The public should create secret passwords with their family and friends to help them identify whether they are really interacting with them or an AI-generated deepfake impersonating them, a cyber security expert has said.
Cody Barrow, chief executive of cyber security firm EclecticIQ and a former adviser to the US government, said the rise of artificial intelligence has made impersonation scams easier to create.
He told the PA news agency that AI was helping to “lower the barrier to entry” for cybercriminals, and extra precautions beyond basic online security were needed to combat it.
“AI is huge. It’s not just hype. It’s very easy to dismiss it as such, but it’s really not,” Mr Barrow said.
“My wife and I were actually just discussing this – in recent months, we have (created) a secret code that we use that only the real me or the real her would know, so that if one of us ever receives a FaceTime video or WhatsApp video that looks and sounds like us, asking for money, asking for help – something very scary – we can use that code to verify that we’re the right person.
“So the fact that I’m doing that indicates what I think of it, right? I think it’s very real.
“We will see that it is much easier to generate deepfakes to fool people, to write phishing emails that look real. So I think it does lower the barrier to entry. It may also open the door to non-English speaking threat actors.”
Mr Barrow added that such an approach was necessary because the sheer number of data breaches in recent years meant the majority of people online would have had their personal details compromised at some point, so additional security was needed.
He said creating secret passwords among friends and family was especially important for older and younger users who may not have the best digital skills.
Mr Barrow added: “It may sound dramatic here in May 2025, but I’m quite confident that within a number of years, if not months, people will look back and say, absolutely yes, I should have done that, and I do think everyone should do it, especially if you have either more elderly family members or younger family members – because we have a lot of younger people who don’t actually understand this stuff either.
“Just about every human who’s used a computer or the internet has an old email account that’s been compromised at some stage when they had a non-secure password, which probably most people still do, and that email was compromised and someone stole their contact list.
“Then from that contact list, it’s not hard to generate malicious tooling that can duplicate the likeness of someone on that list and then send you some sort of scam that makes it look like it’s actually from that person.
“So I very much think everyone should have a secret password.”
Mr Barrow’s warning comes in the wake of a string of cyber attacks on UK retailers, including Marks and Spencer and the Co-op.
Earlier this week, M&S said its breach had been caused by “human error” after hackers were able to gain access via a third party, after using social engineering – human error or misjudgment – in order to get into the retailer’s systems.
Mr Barrow said that the hackers in this attack were likely to have taken advantage of the fact they are reportedly native English speakers to help scam their way into M&S’s systems.
But he also warned that predictable security set-ups, such as using two-factor authentication, may have also aided the cybercriminals in creating a realistic looking scam.
“The landscape that we’re seeing now is that we’re seeing a lot of people are really immunised and used to the security procedures they have to follow,” he said.
“They’re used to having to enter their phone authenticator code and do all the prompts. And so it was relatively trivial for this threat actor, which speaks native English, to really trick people into going through those motions and abusing multi-factor authentication to get into these outlets.”
