The Federal Bureau of Investigation has issued a warning to businesses due to an increasing number of complaints received by its Internet Crime Complaint Center (IC3) about the use of deepfakes in applications for remote working and work-from-home positions.
Deepfakes of images, video, and audio files can be very convincing and difficult to distinguish from genuine content. Deepfakes are often created using AI/machine learning algorithms, and the technology for creating deepfakes is becoming cheaper and more widely available. Deepfakes have been used to create non-consensual pornography, or revenge porn, against previous partners. There have also been cases of deepfakes being used on video conferencing platforms for CEO fraud/BEC attacks, in which employees are tricked into believing they are communicating with the CEO and are asked to make financial transactions.
Complaints received by IC3 include applicants who have used voice spoofing, which may have involved the use of voice deepfakes during online job interviews. There have been cases where the audio does not match the individual on camera, with lip movements not matching what is visually presented, and auditory actions such as coughs and sneezes not reflected in the videos.
There have been several complaints made about the use of stolen personally identifiable information by individuals fraudulently trying to gain employment. Background checks have revealed some of the PII submitted by applicants belonged to other people.
According to IC3, the complaints have mainly been filed by businesses in the Information Technology sector and have been related to applications for computer programming, database, and software-related jobs. The aim appears to be to obtain employment for the access a position will provide to the corporate network, which in many cases will involve access to sensitive proprietary data, financial information, corporate IT databases, and customer information.
IC3 is encouraging all businesses to be aware of these techniques and exercise caution and report any instances where job applicants are suspected of using stolen PII or deepfakes to IC3.