How are you updating your security awareness training to address deepfakes, synthetic media or other tactics? Are you adding specific modules to educate staff on these risks (or other emerging attack methods)?

Senior Community Manager in Services (non-Government), 8 hours ago

We’ve seen campaigns targeting our users where they receive text messages or WhatsApp messages featuring our CEO’s or CFO’s display picture, often taken from social media. These messages typically ask the recipient to take specific actions, such as calling a number or performing a task. Over time, our executives have become more aware and now report these incidents to us. While we haven’t yet experienced a deepfake attack firsthand, I am aware of organizations that have been impacted by deepfakes, both in video format and through AI-generated personas joining Zoom calls. In some cases, people joined meetings where some participants were entirely AI-generated, leading to serious consequences.

To address this, we have introduced an awareness component in our training, informing staff that these scenarios are possible. We are also evaluating products to enhance our defenses. One interesting solution we looked at is called Adaptive Security, which demonstrated how SMS-based messages and voice messages could be convincingly faked. For example, they used our CIO’s voice from a public talk to create an authentic-sounding voice message. This demonstration highlighted the sophistication of current threats and reinforced the need to upgrade our phishing, vishing, and AI-phishing training.

CISO, 8 hours ago

This is an interesting area for us. Typically, I don’t have executives requesting phishing campaigns, but our CFO specifically asked me to target employees who handle wire transfers, attempting to trick them into thinking a request was coming from him. He would never actually make such a request, so the exercise was really centered around common sense rather than just spotting suspicious URLs or anomalies in emails. The outcome was very positive, and the staff involved received targeted training.

I’ve assigned someone to design these phishing campaigns to make them challenging, as some can be too easy. For one campaign, our team member created a training video using AI, so it wasn’t actually him in the video—it just looked and sounded like him. We leveraged these tools to create a realistic scenario, though in our environment, a video from the CFO would be unusual and likely raise suspicion. Looking ahead, as deepfake technology becomes more interactive, I anticipate we’ll need to be even more aggressive in our approach. We recently ran another campaign with our HR team, again crafting a scenario that was specific and unlikely to be a genuine request from the head of HR. Our focus is on training staff to use common sense, not just to look for anomalies in emails.

We use KnowBe4 as the foundation for our phishing campaigns and much of our training. However, we’re finding that we need more tailored training, such as modules specific to how we conduct financial wire transfers. Customization has become more important, but KnowBe4 remains a solid platform for us.
