LastPass employee avoids disaster by sniffing out that his CEO’s WhatsApp call was a deepfake


Mélina LOUPIA

April 14, 2024 at 11:55 a.m.

At LastPass, the boss doesn't call his employees on WhatsApp © Melnikov Dmitriy / Shutterstock

LastPass narrowly avoided a WhatsApp deepfake trap thanks to the vigilance of one of its employees and its internal security protocols.

Password management company LastPass came close to disaster. It faced a phishing attempt using a voice deepfake, some of which are so sophisticated that they manage to deceive voice authentication systems. A hacker used deepfake audio to imitate the company’s CEO, Karim Toubba, in order to defraud an employee.

This attack, which took place on WhatsApp, was quickly spotted because of its unusual nature and the alleged urgency of the call. The targeted employee exercised good judgment by ignoring the requests and alerting LastPass security.

The attack was quickly neutralized, and it gave LastPass the opportunity to raise awareness among its employees of the risks of deepfakes.

A deepfake narrowly sniffed out

Deepfakes, hyper-realistic imitations generated by artificial intelligence, are increasingly used by cybercriminals to deceive and manipulate their victims, most of the time to extort money from them. In the case of LastPass, the deepfake audio was so convincing that it nearly fooled the targeted employee despite his heightened awareness.

The employee, after being bombarded with calls and voice messages from his alleged CEO, was able to recognize the red flags of an attempted fraud: the use of WhatsApp, a communication channel that is unconventional at LastPass; the pressure of unwarranted urgency in the text messages he received; and calls outside normal working hours.

These red flags led the employee to ignore the fake CEO’s attempts to contact him and, at the same time, to report the incident to LastPass security.

Deepfakes worry the planet © Who is Danny / Shutterstock

Recommendations against the growing threat of deepfakes

This mishap had a happy ending, but shook the LastPass community. “To be clear, this had no impact on our business. However, we wanted to share this incident to raise awareness that deepfakes are not only the purview of sophisticated nation-state level threat actors, but are increasingly being exploited for impersonation fraud campaigns of leaders”, explains Mike Kosak, cyber threat intelligence specialist, on the LastPass website.

Deepfakes are a growing concern globally. A study from University College London showed that the human ability to detect these hoaxes is currently limited. In February 2024, fraudsters used deepfake technology to stage a fake video conference and trick an employee of a multinational into paying them $25 million.

Large IT organizations recognize the threat posed by deepfakes. At least 20 of them, including Google, Meta Platforms, Microsoft and OpenAI, have signed a new “technology agreement” aimed at preventing deepfakes during the 2024 global election period.

Clubic, for its part, recommends that you exercise the greatest caution in the face of voice deepfakes, a trap into which more and more of you are unfortunately falling. For example, we offer you a tool to protect your photos from manipulation through the malicious misuse of AI, or the help of Apate, a chatbot programmed to keep crooks talking while they try to scam you by phone.

LastPass

  • Unlimited password storage
  • Dark web monitoring (Premium)
  • Interface

LastPass is very easy to learn. Everything is intuitive and well organized, whether with the version to install on computer or the mobile applications. Like other online managers, the desktop version offers more adjustment possibilities. Available for free or in Premium (and Family) versions, LastPass will meet all your needs. However, with 2022 marked by security issues encountered by the company, LastPass’s reputation is now tarnished, and it will be necessary for the manager to redouble its efforts to regain user trust.

Sources: Bleeping Computer, LastPass, University College London

Mélina LOUPIA
Ex-corporate journalist, the world of the web, networks, connected machines and everything that is written on the Internet whets my appetite. From the latest TikTok trend to the most liked reels, I come from the Facebook generation that still fascinates the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (that, lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.