AgentSure
Tier 3 · circular · MAS · v2025.09 · 2025-09-30

Circular on Cyber Risks Associated with Deepfakes (TCRS/2025/06)

Aliases: Deepfakes Circular · TCRS 2025/06

Purpose

Alerts FIs to deepfake-related cyber and fraud risks and sets supervisory expectations on detection and response.

Atomic clauses: 52
AI-specific: 33
Cross-document links: 0
Pages: 7 pp

Document relationships

Atomic clauses (52)
must · §1

Implement methods to verify the authenticity of senders

cyber.access-control · transparency
must · AI · §1

Raise staff and customer awareness on deepfakes and GenAI-enabled phishing scams

governance.training · transparency
must · AI · §1

Implement audio deepfake detection techniques

genai.hallucination · model-risk.monitoring
should · AI · §1

Enhance sector-wide deepfake defence through collaboration and information sharing

governance.policy · transparency
must · §1

Strengthen processes and controls for high-risk transactions and for staff in highly privileged roles, and enforce separation of duties for critical tasks

governance.policy · cyber.access-control
must · §1

Implement endpoint-level protection for biometric authentication processes to prevent injection attacks

cyber.access-control · cyber.malware
must · AI · §1

Include deepfake attack scenarios in incident response

cyber.incident-reporting · model-risk.testing
must · AI · §1

Implement tools to detect and monitor deepfake-based brand abuse or impersonation

genai.hallucination · model-risk.monitoring
must · AI · §1

Implement endpoint-based deepfake detection tools to identify manipulated media in real time

genai.hallucination · model-risk.monitoring
should · AI · §2.1

FIs should be mindful of the risks and mitigating measures should different use cases leveraging biometric authentication arise in the future.

governance.policy · model-risk.monitoring · cyber.access-control
should · §2.1.2.A.I

FIs should use robust methods to verify the authenticity of identification documents and detect signs of alterations during the validation of security features (e.g. holograms, microprinting, or optically variable ink).

data.quality · cyber.access-control
should · §2.1.2.A.I

FIs should also check for discrepancies across multiple documents submitted by the customer, as well as situations where the customer is unwilling or unable to provide verifiable identity or profile information.

data.quality · governance.policy
should · §2.1.2.A.I

Image forensic techniques should be employed to identify inconsistencies in digital images, such as anomalies in shadows, lighting, and reflections.

data.quality · fairness.bias-mitigation
should · §2.1.2.A.II

FIs should also use fingerprinting and watermarking to detect tampering of documents.

data.quality · cyber.access-control
should · §2.2

FIs should implement database security through strong access controls, field-level encryption, tamper-evident logging, and secure key management for data at rest.

cyber.access-control · data.lineage
should · §2.2

Data in use should be protected using secure enclaves and memory encryption.

cyber.access-control
should · AI · §2.2.2.A.I

FIs could conduct regular video and voice deepfake simulation exercises on employees.

governance.training · human-oversight.in-loop
should · AI · §2.2.2.A.II

FI staff should also be trained to watch out for suspicious requests for sensitive information as well as urgent or unusual demands for money transfers, and to challenge suspected impersonations by verifying the authenticity of the caller through a separate and trusted communication channel.

governance.training · human-oversight.in-loop
should · AI · §2.2.2.A.III

FIs should also conduct educational sessions and media campaigns to raise customer awareness of deepfake-enabled scams, including how fraudsters can use synthetic audio and video to impersonate trusted individuals.

transparency · disclosure.customer
should · §2.2.2.B

FIs could recommend that customers and staff use applications like ScamShield to detect and alert users to suspicious calls and phishing messages.

cyber.incident-reporting · human-oversight.in-loop
should · §2.2.2.B

FIs could also implement mobile application verification features that allow customers to confirm the authenticity of calls from FI employees, such as triggering a security message in the mobile application.

cyber.access-control · human-oversight.in-loop
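One way the in-app call verification described in the clause above can be built, as an added example that is not code from the circular or from MAS: the FI backend issues a short-lived, single-use code for a specific call, pushes it to the customer's authenticated mobile app as an HMAC-signed message, and the employee reads the same code out on the call; the customer enters what they heard in the app and the backend confirms it. The agent and customer identifiers, the TTL, the attempt limit and the signing key are assumptions.

```python
"""Added example (not the circular's code): verifying that a live call really
comes from an FI employee by binding it to the customer's authenticated app.
Identifiers, TTL, attempt limit and the signing key are assumptions.
"""
import hashlib
import hmac
import json
import secrets

PUSH_KEY = b"assumed-app-push-signing-key"   # assumption: known only to the FI backend and app


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class CallVerification:
    def __init__(self, push_key: bytes, ttl_seconds: int = 120, max_attempts: int = 3) -> None:
        self._push_key = push_key
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._calls: dict[str, dict] = {}

    def start_call(self, agent_id: str, customer_id: str, now: int) -> tuple[str, str, dict]:
        """Returns (call_id, code for the agent to read out, signed push message for the app)."""
        call_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** 6):06d}"          # random, not derived from anything guessable
        self._calls[call_id] = {"agent": agent_id, "customer": customer_id, "code": code,
                                "expires": now + self.ttl, "used": False, "attempts": 0}
        payload = {"call_id": call_id, "agent": agent_id, "customer": customer_id, "expires": now + self.ttl}
        sig = hmac.new(self._push_key, _canonical(payload), hashlib.sha256).hexdigest()
        return call_id, code, {"payload": payload, "sig": sig}

    @staticmethod
    def app_accepts(message: dict, push_key: bytes, customer_id: str) -> bool:
        """App-side check: the push is authentic (HMAC) and addressed to this customer,
        so an SMS or a caller cannot fabricate the 'security message'."""
        expect = hmac.new(push_key, _canonical(message["payload"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expect, message["sig"]) and message["payload"]["customer"] == customer_id

    def customer_confirms(self, call_id: str, spoken_code: str, now: int) -> str:
        """Customer types the code the employee read out; backend checks it against the call."""
        rec = self._calls.get(call_id)
        if rec is None:
            return "unknown-call"
        if now > rec["expires"]:
            return "expired"
        if rec["used"]:
            return "already-used"
        if rec["attempts"] >= self.max_attempts:
            return "locked"                                 # stops guessing a 6-digit code
        rec["attempts"] += 1
        if not (spoken_code.isascii() and spoken_code.isdigit()) or \
                not hmac.compare_digest(rec["code"], spoken_code):
            return "mismatch"
        rec["used"] = True
        return "verified"
```

The code is never sent over the channel being verified (the phone call carries it only from employee to customer), the app message is signed so it cannot be spoofed by the caller, and the record is single-use and time-limited so a code captured during one call cannot be replayed in a later one.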
must · §2.2.F

Implement cancellable biometrics to protect against biometric data compromise and reuse.

data.consent · cyber.access-control
should · §2.3

Separation of duties (SoD) can be further supported by implementing role-based access control ("RBAC"), dual control, and conducting regular audits.

cyber.access-control · governance.raci
should · §2.3

FIs should enforce SoD by dividing critical responsibilities among different individuals or departments, so that no single individual can execute transactions on behalf of the entire organisation should he or she fall prey to a deepfake impersonation attack.

governance.raci · cyber.access-control
should · AI · §2.3.2.A

Special attention should be given to protecting senior executives through dedicated monitoring services to detect impersonation attempts.

cyber.access-control · governance.accountability
should · AI · §2.3.2.A

These tools should incorporate anomaly detection and deepfake-specific algorithms to identify inconsistencies, such as manipulated visuals, synthetic audio or misleading narratives, and verify content against multiple trusted sources to mitigate misinformation risks and ensure data reliability for decision-making.

model-risk.monitoring · data.quality
should · AI · §2.3.2.A

Detection efforts should extend to threats such as AI-generated influencers or fabricated interviews featuring executives, with alerts triggering swift escalation and takedown procedures.

cyber.incident-reporting · human-oversight.in-loop
should · AI · §2.3.2.A

Implement monitoring tools to detect deepfake-based brand abuse and impersonation attempts targeting the FI across digital channels, including social media, websites, video platforms and news sources.

cyber.incident-reporting · governance.policy
should · AI · §2.3.2.B

Include deepfake attack scenarios in incident response.

cyber.incident-reporting · governance.policy
should · AI · §2.3.2.B

Crisis management plans should include specific response plans or playbooks for responding to deepfake-driven disinformation campaigns, detailing coordination with regulators, media, and law enforcement.

cyber.incident-reporting · governance.policy
should · AI · §2.3.2.B

This strategy should include guidelines for issuing clarifications, press releases, and social media updates to counter false narratives.

disclosure.customer · governance.policy
should · AI · §2.3.2.B

FIs should also establish internal escalation channels to rapidly verify and debunk potential deepfake threats before misinformation spreads.

cyber.incident-reporting · human-oversight.in-loop
should · AI · §2.3.2.B

FIs should also develop trusted and authenticated communications channels to promptly inform the public, customers, employees and other stakeholders of confirmed or suspected deepfake incidents.

disclosure.customer · cyber.incident-reporting
should · AI · §2.3.2.B

FIs should establish clear protocols to address deepfake attacks, including reporting incidents, conducting investigations, communicating with stakeholders, and taking down deepfake content.

cyber.incident-reporting · governance.policy
should · AI · §2.3.2.C

Engage proactively with regulators, industry peers and intelligence-sharing networks, such as Information Sharing and Analysis Centres ("ISACs") and industry associations' Standing Committee.

third-party.due-diligence · governance.policy
should · AI · §2.3.2.C

Enhance sector-wide deepfake defence through collaboration and information sharing.

third-party.due-diligence · governance.policy
should · AI · §3

FIs should implement robust defence measures to detect and appropriately respond to evolving deepfake technology.

model-risk.testing · human-oversight.in-loop
should · AI · §3

Incident response plans should be regularly updated and tested to ensure effectiveness against the evolving risks of deepfakes.

cyber.incident-reporting · lifecycle.monitoring
should · AI · §3

FIs should regularly monitor technological advances in deepfake generation and detection tools to stay informed of developments and emerging countermeasures in this space.

model-risk.monitoring · governance.training
should · AI · §3

FIs should assess the risks of deepfakes to their specific business operations and customer interactions and implement appropriate defensive measures accordingly.

governance.policy · model-risk.identification
should · AI · §B

FIs should implement liveness detection capabilities in facial biometric authentication systems to detect manipulated videos through motion analysis, texture analysis, thermal imaging, 3D depth analysis and behavioural analysis.

human-oversight.in-loop · cyber.access-control
should · AI · §B

For FIs using other biometric modalities such as fingerprint or palm vein recognition that leverage contactless imaging technologies, liveness detection techniques should be specifically tailored to detect synthetic reproductions of the respective biometric characteristics, such as artificial ridge patterns or simulated vein structures.

cyber.access-control · model-risk.testing
may · AI · §B

FIs could also prompt the user to perform specific actions or respond to stimuli during verification to ensure liveness or 'proof-of-presence' of the subject.

human-oversight.in-loop
should · AI · §C

FIs should regularly test the effectiveness of their liveness detection mechanism against deepfakes by testing their biometric systems against deepfake samples, either with vendors specialising in biometric authentication testing or through in-house red team exercises that mimic real-world attack scenarios.

model-risk.testing · cyber.pentest
may · §D

Runtime Application Self-Protection ("RASP") solutions can also be used to actively monitor applications and block malicious activities during execution.

cyber.access-control · cyber.malware
should · §D

FIs should implement real-time injection detection Software Development Kits ("SDKs") to identify suspicious patterns and anomalies during verification attempts.

cyber.access-control · human-oversight.in-loop
should · §E

Certificate pinning should be implemented to prevent man-in-the-middle attacks.

cyber.access-control
should · §E

FIs should implement encryption protocols, particularly Transport Layer Security ("TLS") and Hypertext Transfer Protocol Secure ("HTTPS"), to secure biometric data during transmission between endpoints.

cyber.access-control · data.lineage
should · AI · C.I

FIs should consider implementing tools that can analyse visual and audio elements in real time, such as during a video or voice call, to identify signs of manipulation.

model-risk.monitoring · cyber.incident-reporting
should · AI · C.III

Upon detection of deepfakes, the system could notify the user immediately and flag the incident for further investigation within the FI.

cyber.incident-reporting · human-oversight.in-loop
should · AI · C.III

When such cases are detected, FIs should monitor for broader patterns of attack, conduct detailed investigations, and respond to mitigate risks associated with deepfake-enabled social engineering or phishing attempts.

model-risk.monitoring · cyber.incident-reporting
should · D.I

FIs should implement multi-factor authentication for high-privilege user accounts, such as

cyber.access-control
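As an added example for the MFA clause above, not code from the circular or from MAS: an RFC 6238 TOTP verifier for the second factor of a privileged-account login. It accepts the current time step plus one step either side to absorb clock drift, and it records the highest time step whose code has been accepted so that a code captured from a privileged user (for instance by a deepfake-driven vishing call) cannot be replayed within the window. The secret is the RFC 6238 test-vector secret; the account name is an assumption.

```python
"""Added example (not the circular's code): RFC 6238 TOTP with a replay guard
for high-privilege logins. The shared secret is the RFC 6238 test-vector
secret; the account name is an assumption.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class PrivilegedMfa:
    """Per-account second-factor verifier for a high-privilege login step."""

    def __init__(self, account: str, secret: bytes, step: int = 30, digits: int = 8, window: int = 1) -> None:
        self.account = account
        self._secret = secret
        self.step, self.digits, self.window = step, digits, window
        self._last_used_step = -1   # highest time step whose code was already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        for c in range(current - self.window, current + self.window + 1):
            if c <= self._last_used_step:
                continue   # replay guard: this step (or an earlier one) has been consumed
            if hmac.compare_digest(hotp(self._secret, c, self.digits), code):
                self._last_used_step = c
                return True
        return False
```

The replay guard is the part that matters for the deepfake threat: a one-time code read out to an impersonator over the phone is useless once the legitimate user has already consumed that step, and even an unconsumed code expires with the window rather than remaining valid for the attacker to use later.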
Source
https://www.mas.gov.sg/news/communications-letter/2025/circular-on-cyber-risks-associated-with-deepfakes
Statutory basis: MAS supervisory communication (Tech Risk Supervision)