“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we’re talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old.

The “Twain” quote also serves to highlight the difference between misinformation and disinformation. Misinformation is a mistake. It’s false information spread with a benign or, at the very least, non-harmful intent.

Disinformation, on the other hand, is deception. Its intent is to mislead, cause harm, or profit from a falsehood. And as long as lies remain profitable and easy to spread, businesses must learn to be quick on their feet.

The damage done by disinformation

It all boils down to intent: What is the aim of the person or group spreading the information? Real-world examples show the harm these deceptions cause and the seeds they plant for future exploits.

In 2019, scammers used AI software to mimic the voice of a European energy company CEO. They placed a call using the fake voice and urgently asked an employee to send €220,000 ($243,000) to a Hungarian supplier within an hour. The scammers, nervous because the money didn’t arrive as quickly as anticipated, called twice more. This made the employee suspicious. By then, it was too late to recall the funds. The scammers got the money, but fraud insurance protected the company from any monetary loss.

Though little harm was done, this incident foretold future danger. This was the first known time AI was used to mimic a voice to commit fraud. Cybersecurity experts believe the next step will be using AI to mimic voice and facial expressions. If it looks and sounds real enough, no suspicions will be raised. The scam will be harder to detect, and therefore more successful.

Disinformation as a service

Disinformation can have many goals, and the COVID-19 pandemic presented a huge opportunity for scammers. A scam from 2021 showcased the Disinformation-as-a-Service trend, where an outside source pays social media influencers to spread and promote disinformation. Fazze, a PR agency that seems to be backed by the Russian government, asked successful YouTubers to criticize the Pfizer vaccine. Promising big paydays, the firm asked influencers to spread disinformation, not to discuss their sponsorship and to act as if they were just sharing information. The plot blew up when a couple of YouTubers went public about the weird offer. The BBC reported speculation that Russia was connected to the scheme as a way to promote its own vaccine, Sputnik V, highlighting how nation-state attacks often prompt disinformation campaigns.

SMBs can be targeted as well. Disinformation spread by the fake review market dramatically affects small, local businesses. A study of the direct influence of fake reviews on online spending estimated that fake reviews cost businesses $152 billion globally in 2021. The study mentions an Australian plastic surgeon whose business dropped by 23% in a single week after a fake review was posted. A California-based plumbing business lost 25% of its business when a competitor posted a fake review. In New York, two busing companies found that fake positive reviews successfully diverted business from one company to the other.

How to fight disinformation and misinformation

Disinformation is profitable, which forces businesses of all sizes to contend with it. Luckily there are steps you can take when faced with a disinformation or misinformation attack.

1. Educate your teams. There’s a non-zero chance that malicious actors will target your business. Your CSOs and CISOs need the technical and social skills to combat disinformation. Disinformation is both a security issue and a communications issue, so your comms and marketing teams need training as well.

2. Make a plan. IT teams craft recovery plans for natural and man-made disasters; you need something similar for a disinformation disaster. Define team roles and what steps they should take when disinformation hits. Use likely scenarios to test the plan and find flaws so everyone is ready when disaster strikes.

3. Bring in outside forces. Sometimes the PR and communications mess is too much to manage internally. Your IT and security teams may be unfamiliar with how to mitigate these attacks. Bring in outside teams that know how to fix technical and PR messes sparked by disinformation. Research these companies ahead of time so you know who to call when an attack happens.

4. Use social media monitoring tools. Social media monitoring can’t stop an attack, but it can give you hours or days of advance notice that something is afoot. In the end that can be enough warning to enact your plan and contain the damage.

How to prevent disinformation attacks

Prevention is easier and less costly than fighting against a disinformation campaign that’s out of control. There are a number of preventative steps you can take to further protect yourself.

1. Always look for risks and vulnerabilities. Know the avenues that threats can take. Do you have a well-known CEO? Does your brand take a stand on controversial issues? Are you a small business that lives or dies based on reviews? Any of these can prompt attacks. Look for weaknesses and shore up your defensive posture as soon as possible.

2. Master social media. Monitoring tools may help you know an attack is coming, but social media can be a defensive weapon as well. Know what people are saying about your organization. Track social media conversations that are happening around your brand that you are not driving. If any activity becomes concerning, the communications team can address it.

3. Be proactive. PR, communications and marketing teams should hold continuous and authentic conversations with customers. This builds trust and makes customers more likely to turn to you first with questions rather than spreading false information. Promote partner and vendor conversations for the same reason.

4. Practice good information hygiene. Never spread unverified information. Know who your trusted sources are and how to spot a hacked, compromised or spoofed source. Teach employees how to guard against threats such as phishing and social engineering. Also, communicate expectations about conduct when on company business and how employees should express themselves without putting the company in focus. Lastly, train the C-suite on reputation management and how to navigate tricky situations where their conduct could be videoed and shared.

Disinformation will continue as long as it remains profitable. Above all, your best plan of action as a business is to ensure you’re not an easy mark.
