One of the largest stories of the 2016 U.S. presidential election was fake news. Throughout 2016, but rising to a crescendo in the days just before and just after the election, fake news stories dominated and influenced this election like none before it. Did fake new change the results of the election? We will never know the answer to that question. But we can be sure that fake news influenced it.
It is easy to view fake news stories as simply a 2016 election phenomenon, but that would be a mistake. Fake news attacks have been around for a while, slowly growing in importance, and the potential impact on business is very real.
Fake News in Election 2016: Dangerous Cyberattacks
One of the first pieces of fake election news to gain national attention during 2016 was a counterfeit New York Times article that appeared just before the Super Tuesday primaries. The story wrongly proclaimed that Sen. Elizabeth Warren (D-Mass.) had endorsed Bernie Sanders. The most recent piece of prominent fake news occurred following the election, on Nov. 9, in a tweet which claimed that anti-Trump protesters were being bussed into Austin, Texas.
These fake news exploits are cyberattacks. They are a particularly devastating kind of cyberattack – they are easy to create, easy to implement and challenging to stop.
The first of these fakes was a complicated exploit - the fraudulent New York Times article was a near perfect imitation of the real thing, staged on a domain that also imitated the actual New York Times domain.
Who was the victim? This attack targeted Sanders supporters, providing them with the exact news that they had been dreaming about for weeks. Significantly, this “news” broke just before Super Tuesday, one of the most important days of primary voting. Given the sophistication of the fakery and the strategic timing, this appeared to be a carefully planned and brilliantly executed cyberattack.
The second of these fake news attacks was more opportunistic and slower to develop, but it was possibly more prominent.
While anti-Trump protests were going on in Austin, a Trump supporter, Eric Tucker, saw a line of busses parked on a street. His tweet: “Anti-Trump Protests are not as organic as they seem,” experienced a typical Twitter evolution – it was initially tweeted to a few people, and then was retweeted.
Because it carried some key hashtags, including #trump2016, it caught the eye of partisan websites which republished the tweet widely, and it was incorporated into stories running on Trump-leaning media. Unlike the premeditated fake New York Times story, it was a simple, unsubstantiated tweet that unexpectedly went viral.
The Real Economic and Business Impact of Fake News
Fake news attacks didn’t just appear in the 2016 election cycle. They have been serious business risks for a long time. For years, fake news has been a popular and powerful weapon for profiteering cyber criminals looking to gain an unfair advantage in public markets.
Think back to April 23, 2013, when a tweet, apparently posted by the Associated Press, reported that there had been an explosion in the White House and that President Obama had been injured.
It only took two minutes to debunk the message, but during those two minutes the stock markets lost over $125 Billion of value. Although the markets had recovered within six minutes, the fake news posting opened a short window where traders could take advantage of the manipulated prices to gain large profits. So instead of victims, this attack had a small group of beneficiaries. Did some traders know in advance that this tweet was going to be sent out? You bet they did.
Fake news is predictable. It is almost always initially delivered by Twitter or Facebook. It may or may not contain a link to a URL. Fake news is specific – its goal is to fan the flames of discord or to solidify public opinion within a small constituency. Fake news is usually designed to divide opinion, between those that want to believe it, and those that can’t possibly believe it.
The most successful fake news “anticipates” an announcement or “reveals” something that its targets either crave or fear. The stakes are high. The content of the fake news looks legitimate – and the news is so specific and believable (to its target) that it gets forwarded, retweeted, or reposted before it is fact checked. Fake news doesn’t need to go national to be effective – it only has to penetrate the group of key influencers.
However, fake news is not just limited to politics.
Take FingerPrint Cards, a publicly traded Swedish firm (FING-B.ST). In October 2013, the company saw its book value climb by over 30 percent in minutes. Why? A press release had appeared announcing that Fingerprint Cards was going to be acquired by Samsung. In the minutes following the publication of this fake news, the stock price rose by 50 percent. Over the course of the next few hours, the story was debunked – there was no impending acquisition, but that wasn’t the point – the fake news attack gave the conspirators a chance to gain millions of dollars from the stock’s short term rise and fall. But don’t think that this kind of thing is ancient history. Last year, Avon products were targeted in a similar stock manipulation scheme and earlier this month, FitBit saw its stock jump as a result of the very same kind of scam. In all three of these cases, market controls stopped trading of these issues quickly, but news like this doesn’t only influence the stock price of the attacked company, it also impacts the stock prices of key partners and suppliers.
In another variation of a fake news attack, fraudsters launch stories announcing the untimely death or injury of a key corporate executive. One of the most prominent of these exploits occurred in 2009, when a CNN site reported that AT&T CEO Randall Stephenson was "found dead in his multimillion dollar beachfront mansion" under very questionable and compromising circumstances.
