How to Combat the Spread of Disinformation-as-a-Service

Corporate communications teams are adept at getting a company’s message out into the world with a variety of content, including websites, blog posts, videos, webinars, e-books, and much more. These professionals already have a lot on their plate. In addition to understanding their company’s offerings and creating useful materials to describe them, they must fend off competitors and others who may try to thwart those efforts through plagiarism, negative messaging, or even flat-out lies.

But none of that comes close to the damage that can be done with a new threat to corporate communications: Disinformation-as-a-Service (DaaS). That’s right, anyone who wants to can purchase a disinformation campaign against your company, complete with fake news and misinformation that can be quickly spread through readily available technologies. The worst part? It’s cheap. Elements of such a campaign can be purchased for as little as $15. 

So, what can you do to ensure that all the hard work your company puts into content development isn’t ruined by someone with something against you and $15 to spare? In the sections below, we list strategies to help you protect your business. But first, we address more about what DaaS is, where it comes from, and how it can hurt your business. 

What Is DaaS?

According to HackerNoon, “[DaaS] is a new model of information warfare where anyone can buy fake news and misinformation campaigns and spread them across the internet. DaaS is made possible by a network of professional trolls, bots, and other online manipulation tools readily available for hire.” 

DaaS operations are like malevolent communications teams that make up negative things about a company rather than provide real information and benefits. That means people or organizations that want to damage your reputation online don’t even have to put in any effort. Instead, they can outsource this activity, similar to how some businesses outsource their marketing or PR. And, like a marketing firm, these services can create a variety of content to prove their point.  

Example of a DaaS Attack

Here’s an example of how it works. Say you are a contractor, and a client becomes dissatisfied with a project you completed for them. You get into a disagreement, and the contract signed by both parties is on your side. But the customer won’t be placated, and they decide to hire a DaaS provider to create false information about your company, demonstrating that it is unreliable. The service might include creating a duplicate website with multiple negative reviews and other content, such as deepfake videos showing you saying things you didn’t actually say. 

By the time you realize what’s going on, it’s too late. The information is already out there, the damage has been done, and there is little you can do to reverse it. 

How It’s Done

The following steps describe how a DaaS attack is carried out.

1. The attacker identifies a target, which could be a business competitor, a political rival, public figure, journalist, ordinary individual, or even an idea such as the effectiveness of vaccines. 
2. The attacker uses the dark web to find and hire a DaaS provider. To access the dark web, they must use a specific browser such as Tor, navigate their way through often confusing addresses, and identify a merchant. According to an article published by consulting firm PwC, costs might be as follows.
   • $15–45 to create a 1,000-character article
   • $65 to contact a media source directly to spread material 
   • $100 for 10 comments to post on a given article or news story
   • $350–550 per month for social media marketing
   • $1,500 for search engine optimization services to promote social media posts and articles over a 10-15-day period
3. The DaaS provider analyzes the target and the audience the attacker wants to reach. They look for things the audience is interested in and vulnerabilities of the target that might coincide with those interests. For example, parents are interested in warnings about products their children might use. In that case, developing a campaign against a toy company saying one or more of its products is dangerous could be highly effective. 
4. The DaaS provider creates primary and supporting stories to be broadcasted to the target audience. These stories may be social media accounts or posts, videos, blog posts, articles, or other content types. The supporting stories serve to make the primary story look more valid. 
5. The DaaS provider releases and promotes false information across predetermined digital platforms.
6. Without knowing the information is false, readers naturally spread it by sharing from their own online platforms, such as blogs, YouTube channels, and social media accounts. Their followers pass it along to their own followers, and so on. The DaaS provider’s and the attacker’s goal is for the information to become viral across many outlets.
7. As a “disinterested party having nothing to do with the information itself,” the attacker may react to it by calling for a boycott or performing other actions to build on the disinformation campaign.

Why It’s Worse Than Other Fraud

The PwC article notes three ways DaaS attacks differ from other types of fraud: amplification via superspreaders, technology that makes it more difficult to tell what’s real and true, and lack of regulation.

• Amplification. Initiating a DaaS campaign on a social media site is similar to putting poison in the water supply for an entire community. All you need are a few drops, and the properties of the supply do the rest. In the case of social media, one lie stated by a user with many followers rapidly spreads. Additionally, according to a study conducted by MIT, false statements spread more readily than true ones. Yet, to the untrained eye, they look exactly the same. 
• Technology. One of the best ways to spread disinformation is to make it look as real as possible. Deepfake technology enables attackers to create videos of their targets presenting untrue events but looking real. Given that this technology is becoming more advanced all the time, viewers don’t have any way to distinguish the truth from the false.
• Regulation. No federal legislation has been passed to restrict the creation and use of deepfakes and other disinformation modalities. Thus, attackers have little incentive to discontinue creating more effective tools and techniques.

Where DaaS Comes From 

DaaS providers commonly do business from countries, like Russia, with little to no regulation. They make use of the following sources.

• Bots. These automated social media accounts spread the disinformation created by trolls. 
• Fake news sites. These websites may look like legitimate news sites, but they exist to publish untrue stories designed to spread rumors and lies. 
• Influencers. You may think of influencers as people who promote things like beauty products online. But some influencers promote other things, such as false information and ideas.
• Social media platforms. Even with a robust effort, no social media platform can completely prevent the spread of disinformation. The challenge is that most put forth a less than robust effort, meaning these sites are prime places for lies to gather strength. 
• The dark web. This underbelly of the internet hosts marketplaces, which can’t be found through common web browsers and where illicit items (such as drugs and weapons) and services, including DaaS, can be purchased. They operate anonymously, making it difficult to know who is behind them. The following video demonstrates how the dark web works.

