October 20, 2023

How Artificial Intelligence Enhances Social Engineering Attacks


Voices are a unique way to identify someone. So much so that babies know their mother’s voice early in development and can distinguish it from others. Even years after last hearing from a good friend, you’ll likely recognize their voice before they say their name.

Nowadays, voices are one of several biometrics, like fingerprints and faces, used to verify a person’s identity before granting access to devices and accounts.

We put a lot of trust in what we hear, but as generative artificial intelligence develops and cybercriminals find new ways to use this technology, that faith is quickly turning to doubt. When AI voice cloning is coupled with a phone call, it becomes a powerful tool to manipulate humans into giving up sensitive information and dupe voice verification systems into thinking a hacker is a legitimate account holder.  

Understanding how these cyberattacks are carried out and what you need to do to keep sensitive data safe is key to avoid becoming a victim.


What is Social Engineering?  

Sometimes called “human hacking,” social engineering is the manipulation of an individual into clicking on a malicious link that spreads malware, sending money to a fraudulent account, or giving up access to personal or financial accounts and sensitive information. The fraudster poses as someone else, often impersonating an authority figure such as a government official, boss, client, or coworker.

Email is one of the most common channels used to initiate these scams, in which case it is called phishing, but they can take other forms as well, like SMS/text (smishing) and phone (voice phishing/vishing).

A sense of urgency is created to prevent the victim from second guessing the instructions or requests of the hacker. No sophisticated code is needed, just the ability to play on the emotions of the person on the other end of the line.  

We often imagine hackers in black hoodies and dark rooms hunched over computers writing ransomware code, but hacking into your account can be much simpler than that. No computer science experience is needed because hacking human psychology can yield the same results with lower effort.  

 

Hearing is Believing 

Now imagine that the hacker has the power to convincingly sound like your family member or your boss. What kind of damage could they create when that is paired with social engineering tactics?

With voice cloning software powered by artificial intelligence, vishing becomes a far more powerful tool to dupe people into handing over money to scammers. 

Over the past few months, news stories of scammers cloning the voices of loved ones in distress and demanding ransom money have emerged more frequently. One mother in Arizona, Jennifer DeStefano, recounted her terrifying encounter with the AI scam to a Senate judiciary committee.

While her 15-year-old daughter was away on a ski trip, DeStefano received a phone call from an unknown number. Thinking it might be her doctor’s office, she answered the call. Instead, she heard her daughter’s voice on the other end crying, “Mom, I messed up.” At first, she assumed her daughter may have injured herself, but suddenly a man’s voice shouting threats emerged through the sobbing.

“Mom, these bad men have me. Help me! Help me!” her daughter pleaded. 

The man who took the phone away started making demands. No cops. $1 million in cash. She would be picked up in a white van with a bag over her head so that she wouldn’t know where she was going. Eventually, she negotiated the amount to $50,000 when she explained it would be impossible to get $1 million in cash. He threatened to kill her and her daughter if she didn’t bring the money.

Another parent with her called 911, and police informed her of AI scams like this. Eventually, DeStefano was able to reach her husband who was with their daughter and confirm she was safe.  

Once she was sure it was a scam, she hung up.  

Unfortunately, the cops dismissed the incident as a “prank call” when she attempted to file a police report.  

Ultimately, the fraudsters failed to collect cash in this case, but other less harrowing versions of this voice cloning tactic have succeeded in defrauding companies.  

 

How Artificial Intelligence Enhances Social Engineering Attacks  

A whaling attack is a type of phishing method where cybercriminals impersonate a senior executive at a company to get subordinates to share login credentials or wire money to a fraudulent account. Usually, communication is strictly conducted through email or text with spoofed email addresses or numbers. However, with voice cloning tools, cybercriminals can now initiate this social engineering attack with a phone call. They only need to sample a few minutes of a person’s voice to replicate it, so anyone who’s conducted an interview or filmed a video and posted it publicly to social media can be easily targeted.  

In 2019, cybersecurity experts uncovered what might be the first case of a successful whaling attack using artificial intelligence.  

The CEO of a U.K.-based energy firm received a call from “the boss” of his firm’s parent company in Germany, asking him to send funds to a Hungarian supplier. The request was urgent; it needed to be completed within the hour.  

After $243,000 was sent to the account, the CEO realized he had been tricked, too late to recover the funds.

As AI voice cloning technology becomes better and more widely available, law enforcement and cybersecurity experts anticipate that cybercriminals will rely on it more often to execute and enhance the credibility of a social engineering attack.

To make the scam even more convincing, they’ll likely combine AI vishing with email phishing or portal spoofing in what cybersecurity experts call a “hybrid tactic” to get people to click on malicious links or give up login credentials to a private network.  

New hires are particularly vulnerable to these tactics, as they are becoming familiar with the names, titles, and voices of their coworkers and the executive leaders. The Photon Research team uncovered a massive hybrid operation in 2020 targeting new employees of companies. Posing as IT support, the cybercriminals offered to troubleshoot VPN access issues over the phone. Employees were then directed to a spoofed VPN access portal to enter their credentials, giving the hackers access to private networks.  

  

 

Vishing Services on the Dark Web 

Like other forms of social engineering, vishing doesn’t require a lot of technical knowledge. The dark web is brimming with services to help cybercriminals execute their scams, including Ransomware-as-a-Service, which plays off the legitimate Software-as-a-Service model: hackers with the coding skills provide access to malicious software for others to use. Voice Cloning-as-a-Service is the latest offering gaining the interest of those looking for a low-effort entry point into cybercrime.

Another option includes purchasing commercially available voice cloning tools or finding free software online and misusing them for nefarious purposes.  

As new technology is adopted, people will always find ways to abuse it. Telephone scams existed long before the rise of the internet. As more people started to use computers at the office and at home, fraudsters shifted their focus to these new channels of communication. Shortly after, what we think of as traditional phishing emerged.  

Interest in phone scams was renewed with the introduction of smartphones and VoIP services, which allow scammers to easily spoof familiar phone numbers. Voice cloning is the latest tool being misappropriated by cybercriminals.

 

Protecting Your Sensitive Data in the Age of AI Voice Cloning 

One of the best deterrents to social engineering is to educate yourself on the tactics used. A common red flag is a sense of urgency. If you’re on a phone call with someone and feel pressure to send money or divulge sensitive information, take a minute to confirm the person’s identity. Don’t be afraid to politely hang up and call back using a known number to ensure you’re speaking to the right person.

Another cybersecurity concern spurred on by the rapid advancement of artificial intelligence is the potential rise in voice authentication scams.  

Many companies, including financial institutions, use a customer’s voice to confirm an account holder’s identity, but the efficacy of this biometric as a form of authenticating a person’s identity is rapidly degrading in an age of AI voice cloning. Until businesses stop relying on this biometric for authentication, customers should be extremely vigilant in monitoring their personal information.

If personal details like your email, date of birth, or Social Security number are leaked on the dark web, it’s much easier for cybercriminals to take that information and use it in a voice authentication scam to access your personal and financial accounts.  

IDSeal provides tools like dark web monitoring to alert you when your email, passwords, Social Security number, and other personal identifying information are found on the dark web. You can also set up financial transaction monitoring to spot any suspicious activity.

In addition to identity and financial monitoring tools, every IDSeal plan comes with a 16-feature device protection app that enhances your online privacy. Features like Ad Blocker, Antivirus, a Virtual Private Network, and more help to make your browsing experience safer and more enjoyable.  

To learn more about IDSeal’s features, check out our plans and prices. 

 
