepfake technology.

The incident, which occurred on Wednesday, failed because the employee became suspicious of the sense of urgency the threat actors were trying to create, the password manager owned by GoTo says.

Furthermore, the attempted communication was outside of normal business hours and presented signs of social engineering, LastPass says.

“In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp,” LastPass says.

The incident, the company says, had no impact on LastPass, mainly because the employee ignored the communication and reported it to the security team.

“However, we did want to share this incident to raise awareness that deepfakes are increasingly not only the purview of sophisticated nation-state threat actors and are increasingly being leveraged for executive impersonation fraud campaigns,” LastPass notes.

The term ‘deepfake’ describes synthetic media – such as images and audio and video content – meant to create false narratives that seemingly originate from trusted sources. Leveraging AI and ML, deepfakes can be highly realistic.

In September last year, several US government agencies warned of the threat posed by deepfakes, which are used mainly as part of propaganda and misinformation campaigns.

Advertisement. Scroll to continue reading.

In May 2022, Europol warned that, if left unchecked, deepfakes could become the next big weapon in cybercriminals’ arsenal.

According to LastPass, deepfakes have been used in business email compromise (BEC) attacks for at least half a decade, with the employees of at least two companies known to have been tricked via deepfake audio or video calls to transfer funds to cybercriminals.

This week’s failed attempt on LastPass shows once again that deepfakes are increasingly used by threat actors and that employee training is essential in preventing the successful execution of such attacks.

“Impressing the importance of verifying potentially suspicious contacts by individuals claiming to be with your company through established and approved internal communications channels is an important lesson to take away from this attempt,” LastPass notes.

Related: Deepfakes – Significant or Hyped Threat?

Related: Defeating the Deepfake Danger

Related: UK Cybersecurity Center Says ‘Deepfakes’ and Other AI Tools Pose a Threat to the Next Election

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights