AI Voice Scams Are Here: What Businesses Must Know

The phone rings at the desk of a new employee. The boss is on the line. He says he's having trouble reaching staff, and he needs several hundred dollars of gift cards to give to a client. He asks the employee to buy the cards, then call him back with the serial numbers.

A shipping clerk receives a text message from a known client asking to call an unfamiliar number. The client picks up the phone and asks the clerk to divert a pending shipment to a new address because of facility issues at the old address.

An AI voice scam has been launched in both of these examples. How would your employees react?

Using deepfake technology, criminals can pull off an AI voice scam with just a few seconds of someone's voice. As reported by Agence France Press via Yahoo! News, 70% of people surveyed by McAfee Labs did not believe they could tell a real voice apart from an AI-generated voice. This opens new avenues for pretexting attacks by criminals impersonating business leaders and clients. While the examples cited by Agence France Press involve "Grandparent scams," where the faked voice of a grandchild is used to demand money, it is a small leap for criminals to exploit these same tools to drain business bank accounts and steal goods.

How to Stop AI Voice Scams in Your Business

An AI voice scam is a sophisticated attack designed to avoid detection. Do not assume that a machine voice claiming to be the CEO will call, or that there will be obvious signs that something is wrong. The best deepfake technology can synthesize speech and respond to questions in real time. In the Grandparent Scam, the criminals may pre-record a snippet of the fake grandchild in distress while the criminal does most of the talking. In more advanced scams, employees can be duped into believing they are talking with people they know.

There are three steps that businesses must take to prevent losses from an AI voice scam:

1. Beware of what you share. As we discussed in Is Your Website a Bait Shop for Phishing Attacks, sharing by companies arms criminals with the information they need to carry out all kinds of pretexting attacks. Add video clips featuring senior staff to the list of things that should not be easily accessible online. If you must post an employee's keynote speech or personal welcome to all site visitors, make sure that there is no clear voice-only audio. Put music under their voice or add some recognizable room tone or background noise. Only the most sophisticated voice replicators can extract a single voice from audio with multiple tracks. If you face a significant risk of data loss, system compromise or theft, the safest course is to remove any usable samples of any kind of the voices of senior leaders. This includes personal websites and social media posts as well as company-owned properties.
2. Establish firm business protocols.?At any point in time, employees should know what they are and are not authorized to do. Precise protocols will vary from business to business and role to role, but there are best practices to guide this. For example, employees should know that they are not authorized to make personal purchases on behalf of the company; establishing this rule will stop gift card scams. Employees must know that they are never to share a password or download software without specific, in-person authorization from a superior. Companies that deliver goods should have a formal process in place with their clients for any changes in delivery dates or locations, which can include a 24-hour written notice that is verified by more than one individual on the shipper's end. More guidance on establishing protocols and responding to attacks can be found in our free Cyber Crime Response Kit.
3. Train, train, train.?The best defense against all types of attacks is cyber security employee training. Business should have regular training for all employees, as well as a specialized training program for new employees. Anecdotal evidence and some recent study data show that cyber criminals tend to target new workers who may not be as familiar with a company's policies and who may not have received formal training. Employee training should begin on the first day on the job and is essential for businesses that have been victims of cyber crime in the past.

A sophisticated pretexting AI voice scam can be very difficult to detect and defeat. Alert employees who know company policies and protocols that mandate a second set of eyes on unusual coworker or client requests are the best ways to stop these attacks.