For decades now, the cautionary advice of “Don’t believe everything you see on the internet” has been reliably prescient, particularly as image processing software and Photoshop became more advanced. AI tools have rapidly improved in their ability to generate incredibly lifelike (though totally artificial) images and video – as reflected in Ethan Mollick’s article ‘The recent history of AI in 32 otters’.
But what happens when this kind of AI-generated content breaks the fourth wall, and begins to interact with us in our real lives? Interactive ‘deepfakes’, or ‘vishing’ (‘voice phishing’), now empower fraudsters to clone the appearance and voices of real people with relative ease. For lawyers (and many other professional service workers) the implications are enormous – the methods by which funds transfers have previously been verified are no longer secure.
Real-world examples of this already exist. British engineering firm Arup was targeted by cyber criminals using these technologies in February 2024, with devastating results. Using interactive deepfake technology to pose as Arup’s executive team during a videoconference, the fraudsters instructed a senior member of the firm to transfer funds on an urgent basis. The employee, despite being familiar with the appearances and voices of their leadership team, was nonetheless duped, resulting in a $25M USD loss.
These technologies will only become more prevalent, and more easily accessible to cyber criminals. It is virtually an inevitability that members of the legal profession will be victimized by frauds employing these technologies. While no LawPRO claims are known as of the date of this blog, it is important for lawyers to recognize that LawPRO’s coverage of losses arising from social engineering is subject to sub-limits, and that these in turn are affected by the lawyer’s procedural compliance.
So, what are lawyers to do? The first, and most important element is self-education. Lawyers have a duty of technological competency, as was set out in Justice Myers’ 2021 decision in Worsoff v MTCC 1168 et al, as well as the more general recommendations of the LSO’s Technology Guideline. Lawyers need to have a reasonable level of technological understanding, in order to protect themselves and their clients. CNSL.ai provides these services for firms who are looking to rapidly accelerate their technological acuity, but competence can be built through dedicated self-education, as well.
For the specific challenges posed by fraud related to deepfakes, the expectation that all lawyers and their coworkers become experts in recognizing sophisticated cyber fraud is not realistic. However, simple countermeasures can be surprisingly effective:
- Mandatory Callback Policies: For large, unexpected or unusual requests for transfers, firms should have a mandatory policy of hanging up and calling the client or transferee directly on their trusted phone line.
- Institutional Education: Firms need to mandate education on recognizing red flags such as unnatural lighting or voices, particularly when financial transfers are being requested.
- Asking Probing Questions: Ask quick questions to which only the client would have the answer (“You sent me a photo of your wedding last week – who is in that photo?”).
A minimal amount of time invested in procedures such as these can prevent the losses and reputational damage inflicted by deepfake-powered fraud. But the broader takeaway for lawyers needs to be that education on technology is a necessity – not only as a means of accelerating productivity, but also as a protective measure for you and your clients.