How ‘Cheap Fakes’ Exploit Our Psychological Vulnerabilities

At a time when sophisticated AI tools such as deepfakes are being deployed by cybercriminals on an increasingly large scale, it’s easy to overlook other forms of deception and manipulation that don’t make as many headlines. From mislabeled media to selectively edited videos, images, and audio files, there are plenty of “cheap fakes” that still fool people into trusting them every day. 

We’ve entered an era in which employees can no longer trust their own eyes or ears, so the ability to identify suspicious activity and accurately assess any media's legitimacy has never been more important. As a result, the core principle that IT professionals must emphasize is verify before you trust. That overarching theme will underpin every human response to the threat landscape moving forward. 

It’s also vital for IT teams to build cybersecurity awareness training programs around the full range of attack vectors. While AI has altered the cyberthreat landscape, cybercriminals will continue using cheap fakes, which require less sophisticated technology and fewer resources. But IT leaders shouldn’t confuse the accessibility of cheap fakes with ineffectiveness: They remain extremely potent tools for deceiving employees and infiltrating companies.  

How Do Cheap Fakes Differ From Deepfakes? 

Related:Secure By Demand: Key Principles for Vendor Assessments

While deepfakes use AI to create or alter video and audio content, cheap fakes rely on editing and mislabeling media to create a false impression. An example of a deepfake was a robocall that impersonated President Joe Biden’s voice before the 2024 New Hampshire Democratic primary. But an example of a cheap fake was an edited 2020 video of former House Speaker Nancy Pelosi speaking in a slurred and awkward way. The video purported to show that Pelosi was intoxicated, but it had been slowed down to create that false impression.  

Misinformation in politics is only part of the problem. There are countless ways cybercriminals can use cheap fakes to deceive people, and IT teams must be aware of how these tactics are deployed. Bad actors can publish and mislabel a real video clip to suggest that it occurred at a different time or place. They can use software like Photoshop or Final Cut to edit images and videos directly. They can combine separate videos or audio recordings to create the illusion of interactions and events that never happened. IT teams must understand that all of these methods can be used to deceive employees and manipulate them into making a mistake. For example, cybercriminals can send employees fake content from a software company that instructs them to change security settings or fool them into clicking on a malicious link with a doctored headline.  

Related:The Importance of Empowering CFOs Against Cyber Threats

Because cheap fakes are so easy to make, cybercriminals of all skill levels are capable of experimenting with them on a large scale. Many cheap fakes reframe or alter authentic content, which gives them a veneer of legitimacy and makes it easier for cybercriminals to convince people that fraudulent content is real. Given all the ways cybercriminals can deploy cheap fakes -- and their continued reliance on these attacks in many contexts -- it’s clear that IT leaders must make them a priority in their awareness training programs.  

Why are Cheap Fakes So Effective?  

Cheap fakes exploit a range of psychological vulnerabilities, like fear, greed, and curiosity. These vulnerabilities make social engineering attacks prevalent across the board -- over two-thirds of data breaches involve a human element -- but cheap fakes are particularly effective at leveraging them. This is because many people are unable to identify manipulated media, particularly when it aligns with their preconceptions and existing biases. 

According to a study published in Science, false news spreads much faster than accurate information on social media. Researchers found several explanations for this phenomenon: false news tends to be more novel than the truth, and the stories elicited “fear, disgust, and surprise in replies.” Cheap fakes rely on these emotions to spread quickly and capture victims’ attention -- they create inflammatory imagery, aim to increase political and social division, and often present fragments of authentic content to produce the illusion of legitimacy.  

Related:5 Questions Your Data Protection Vendor Hopes You Don’t Ask

While deepfakes are rapidly improving and becoming easier to create, a 2024 study found that cheap fakes “can be at least as credible as more sophisticated forms of artificial intelligence-driven audiovisual fabrication.” This is why the study reports that cheap fakes are still used more extensively than deepfakes. While this may not continue to be the case as deepfakes become easier to make, IT leaders have to make sure that employees know how to resist both forms of deception.  

Preparing the Workforce To Identify Cheap Fakes 

Cybercriminals are adept at exploiting psychological weaknesses, and they recognize that cheap fakes are among the most powerful weapons they have for deceiving and manipulating people. This is because cheap fakes have a long track record of successfully fooling victims, even though they’re easier and less expensive to produce than AI-generated media. Cheap fakes can also augment more advanced AI cyberattacks by providing false information that promotes and reinforces deepfake content.  

At a time when cheap fakes and deepfakes are rapidly proliferating, IT teams must emphasize a core principle of cybersecurity: Verify before you trust. Employees should be taught to doubt their initial reactions to digital content, particularly when that content is sensational, coercive, or divisive. Employee training is one of the top factors in mitigating the financial damage caused by data breaches, and it’s among the first investments companies make after they suffer a breach. But cybersecurity should never be reactive. All employees have to be aware of how cybercriminals are capable of using their psychological vulnerabilities against them with potent tools like cheapfakes. 

At a time when cyberattacks are on the rise, the cost of data breaches is surging, and social engineering tactics like phishing remain the most common initial attack vectors, the development of a robust awareness training program is critical. These programs must account for the full range of tools and strategies that cybercriminals use. IT leaders have to ensure that training content is personalized on the basis of employees’ unique psychological liabilities and behavioral patterns, which can make them more or less susceptible to cheap fakes.  

Cheap fakes are effective because they target the elements of human nature that make us vulnerable to manipulation, from confirmation bias to universal psychological vulnerabilities like fear and greed. When employees are trained to identify these vulnerabilities in themselves and recognize how they can be exploited by bad actors, they will be capable of distinguishing legitimate content from the cheap fakes that are constantly multiplying across the media landscape.