The CNN/ATT story highlights another major fake news challenge – the “announcement” of Mr. Stepenson’s “passing” was published on a special CNN site for “citizen journalists,” iReport. This site and many others like it are repositories for user-generated-content, which is, basically, uncurated, un-fact-checked announcements. Fake news can originate practically anywhere on the Internet, including not just sites like iReport or Reddit, but tweets, posts, blogs, wikis, discussion forums, chats, podcasts, digital images, video, audio files, advertisements and more. End-users can directly publish their views or their content to any of these forums without fact-checking, editing, or any other kind of content-curation.
Clearly this is a problem. The entire breadth of the Internet is now a source for fictitious content-based attacks. Significantly, these cyberattacks don’t touch company infrastructure at all. They exist completely outside the firewall, beyond the traditional perimeter. But even without touching the targeted company directly these attacks can have huge impacts on a company’s revenues, operations, and reputations.
How to Fight Back Against Fake News
Within most corporate organizations, these kinds of attacks set off a chain reaction that ripples through the company. For example, when a fake story that could impact the stock markets is detected, the first time most companies hear about it is after the fact – the stock price is already moving. The investor relations department sees an unusual stock price movement or a volume spike. The phone rings and it is the stock exchange or worse, the SEC, trying to understand what is happening. They need answers quickly. At most companies the investor relations and CFO teams go on full alert, and work closely with the marketing teams, to sort through the mess. They are playing catch-up.
Realistically, only one organization is in place that has the expertise and the mindset to deal with attacks like these in real time – the security department. Security teams are accustomed to the rigors of real time monitoring and continuous threat evaluation. But while most security teams know the ins and outs of full-time monitoring, the kind of monitoring that is required to defend against false news, or content-centric attacks is quite different from the kinds of network and firewall-centric monitoring that security departments customarily perform.
In fact, in a research report commissioned by BrandProtect, and conducted by the renowned Ponemon Institute, over 500 enterprises were asked to evaluate their security maturity when it came to these kinds of external threats.
While there was consistent awareness across security departments of the exposure of companies to these kinds of Internet-based threats, few companies have a formal process in place to monitor for potentially harmful online activities and statements. In fact, almost 40 percent of companies surveyed do not monitor the Internet at all. This is a shocking result in today’s threat environment. Most companies still deal with these threats in an ad hoc, reactionary way. Only 17 percent of the security professionals polled say they have a formal external threat monitoring and escalation process in place that is applied consistently across their companies.
Against those findings, it’s understandable that 83 percent of respondents believed their organizations were not effective in monitoring the Internet and social media. The security teams are facing something outside their traditional experience – these threats exist entirely outside the corporate perimeter, they never directly touch company infrastructure or resources. For the moment, security is behind the eight ball – their teams lack risk awareness (50 percent of respondents), staff knowledgeable about external risks (45 percent of respondents) and lack of technologies and tools (43 percent of respondents).
But in today’s environment of near instantaneous content distribution, social media amplification, and near real-time market responses to news, enterprises will have to make adjustments. Fake news and all of its cousins confront companies, particularly publicly-traded companies, with a set of threats that can no longer be ignored.
As security teams map out initiatives for 2017 and beyond, it is time for security teams to fully address the external threat gap. The first step in an action plan is to conduct an internal assessment of departments within the enterprise that have implemented department level efforts to understand and analyze third-party Internet activity. These groups will range from compliance departments monitoring external dealers and agents; marketing departments tracking social media responses to externally facing campaigns, customer services departments who are looking for disgruntled end-users, and PR and product teams who are looking for reactions to company news, and industry developments. All of these efforts are important, and all provide pieces to the external threat story.
Alongside the internal processes audit, enterprises should conduct a thorough external threat audit. Basically, this effort provides the organization with an understanding of how much their enterprise, their executives, their key brands, and their other key assets and initiatives are being discussed by third parties online. This audit should extend across all external threat sources, not just social networks, blog sites, wikis, discussion forums, and video sites, but also paid placement advertising, mobile app stores, online marketplaces and domains.
Finally, following these audits, initiating a comprehensive external monitoring programs will help ensure that the enterprise has the earliest possible warning about threatening online activities. Remember, whenever any third party is discussing your business online it creates a risk. If that third party is providing the online universe with information about the enterprise that is not true, it creates a severe risk.
Now that the elections are over, the steady stream of fake campaign news should fade into the background. Unfortunately, the elections provided all threat actors with a master class on how to use fake news and other fake end-user content to manipulate the public. These exploits and attacks will not be going away any time soon. Fake news about M&A activity, clinical trials, product announcements, plant closings, earnings, executive appointment, product delays, partnerships, or headcount reductions can take only minutes to debunk, but can impact revenues, operations and business reputations for weeks. Only by proactively and constantly monitoring the Internet for unauthorized, fraudulent or just plain fake postings, announcements, and stories, can an enterprise protect its most important assets from devastating damage.
About the Author:
Greg Mancusi-Ungaro is CMO at BrandProtect, which provides a comprehensive suite of cyber risk detection, intelligence, and threat mitigation solutions for enterprises. Greg was recently named a Fellow of the Ponemon Research Institute. A passionate evangelist for emerging technologies, business practices, and customer-centricity, Greg has been leading and advising world class marketing initiatives, teams and organizations for more than 25 years.
