Emerging Threat - Audio Deepfakes
In the original 80's movie, the T-800 ‘Arnie’ Terminator successfully mimicked voices over the phone to find Sarah Conner. In the sequel, the upgraded T-1000 could mimic both the voice and appearance of other humans. While the threat alert we highlight today may seem like science fiction, it's real and in the wild. So far, the real scammers have not been able to mimic appearance easily, but we do need to beware of voice deepfakes today.
The attack plays out like this:
The financial controller for a company gets a phone call from the boss. The boss requests an immediate wire transfer to facilitate a deal she’s been working on. "Do it now."
The financial controller, recognizing the boss’s voice and even her slight German accent, complies. The money is sent.
Unfortunately, this was a scam. It’s called deepfake audio and it’s real. AI software is used to mimic a human voice based on recordings. This threat has been reported about a dozen or so times, but so far has only hit larger organizations. We can be sure, however, that eventually these threats trickle down and can be a threat to SMBs. In the world of social engineering, the scammers are always looking to new technology to dupe unsuspecting businesses out of their money.
The BBC reported on 3 known cases of deepfake audio in July 2019 but noted that to train the AI to accomplish it, several hours of good quality audio of the victim would be required. It would take a substantial investment of time and money to pull it off. So, a nice theory but in reality, small business probably doesn’t have to worry too much. Fast-forward to November 2020 and thanks to an open-sourced Github project, cloning a voice can be done with as little as 5 seconds of sample audio.
So far this is an emerging threat. There have only been a handful of cases. But cybercriminals are always looking to exploit and weaponize new technology to orchestrate their scams. The paycheck might not be as big with small business, but they are unsuspecting and often low-hanging fruit.
What steps protect us against this kind of cyber attack?
Stay ahead of the curve by making this new scam known to your staff. Here are a few tips to protect you against this type of attack.
Policy is one of the best protection against social engineering tactics. For sensitive transactions, such as requests to move money, there should be a set of processes in place to ensure the request is legit. Confirmations should be made via out-of-band communication. So, if the request is made by email, pick up the phone. If the request is verbal, send them an email or text message. This type of policy should be documented, and all pertinent staff should be aware of it.
Training is another effective protection against social engineering tactics like this one. Security training bolsters awareness and knowledge so that your company has a culture of security. A well-trained employee would automatically red-flag an out-of-the-blue phone call (or email or text) to move money immediately.
Finally, a good security culture comes when training and policy are in place AND management is onboard and follows the rules. Hence, a CEO would know the policy too, and would not cheat and skip process to phone in a request to wire money. Your trained staff would identify this too as a red flag.
According to Terminator lore, It was in the year 2029 that Skynet invented the T-1000 with its mimetic polyalloy ability to clone appearance, so that gives us at least 8-years before we have to defend against liquid metal deepfakes attacking our businesses. Until then, be aware of the less advanced, but still pretty scary, deepfake audio. Have good training, good policy, and make sure management sets the example and follows the rules.
Stay safe and keep the bad guys out!
Fun PS: Chinese scientists develop shape-shifting robot inspired by T-1000 from Terminator