Is HR the Next Big Target for Deepfake Hackers?
Workspan Daily
July 23, 2024
Key Takeaways

  • HR is vulnerable to deepfakes. Evolving AI technology provides new ways to target human resources departments, which guard a wealth of valuable employee data.
  • Deepfakes are increasingly believable. Hackers’ latest tools are so convincing, you may think you’re talking to your boss or an employee or job candidate.
  • Multi-faceted solutions. Act now to mitigate risk in this area. Work with other departments, use technology and don’t discount the human factor. 

Artificial intelligence (AI) technology is experiencing a “quantum-level evolution,” according to cybersecurity expert Michael Marcotte, making human resources departments vulnerable to new levels of cyberattacks.

But HR can also be part of the solution.

Intensifying the risk for organizations today is the continual evolution of deepfakes — deceptive or manipulated video and audio content created through AI, often resulting in lifelike imitations of real people. That technology, combined with the here-to-stay ubiquity of remote work, signals a necessary reinvention for HR departments, said Marcotte, the co-founder of the National Cybersecurity Center, and currently the chairman and CEO of security management firm artius.iD.

“The AI tools we’ve had in the background for literally decades now have been exposed to the general public,” Marcotte said. “They’re relatively easy to use, and that has opened up a new fleet of what I’d call neophyte hackers with powerful tools in their hands. That poses a new threat assessment on the [HR] environment that we’ve not seen before.”

HR departments, he added, may be particularly vulnerable because they typically assume they’re not a likely target. Here’s how they can shore up their defenses.

A Gateway to the Organization

HR departments are a common entry into an organization for scammers, both because HR frequently interacts with outside individuals via video and receives downloadable documents such as resumes, and because the function holds valuable employee data.

Confronted with a deepfake, HR professionals may be communicating with an entity (via videoconferencing call, voicemail, email or text) that looks, sounds and/or corresponds remarkably like a job candidate, an outside organization such as the Internal Revenue Service, a familiar coworker or their boss — even to the extent of being able to answer their questions.

Successful scams could result in the theft of organizational funds, the release or illicit use of corporate information, and/or the theft of employee identities.

All Hands on Deck

Protecting against HR-related scams and attacks likely should involve collaborating with colleagues in the information technology, legal, risk management or compliance, finance, and communications departments.

In this protection partnership, HR’s strength lies in its role not as a cybersecurity subject matter expert but as a diplomat and facilitator, Marcotte said.

For instance, HR needs to get the chief financial officer on board with financing cybersecurity measures, said Dave Walton, partner and chair of the Artificial Intelligence Practice Group at Fisher Phillips LLP.

“Data security doesn’t generate revenue and, in other circumstances, it may be hard to get funding for data security,” Walton said. “But if you don’t spend money to protect your data, it can expose you to all types of liability and all types of business problems.”

Gird for an Attack and Limit the Spoils 

HR departments should not save or store video recordings of employees, or pictures of employee IDs or passports used for biometric authentication, since both types of media can be used to create deepfakes, Marcotte said. Missteps in this area may make a successful cyberattack much more fraught — hackers likely would not only have access to data typically held by HR and total rewards professionals (e.g., addresses, Social Security numbers, dates of birth, banking information), but hackers may also be able to create believable video or audio of those employees to impersonate them more easily.

Marcotte also urged organizations to develop a crisis management plan that, in the case of a cyberattack, would guide cybersecurity breach protocols, strategy for a public response and the initiation of legal mechanisms — which first should consider the employees whose information was accessed or leaked.

“In protecting the individuals who have been compromised, you’ve protected the company as well against a lawsuit,” Marcotte said.

Consider the Human Element

Utilizing the latest protective technology such as deepfake detectors can help protect against HR cyberattacks, but those tools can be hacked or overpowered in what Walton described as an imminent “arms battle between the deepfake detectors and the deepfake makers — and the bad guys are always better.”

The best protection likely lies in augmenting technological safeguards with human vigilance, particularly since the simplest way for a scammer to gain access to an organization is by tricking an individual person, said Perry Carpenter, the chief human risk management strategist at KnowBe4, a cybersecurity company focused on awareness training.

In his book, “FAIK: A Practical Guide to Living in a World of Deepfakes, Disinformation and AI-Generated Deceptions,” slated for release in October, Carpenter shares that scammers successfully trick people through confirmation bias (saying something they want or expect to hear), appealing to emotion or preying on digital illiteracy. Effective education about cyberattacks should show workers how realistic scams may appear.

According to Carpenter, employees who feel overworked or stressed often will rush to clear a task off their to-do list without thinking of two-factor authentication or confirming a request with the source.

“In a healthy organizational culture, if you delay [sending data or money] to verify the request is legitimate, most people are going to congratulate you,” he said. “Even if they did send that email, they’ll be thankful you checked rather than blindly following that instruction. Part of the discussion has to be, ‘How do we help people slow down?’ HR departments are good at asking questions like that.”