• Troll farms. These groups of professional trolls made famous during the 2016 U.S. presidential campaign do their worst by generating fake news stories. 

How DaaS Can Hurt Your Business

DaaS attackers commonly perform their services to cause various problems for a company, as described below. 

• Financial loss. A ding to a company’s reputation could cause them to lose business if customers defect based on false news. Investors could shy away. The situation could even cause attrition as employees reevaluate whether they want to work for the company, resulting in the high cost of a talent search. Not to mention the costs of re-establishing a positive reputation, a process that could take years of concerted promotional effort. 
• Reputational damage. An attacker may diminish a company’s or its leaders’ credibility by spreading lies or making confidential information from the target company public. Such actions may result in lost business, reduced investment, and failed partnerships.
• Stock price manipulation. A competitor may want to drive down the value of a target company’s stock to create the illusion that the company is doing badly and make itself look more successful in comparison.
• Suspicion. The COVID-19 pandemic provided an example of what can happen when ideas become the target of misinformation campaigns. Those who believed the lies spread about vaccines, masks, and other prevention efforts subsequently made decisions that impacted their behavior, including how they interacted with specific companies. 
• Operational disruption. All the other factors listed here can lead to operational disruption, meaning team members are distracted, and work may not get done in the usual way. If suppliers, vendors, or other partners believe the disinformation, the company may have trouble with logistics and other practical matters.

Since false statements on social media are more likely to be reposted than true ones, disinformation can spread rapidly and cause the problems listed here very quickly. 

How to Protect Your Business

While DaaS attacks do present a tricky challenge, there are things you can do to prepare for them and mitigate their effect.

Determine risk. It may seem like a terrible thing to have to think about, but who are your enemies? Who are your competitors, and how determined are they to outperform you? Who else could benefit from your company’s demise or damage? What are your vulnerabilities or things you might not be proud of?

According to the PwC article, “certain types of organizations are more susceptible targets for disinformation campaigns.” They include those with “celebrity” CEOs, those that are vocal about controversial issues, those that are pursuing an IPO or other important transition, or those that are experiencing a surge in demand.

Get out ahead of it. Start thinking of ways to be proactive about messaging that could counteract anything negative those parties might want to say about you. If you know of something true about your company that could be damaging, find a way to communicate it and turn it into a positive. For example, you might come out with the results of a survey finding a pattern of discrimination toward women along with the announcement of an initiative to support and promote them.

In fact, it’s a good idea to be as transparent as possible on all matters to build trust and gain customer loyalty. Another way to be proactive is to have your own “superspreaders” — allies with large social media followings — who might be able to counteract any disinformation campaigns.

Monitor the internet. Monitor social media and other online platforms to detect DaaS campaigns in their early stages, especially specific accounts likeliest to spread disinformation. There are tools available to help automate this process. Even setting up some Google Alerts for the business name and related terms could be helpful for smaller companies.

Educate employees. Just as the modern business environment requires you to train employees about cybersecurity and what to watch for, it also requires you to teach them about DaaS, especially marketing and communications professionals. Make sure they have the tools and resources to look for signs of a negative campaign and encourage them to report suspicious activity.

Implement technology solutions. Use technology solutions to support your efforts in combating DaaS attacks. In addition to the internet monitoring tools already mentioned, businesses can install platforms specifically designed to detect disinformation. 

Support fact-checking. Organizations such as the News Literacy Project take on all forms of online disinformation by providing fact-checking services. You can donate to such organizations and join them to participate in their efforts. 

Build your reputation. Counter any disinformation that may be spread about your company in advance by proactively building your reputation. Some ways to do so include exceeding expectations, getting involved with your community, quickly addressing mistakes, engaging with customers, building your online footprint with a website and other digital assets, giving to worthy organizations, and treating employees well.

Develop a recovery plan. Based on the information you compiled in the “determine risk” step, prepare countervailing content based on the different messages that could be used to attack you. Create a list of stakeholders to contact directly, such as customers, vendors, business partners, and board members. In the event of an attack, you will want to move quickly to let them know the false information isn’t true. 

Take legal action. You might not always know who is responsible for a DaaS attack, but if you do know or suspect, you can work with law enforcement agencies and other legal channels to file a lawsuit if necessary. 

Hire a risk officer. A chief risk officer (CRO) plays a similar role to a CIO, CTO, CDO, or other C-Suite positions in that this person is responsible for mitigating risk for the entire company. That includes the risk of a disinformation attack toward you and other risks that may threaten operations, strategies, finances, the ability to comply with regulations, and the ability to compete. Because each industry and company is different, the specific initiatives might vary.

To avoid or reduce risk, the CRO might perform tasks such as conducting risk assessments, updating policies and procedures, guiding recovery planning, developing reports, educating employees, developing budgets, guiding decisions and implementing plans in the event of any kind of threat. In today’s business environment, many risks exist. For companies that can afford it, CRO can help keep them at bay.

Don’t Let Lies Turn Into Facts

A lie can be told millions of times in today’s online environment very rapidly. However, that doesn’t mean it must become a reality. While DaaS campaigns can be very powerful, you have control of another powerful weapon in this fight in the form of your digital assets. Years’ worth of blog posts, a solid website, PR campaigns that feature third parties saying good things about your company, and other existing documentation can’t be overlooked.

While you may incur some damage in the event of a DaaS attack, remember it is possible to bounce back and take advantage of the fast dissemination of information, which also means today’s news is tomorrow’s old news. With the next shocking revelation combined with your continued efforts to repair your reputation, people may just forget about a brief dump of rumors that, as far as they know, may or may not have been true.