Cybercrime

LastPass Employee Targeted With Deepfake Calls

LastPass this week revealed that one of its employees was targeted in a phishing attack involving deepfake technology.

Published

A LastPass employee this week was targeted in a phishing attack in which threat actors impersonated the company’s CEO using deepfake technology.

The incident, which occurred on Wednesday, failed because the employee became suspicious of the sense of urgency the threat actors were trying to create, the password manager owned by GoTo says.

Furthermore, the attempted communication was outside of normal business hours and presented signs of social engineering, LastPass says.

“In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp,” LastPass says.

The incident, the company says, had no impact on LastPass, mainly because the employee ignored the communication and reported it to the security team.

“However, we did want to share this incident to raise awareness that deepfakes are increasingly not only the purview of sophisticated nation-state threat actors and are increasingly being leveraged for executive impersonation fraud campaigns,” LastPass notes.

The term ‘deepfake’ describes synthetic media – such as images and audio and video content – meant to create false narratives that seemingly originate from trusted sources. Leveraging AI and ML, deepfakes can be highly realistic.

In September last year, several US government agencies warned of the threat posed by deepfakes, which are used mainly as part of propaganda and misinformation campaigns.

Advertisement. Scroll to continue reading.

In May 2022, Europol warned that, if left unchecked, deepfakes could become the next big weapon in cybercriminals’ arsenal.

According to LastPass, deepfakes have been used in business email compromise (BEC) attacks for at least half a decade, with the employees of at least two companies known to have been tricked via deepfake audio or video calls to transfer funds to cybercriminals.

This week’s failed attempt on LastPass shows once again that deepfakes are increasingly used by threat actors and that employee training is essential in preventing the successful execution of such attacks.

“Impressing the importance of verifying potentially suspicious contacts by individuals claiming to be with your company through established and approved internal communications channels is an important lesson to take away from this attempt,” LastPass notes.

Related: Deepfakes – Significant or Hyped Threat?

Related: Defeating the Deepfake Danger

Related: UK Cybersecurity Center Says ‘Deepfakes’ and Other AI Tools Pose a Threat to the Next Election

In this article:

Related Content

AI Safety

Artificial Intelligence

Deepfake of Principal’s Voice Is the Latest Case of AI Being Used for Harm

Everyone — not just politicians and celebrities — should be concerned about this increasingly powerful deep-fake technology, experts say.

May 1, 2024

Artificial Intelligence

UK Cybersecurity Center Says ‘Deepfakes’ and Other AI Tools Pose a Threat to the Next Election

Britain’s cybersecurity agency said that artificial intelligence poses a threat to the country’s next election, and cyberattacks by hostile countries and their proxies are...

November 14, 2023

Fraud & Identity Theft

US Agencies Publish Cybersecurity Report on Deepfake Threats

CISA, FBI and NSA have published a cybersecurity report on deepfakes and recommendations for identifying and responding to such threats.

September 13, 2023

Cyberwarfare

Pre-Deepfake Campaign Targets Putin Critics

Russia is continuing its campaign of disinformation around the Ukraine war through advanced social engineering delivered by a threat group tracked as TA499.

March 7, 2023

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version