How Security Teams Combat Disinformation and Misinformation


“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we’re talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. 

The “Twain” quote also serves to highlight the difference between misinformation and disinformation. Misinformation is a mistake. It’s false information spread with a benign or, at the very least, non-harmful intent.

Disinformation, on the other hand, is deception. Its intent is to mislead, cause harm, or profit from a falsehood. And as long as lies remain profitable and easy to spread, businesses must learn to be quick on their feet.

The Damage Done by Disinformation

It all boils down to intent: What is the aim of the person or group spreading the information? Real-world examples show the harm these deceptions cause and the seeds they plant for future exploits.

In 2019, scammers used AI software to mimic the voice of a European energy company CEO. They placed a call using the fake voice and urgently asked an employee to send €220,000 ($243,000) to a Hungarian supplier within an hour. The scammers, nervous because the money didn’t arrive as quickly as anticipated, called twice more. This made the employee suspicious. By then, it was too late to recall the funds. The scammers got the money, but fraud insurance protected the company from any monetary loss.

Though little harm was done, this incident foretold future danger. This was the first known time AI was used to mimic a voice to commit fraud. Cybersecurity experts believe the next step will be using AI to mimic voice and facial expressions. If it looks and sounds real enough, no suspicions will be raised. The scam will be harder to detect, and therefore more successful.

Disinformation as a Service

Disinformation can have many goals, and the COVID-19 pandemic presented a huge opportunity for scammers. A scam from 2021 showcased the Disinformation-as-a-Service trend, where an outside source pays for social media influences to spread and promote disinformation. Fazze, a PR agency that seems to be backed by the Russian government, asked successful YouTubers to criticize the Pfizer vaccine. Promising big paydays, the firm asked influencers to spread disinformation, not to discuss their sponsorship and to act as if they were just sharing information. The plot blew up when a couple of YouTubers went public about the weird offer. The BBC reported speculation of Russia’s connection to the scheme to promote their own vaccine, Sputnik V, highlighting how nation-state attacks often prompt disinformation campaigns.

SMBs can be targeted as well. Disinformation spread by the fake review market dramatically affects small, local businesses. A study of the direct influence of fake reviews on online spending estimated that fake reviews cost businesses $152 billion globally in 2021. The study mentions an Australian plastic surgeon whose business dropped by 23% in a single week after a fake review was posted. A California-based plumbing business lost 25% of its business when a competitor posted a fake review. In New York, two busing companies found that fake positive reviews successfully diverted business from one company to the other.

How to Fight Disinformation and Misinformation

Disinformation is profitable, which forces businesses of all sizes to contend with it. Luckily there are steps you can take when faced with a disinformation or misinformation attack.

1. Educate your teams. There’s a non-zero chance that malicious actors will target your business. Your CSOs and CISOs need the technical and social skills to combat disinformation. Disinformation is both a security issue and a communications issue, so your comms and marketing teams need training as well.

2. Make a plan. IT teams craft recovery plans for natural and man-made disasters; you need something similar for a disinformation disaster. Define team roles and what steps they should take when disinformation hits. Use likely scenarios to test the plan and find flaws so everyone is ready when disaster strikes.

3. Bring in outside forces. Sometimes the PR and communications mess is too much to manage internally. Your IT and security teams may be unfamiliar with how to mitigate these attacks. Bring in outside teams that know how to fix technical and PR messes sparked by disinformation. Research these companies ahead of time so you know who to call when an attack happens.

4. Use social media monitoring tools. Social media monitoring can’t stop an attack, but it can give you hours or days of advance notice that something is afoot. In the end that can be enough warning to enact your plan and contain the damage.

How to Prevent Disinformation Attacks

Prevention is easier and less costly than fighting against a disinformation campaign that’s out of control. There are a number of preventative steps you can take to further protect yourself.

1. Always look for risks and vulnerabilities. Know the avenues that threats can take. Do you have a well-known CEO? Does your brand take a stand on controversial issues? Are you a small business that lives or dies based on reviews? Any of these can prompt attacks. Look for weaknesses and shore up your defensive posture as soon as possible.

2. Master social media. Monitoring tools may help you know an attack is coming, but social media can be a defensive weapon as well. Know what people are saying about your organization. Track social media conversations that are happening around your brand that you are not driving. If any activity becomes concerning, the communications team can address it.

3. Be proactive. PR, communications and marketing teams should hold continuous and authentic conversations with customers. This builds trust and makes customers more likely to turn to you first with questions rather than spreading false information. Promote partner and vendor conversations for the same reason.

4. Practice good information hygiene. Never spread unverified information. Know who your trusted sources are and how to spot a hacked, compromised or spoofed source. Teach employees how to guard against threats such as phishing and social engineering. Also, communicate expectations about conduct when on company business and how employees should express themselves without putting the company in focus. Lastly, train the C-suite on reputation management and how to navigate tricky situations where their conduct could be videoed and shared.

Disinformation will continue as long as it remains profitable. Above all, your best plan of action as a business is to ensure you’re not an easy mark.

The post How Security Teams Combat Disinformation and Misinformation appeared first on Security Intelligence.