“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we’re talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old.

The “Twain” quote also serves to highlight the difference between misinformation and disinformation. Misinformation is a mistake. It’s false information spread with a benign or, at the very least, non-harmful intent.

Disinformation, on the other hand, is deception. Its intent is to mislead, cause harm, or profit from a falsehood. And as long as lies remain profitable and easy to spread, businesses must learn to be quick on their feet.

The damage done by disinformation

It all boils down to intent: What is the aim of the person or group spreading the information? Real-world examples show the harm these deceptions cause and the seeds they plant for future exploits.

In 2019, scammers used AI software to mimic the voice of a European energy company CEO. They placed a call using the fake voice and urgently asked an employee to send €220,000 ($243,000) to a Hungarian supplier within an hour. The scammers, nervous because the money didn’t arrive as quickly as anticipated, called twice more. This made the employee suspicious. By then, it was too late to recall the funds. The scammers got the money, but fraud insurance protected the company from any monetary loss.

Though little harm was done, this incident foretold future danger. This was the first known time AI was used to mimic a voice to commit fraud. Cybersecurity experts believe the next step will be using AI to mimic voice and facial expressions. If it looks and sounds real enough, no suspicions will be raised. The scam will be harder to detect, and therefore more successful.

Disinformation as a service

Disinformation can have many goals, and the COVID-19 pandemic presented a huge opportunity for scammers. A scam from 2021 showcased the Disinformation-as-a-Service trend, where an outside source pays for social media influences to spread and promote disinformation. Fazze, a PR agency that seems to be backed by the Russian government, asked successful YouTubers to criticize the Pfizer vaccine. Promising big paydays, the firm asked influencers to spread disinformation, not to discuss their sponsorship and to act as if they were just sharing information. The plot blew up when a couple of YouTubers went public about the weird offer. The BBC reported speculation of Russia’s connection to the scheme to promote their own vaccine, Sputnik V, highlighting how nation-state attacks often prompt disinformation campaigns.

SMBs can be targeted as well. Disinformation spread by the fake review market dramatically affects small, local businesses. A study of the direct influence of fake reviews on online spending estimated that fake reviews cost businesses $152 billion globally in 2021. The study mentions an Australian plastic surgeon whose business dropped by 23% in a single week after a fake review was posted. A California-based plumbing business lost 25% of its business when a competitor posted a fake review. In New York, two busing companies found that fake positive reviews successfully diverted business from one company to the other.

How to fight disinformation and misinformation

Disinformation is profitable, which forces businesses of all sizes to contend with it. Luckily there are steps you can take when faced with a disinformation or misinformation attack.

1. Educate your teams. There’s a non-zero chance that malicious actors will target your business. Your CSOs and CISOs need the technical and social skills to combat disinformation. Disinformation is both a security issue and a communications issue, so your comms and marketing teams need training as well.

2. Make a plan. IT teams craft recovery plans for natural and man-made disasters; you need something similar for a disinformation disaster. Define team roles and what steps they should take when disinformation hits. Use likely scenarios to test the plan and find flaws so everyone is ready when disaster strikes.

3. Bring in outside forces. Sometimes the PR and communications mess is too much to manage internally. Your IT and security teams may be unfamiliar with how to mitigate these attacks. Bring in outside teams that know how to fix technical and PR messes sparked by disinformation. Research these companies ahead of time so you know who to call when an attack happens.

4. Use social media monitoring tools. Social media monitoring can’t stop an attack, but it can give you hours or days of advance notice that something is afoot. In the end that can be enough warning to enact your plan and contain the damage.

How to prevent disinformation attacks

Prevention is easier and less costly than fighting against a disinformation campaign that’s out of control. There are a number of preventative steps you can take to further protect yourself.

1. Always look for risks and vulnerabilities. Know the avenues that threats can take. Do you have a well-known CEO? Does your brand take a stand on controversial issues? Are you a small business that lives or dies based on reviews? Any of these can prompt attacks. Look for weaknesses and shore up your defensive posture as soon as possible.

2. Master social media. Monitoring tools may help you know an attack is coming, but social media can be a defensive weapon as well. Know what people are saying about your organization. Track social media conversations that are happening around your brand that you are not driving. If any activity becomes concerning, the communications team can address it.

3. Be proactive. PR, communications and marketing teams should hold continuous and authentic conversations with customers. This builds trust and makes customers more likely to turn to you first with questions rather than spreading false information. Promote partner and vendor conversations for the same reason.

4. Practice good information hygiene. Never spread unverified information. Know who your trusted sources are and how to spot a hacked, compromised or spoofed source. Teach employees how to guard against threats such as phishing and social engineering. Also, communicate expectations about conduct when on company business and how employees should express themselves without putting the company in focus. Lastly, train the C-suite on reputation management and how to navigate tricky situations where their conduct could be videoed and shared.

Disinformation will continue as long as it remains profitable. Above all, your best plan of action as a business is to ensure you’re not an easy mark.

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today