A Business Was Framed For a Crime They Didn’t Commit: A Case Study

What follows is a case study of a fictitious incident about a business framed for a crime they didn’t commit.

We want to understand the effects of disinformation on a business and any collateral damage.

Before we get into things, let’s have a conversation about disinformation.

Misinformation vs. Disinformation

Over the past several years the terms misinformation and disinformation crept into public discourse. This is by and large to due this stuff being tied to politics and fake news. We need to define the two terms as we’ve seen news outlets incorrectly use the word misinformation.

Misinformation is information that is incorrect that’s spread to others where the intention isn’t necessarily malicious. This can occur when a person that’s misinforming someone doesn’t have all the facts about something and they don’t know they don’t have all the facts.

Disinformation on the the other hand is the deliberate fabrication of information with the intent mislead and confuse others. This is a malicious act. A perfect recent example is a tweet about a fake explosion at the Pentagon. This fake incident had an alleged material effect on the US stock market. [Source: ArsTechnica] While this attack felt more politically motivated, it did affect businesses and investors. This fake tweet used a generative AI platform like Midjourney or Stable Diffusion to create a deepfake of the incident. For an adversary, deepfakes help, in a way, to automate the process of creating disinformation. Deepfakes can also come in the form of audio/video where the target is saying/doing things they normally wouldn’t. A benign example is deepfake Tom Cruise. On the opposite end of things, you have cheap/shallow fakes. This is using photo or video editing software to make a person or business look bad. Even a meme could cause damage. Going this route is the “low tech” way of doing things.

When it comes to organizations, disinformation targeting them is not new. What we typically see in the news are companies that have a national reach and/or they’re publicly traded. Sometimes these companies aren’t even the main target. Anecdotally, we’ve seen local businesses get caught up in false accusations and reported to the social media platform they’re using or even making false claims to different local government agencies.

The scenario

A fake news article that’s published to social media claims that a local business did something criminal, or someone at the business committed crimes. This small business has multiple employees and is well established in the community they operate in. They are headquartered in what could be considered a small city. If someone heard of the name, those locally would recognize it, but they aren’t known beyond the geographic boundaries they operate in. Let’s say the business is an accounting firm. This accounting firm has several employees (20) and they offer several services like business accounting, tax preparation for individuals and businesses, audits, and advisory services.

The reason we’re choosing an accounting firm as the target:

• The type of sensitive information they need to collect.
• How varied their clients are. They may have business clients that represent many different industries and the size of the business clients may vary too. For the individuals they help, the range of income varies for these clients.
• They are targets for cybercriminals because of the data collected and the potential that the bad actors may gain access to the firm’s clients to launch attacks against them. In other words, a supply chain attack.

The disinformation attack

The disinformation is a screenshot of a fake news article from a reputable regional news source. The screenshot is posted to social media via a fake account under the control of a bad actor. The text included along with the screenshot is just the news headline. There’s also a shortened URL link. The link directs the reader to a URL to the actual news site that doesn’t exist. In other words, the reader is greeted with something like “Oops! We’re sorry. This page doesn’t exist.” when they visit the web page.

The false accusation

The bad actor states that one of the accountants of the firm stole sensitive data from clients and embezzled funds.

The potential fall out of this disinformation campaign

• People on social media may share the fake post without reading because of their bias toward the accounting firm or because the platform incentivizes sharing. Those they share it with have the same bias and therefore also share the post without investigating or are also compelled to share due to the design of the social media platform. Those who are shocked at the fake allegations may also share. At some point this message amplifies. Once the disinformation is out there, the damage is done.
• As the volume of the post shares increase, clients of the accounting firm may see it on social media or a connection of the client may say to them “Hey, don’t you have this accounting firm helping you?”
• Some of the accounting firm’s clients may jump ship.
• Those clients that jump ship, if they don’t dig into the the fake post, may voice some negative opinions about the firm. Would they go so far as to sue? We don’t know. The only plausible way we can think of a client suing is if the disinformation campaign causes the them to lose customers if they’re a business.
• While this is going on, because the fake social media post is making the rounds, it may still continue to grow because of the reputation of the legitimate news source.
• The accounting firm is scrambling to put the fire out. It’s trying to track down the original source of the social media post, it’s pulling resources to respond to where ever they see the content. Maybe they’ve engaged with someone who does PR to help address the disinformation. They’ve also engaged with an attorney to handle the situation.
• The reputable news organization, an unwitting victim, catches wind of this, and are also dedicating resources to track things down, get the posts removed, and look for the original poster. They too are also engaging with their attorney to figure out how to deal with the situation.
• As some of the accounting firm’s clients leave, this affects their revenue. People are going to believe what they want to believe regardless if the facts show the post was fake. These people may avoid seeking the services of the accounting firm if they ever have a need for this kind of help. They may even tell others in their circles to not use the company. This makes it more difficult for the accounting company to generate new business.
• The news source’s reputation may also take a hit. Because it’s name and likeness was used as a vehicle to spread disinformation, some readers may not trust their reporting again. Less readers means less revenue.

What we don’t know

Since this is a made up scenario it’s difficult to imagine what the financial and reputational impact is for the main target, the accounting firm, it’s employees, and those that are collateral damage, such as the news outlet.

We also don’t know how far or how quickly the disinformation would spread. Would the disinformation spread more quickly if it was a widely recognized brand as opposed to a local business?

We also don’t have the financial costs associated with combating an incident like this. How much for marketing and PR efforts? How much for legal help? Does any insurance policy cover for something like this? If so, how would this incident affect the accounting firm’s rates or the news outlet’s rates?

What we do know

The bad actor, more likely than not, created a fake social media account in a way that would make it difficult for someone find much information about them. In this case, a subpoena to the social media platform may be the only way to get any information about the account.

We also know that in this fictitious incident, the accounting firm and news outlet should look for this stuff proactively. Now it’s costing them much more in an attempt to clean up the mess.

How Bsquared Intel helps

As part of our external risk/threat assessments, we look for stuff like this. We can also customize our service to specifically focus on looking for things that affect your brand’s reputation. Or if you’ve already come across an incident and want our help to pick things apart, we’re happy to help.

For any attorneys reading this, and have cases dealing with disinformation, our social media and website forensic service may be of help. There are limitations, so definitely have a conversation with us.

To learn more, fill out the contact form below and let’s talk.  Also, while you’re here, sign up for our newsletter.