An American family was recently in the news warning others about how they were the target of a ransom call in which scammers used AI (artificial intelligence) to clone their daughter’s voice to convince the parents they had kidnapped their daughter, with the apparent goal of extorting money.
The rise of deepfake audio scams
DeLynne Bock, the mother of Payton Bock and target of the con, said she feels she can easily spot a fake scam call, but this was on a whole other level.
According to the news story, the scammers called their home, where DeLynne’s husband answered the call. A man on the other end of the line was screaming and using foul language, saying his daughter had caused an accident, hitting his car, and couldn’t find her insurance. From there, he started making threats, saying he had her tied up in the back of his truck.
What made the call so convincing was the deepfake of her daughter’s voice on the other end of the line – pleading for help, crying. Unable to reach her daughter by phone, DeLynne called the police while her husband kept the man on the phone. “I called the police, and they’re saying, ‘This is possibly a scam situation.’ I said, ‘There is no way this is a scam. This is my daughter’s voice,’” DeLynne said. “This wasn’t just some person pretending. As a mother, you know your daughter’s voice, and this was my daughter.”
Apparently, this wasn’t the first time this happened which is how the police were able to suggest it could be a scam. This is just the latest iteration of how hackers are using AI to produce deepfakes to extort money. AI and ChatGPT have been in the news recently for a reason – AI is an extremely powerful tool that, if put in the wrong hands, can do a lot of harm.
How scammers are exploiting AI tools
As these AI tools become more sophisticated cyber criminals are finding ways to take advantage of the technology to make financial gains. Deepfakes have been used to replicate celebrities’ voices and even to access bank accounts.
According to one reporter, a deepfake of his voice was able to trick his bank’s voice authentication access putting into question the security of voice biometric systems.
It’s not a stretch to imagine the use of AI to fake a CEO’s voice, signature or writing style in an e-mail, text, call or instant messaging to trick an employee into sending money or doing things that would severely harm the organisation, such as providing a login or access to the company’s network, data or critical applications. Or similarly use this same type of approach to scam clients or patients into giving up confidential information or payments.
A report released by security experts at Home Security Heroes showed that 51% of common passwords could be cracked in less than one minute using an AI. Both the length and complexity of the passwords factored into the speed of successfully cracking the password, but even a complex password with seven characters using both uppercase and lowercase letters, numbers and symbols took just minutes to crack.
This means it’s hypercritical for all business owners to no longer rely on strong passwords and simple antivirus to protect their organisation.
What does that mean for your business?
Today, all businesses should have some type of security awareness training for their employees. For example, simply sharing this article and others we publish like them can go a long way toward making sure they’re always on high alert for scams; but sharing the occasional article is not enough.
You should have some type of ongoing reminders and formal training so that it’s always top of mind. Employees AREN’T “too smart” to fall for these scams. If someone can trick a mother into believing her daughter has been kidnapped by duping her daughter’s voice, they can trick an employee into clicking on a link, giving them access or transferring funds – and it’s happening right now to a lot of businesses.
Second, you need to work with your IT company to ensure they have implemented robust cyber security tools and protections, as well as disaster recovery protocols so if you are ransomed, you can be sure to recover your data. This is not an area to be cheap about.
Most people stubbornly believe it won’t happen to them, or that it will be a minor inconvenience, not the costly, business-crippling and devastating disaster that a cyber or ransomware attack can have. An ounce of prevention goes a long, long way toward minimising your risk.
I would also recommend being mindful of any urgent calls you receive asking for money, even they seem to be a family member or colleague. Here are a few things to keep in mind:
- Ask personal questions that only the caller would know to verify their identity.
- Try to contact the caller on a different source – say you’ll call them back, or contact them through another channel. The scammers might have been able to fake the number but it’s unlikely they’ll have access to other forms of communication or that they would receive the call back.
- Take a moment to think carefully and analyse the situation – is it possible? Does it make sense?
If you want to make sure your IT services provider is protecting you properly, click here to request a FREE IT Security Risk Assessment. This assessment is not time-consuming, invasive or difficult to do, but will give you the unvarnished truth about your current security and whether or not you will be properly and brilliantly prepared for a cyber-attack.
