They are cloning bosses, aren’t they?!

The head of OpenAI, Sam Altman, recently warned that a wave of fraud driven by artificial intelligence is coming very soon. However, we must correct Sam and say that this wave has already arrived and is already hitting wherever it can – whether on ordinary citizens or on institutions, banks, companies, and corporations: from various phishing attacks, social engineering, computer fraud, malware, to identity theft, which may be the worst or most difficult form of fraud for the average citizen.

Taking Over Roles

Identity theft is no longer an episode from an American crime series, but the everyday reality of many people around the world. Once, thieves and criminals had to break into an apartment to obtain someone else’s data by stealing a wallet, ID, or driver’s license to take over your role in real life. With those documents, they could withdraw money, open an account, or commit a crime in your name. The victim would only find out later that someone else had acted as them when they perhaps applied for a loan or contracted a service they never wanted. Identity was then stolen through physical items, a piece of plastic and paper that represented our ‘self’.

Today, it is much easier and simpler – if you know what you are doing.

Identity theft is no longer limited to lost documents or stolen cards. Today, hackers and fraudsters combine phishing emails, fake websites, and social engineering to obtain personal data. It is enough for a user to unknowingly click on a link, enter a password or card details, and the door is open. Moreover, data breaches have become almost commonplace. From large tech companies to government registries, millions of user accounts end up on the black market, making it quite easy to collect someone else’s data.

Digital Footprint – More Valuable Than Us

– Documents are no longer the key point. Identity is stolen by collecting and combining personal data available on the internet. Every post, photo, comment, biographical detail, email address, or phone number is part of our digital footprint. It is enough for attackers to connect these fragments to create a faithful, albeit false, digital copy of us – says cybersecurity consultant Marko Gulan, adding that many believe that closing an old user account and opening a new one can solve at least part of the problem.

However, as he points out, this does not eliminate the problem but only deepens it.

– The digital footprint does not disappear by deleting accounts; it becomes even harder to control, and old data remains permanently in archives, backups, or copies made by fraudsters. In this way, we lose control, and criminals gain additional space to manipulate our data without our knowledge – he explains.

We all leave a digital footprint on the internet; it is the fingerprint of all our posts, messages, images, and interactions. Once it was just an addition to our real life, but today that footprint is becoming more real, and soon it could be more relevant than ourselves.

– In the midst of the development of AI tools, we must ask ourselves how much of ourselves, our emotions, fears, and weaknesses we give to the network every day; how much data we leave unconsciously, not thinking that they are precisely what creates the mosaic of our digital identity. That identity can be exploited, sold, stolen, and is worth much more than any subscription we pay. Therefore, it is crucial to realize today that control over our own digital footprint is not a luxury but a necessity – Gulan explains.

If we do not protect and take care of it, the consequences of identity theft can be diverse, not just financial, which are the most common. Thus, victims of identity theft may face blocked accounts, lengthy processes to prove they are not responsible for incurred debts, and even problems with employment or credit. Due to such events, trust in institutions and digital services drastically declines, and once deceived, a user is unlikely to return to online banking or online shopping. In the worst-case scenario, a stolen identity can be used for criminal activities, which is why the victim themselves finds themselves under investigation.

Deepfake: False, Yet Real

Technology has accelerated our lives, simplified it, and made it more efficient. But precisely because we are so connected and share so much, threats are becoming more intense and sophisticated. The clearest symbol of today’s threat is deepfake technology, fake but convincingly authentic videos and audio recordings. When a fake voice and face look like the original, the possibility of secure recognition is lost.

– For example, in early 2024, the British engineering company Arup became a victim of a deepfake fraud: an employee was convinced during a video call that they were talking to senior management and carried out multiple transactions, transferring about twenty million dollars to the fraudsters’ accounts. The voices and faces were cloned, and the company’s reputation and finances were seriously shaken – says Gulan.

He emphasizes that we should not create a false sense of security that such frauds happen somewhere else.

– This is evidenced by a case from October 2024, in which our Fortenova was also a victim of an attack. The attacker used deepfake technology to clone and synthesize the voice of the president and board members and continued the action by targeting employees, to whom the requests for urgent payments seemed legitimate. Fortenova labeled this campaign as an attempt at social engineering and reported it to the relevant authorities – Gulan explains.

That deepfakes or digital forgeries pose a danger to citizens has recently been recognized by Denmark, which wants to protect its citizens through copyright. Namely, it is considering expanding copyright laws. According to the new legislative proposal, every citizen could request social networks to remove deepfake content in which their likeness or voice appears.

Previous laws in Europe and the world have mostly tried to mitigate damage through criminal law and prosecution of perpetrators after damage occurs. Denmark now offers a different path: to amend copyright law to make it illegal to share most deepfake content without the consent of the person depicted.

– Technology has outpaced our legislation – admits Danish Minister of Culture Jakob Engel-Schmidt.

The new proposal, he adds, is an attempt to ‘ensure fundamental rights’ in the digital age, which constantly shifts the boundaries of privacy.

The Boundaries of Trust Are Disappearing

As the boundaries of privacy shift, i.e., privacy is becoming less and less, the boundaries of technology are also shifting, making the line between real and fake on the internet almost invisible. Supporting this is research by the digital security company Jumio, which showed that as many as 69 percent of respondents worldwide believe that AI-based fraud poses a greater threat to their personal security than traditional forms of identity theft. Even more alarmingly, 71 percent of respondents believe that AI fraud is harder to detect than usual, which significantly and directly undermines trust in the digital space. Additionally, two-thirds of surveyed consumers stated that they are more skeptical about what they see on the internet this year than last year, and only one-third still believes that social media profiles are mostly authentic; trust in online news has dropped to 36 percent. Interestingly, when it comes to trust, consumers trust themselves the most.

As many as 93 percent of respondents believe that they themselves are the best protection against AI fraud, while slightly fewer rely on government institutions (85%) and large tech companies (88%). When it comes to who should take responsibility, 43 percent of respondents point their fingers at Big Tech, while only 18 percent believe it is their personal responsibility.

The Only Protection – Knowledge

With the emergence of artificial intelligence, the situation has become much more complex. Generative algorithms allow for the creation of perfectly convincing fake documents, voice messages, and videos that can deceive even the most cautious users. Moreover, fraudsters no longer need to be technological geniuses, as there are now entire fraud-as-a-service packages available on the dark web ready for use like a regular application. This leads us to a situation where it is no longer a question of whether someone will try to steal your identity, but when and how convincingly it will be executed. And in this battle, the highest stake is not just money but also trust: in digital services, in the security of online transactions, and ultimately, in the very idea that the internet is a space where we can move freely and safely. Also, knowledge is power and the first line of defense against this type of crime.

– Behind every identity theft, whether classic or digital, lies the same principle: social engineering. It is the skill of manipulating people to reveal information or take actions against their own interests. Cybercriminals do not rely solely on technology; they rely on our emotions: fear, trust, panic, curiosity. A false message ‘Your account is blocked, please enter your details immediately’ or a phone call imitating the boss’s voice are all examples of social engineering. That is why investing in the knowledge and resilience of employees and citizens is more important today than ever. Technology can help, but without critical thinking and user awareness, any protection falls apart – concludes Gulan.