Images on school websites and social media accounts are being leveraged by cybercriminals to create sexually explicit deepfakes of students, which are then used to extort the schools in paying money to prevent the deepfake images from being released. 

According to the Internet Watch Foundation (IWF), a school in the United Kingdom was recently targeted with a blackmail attempt after images were taken from its website and/or social media. With the use of AI deepfake tools, the cybercriminals transformed those photos into child sexual abuse material (CSAM), sent the materials to the school, and threatened to release them online if money was not sent. 

The IWF deployed a digital tool to turn the blackmail material into a “hash” (digital fingerprint) and distributed it to technology platforms to prevent the materials from being uploaded. In all, 150 of the images from this blackmail attempt could be categorized as CSAM under law in the UK. 

This event, which occurred late last year, is not the only instance of this type of blackmail. 

Schools are encouraged to reconsider the need for posting student photos publicly online in the first place, but if photos are to be posted, schools should: 

• Avoid labelling photos with students’ full names
• Apply privacy settings to websites and social media 
• Regularly audit student imagery on websites, social media or other promotional content 
• Require consistent resigning of image consent agreements 

In an era of AI deepfakes, schools must reconsider the way they display their students online. The consequences could be significant.