AI Could Escalate New Type Of Voice Phishing Cyber Attacks

Earlier this week, the Israel National Cyber Directorate (INCD) issued a warning of a new type of cyber-attack that leverages artificial intelligence technology to impersonate senior enterprise executives. The method instructs company employees to perform transactions including money transfers and other malicious activity on the network.

There are recent reports of this type of cyber-attack received at the operational center of the INCD. While business email compromise (BEC) types of fraud oftentimes use social engineering methods for a more effective attack, this new method escalates the attack type by using AI-based software, which makes voice phishing calls to senior executives.

“Experts have certainly been warning for the past two or three years about the dangerous side of artificial intelligence, namely that agile cyber criminals could use it to extend their reach significantly,” said CNBC Cyber Security Reporter Kate Fazzini.

The attacking software learns to mimic the voice of a person defined for it and makes a conversation with an employee on behalf of the CEO. It was also reported that today there are programs that, after listening to 20 minutes to a particular voice, can speak everything that the user types in that learned voice.

According to INCD, enterprises that fall prey to such fraud, could suffer high economic damage. In its announcement, the INCD also issued suggestions for taking precautions and raising awareness among organizations — such as training employees, paying attention to deviations in organizational processes, verifying instructions and using technological means to prevent misuse of email.

Fazzini adds, “Using voice impersonations to mimic executives on the phone has obvious implications for wire fraud schemes, which rely on a criminal’s ability to convince an employee that his or her top executive is sending instructions for a wire. Most law enforcement agencies recommend ‘voice verifying’ these wires to ensure they are coming from a legitimate source. Criminals have already demonstrated they can spoof and intercept calls, and adding the executive ‘voice’ may override even these safeguards.”

See Related: “The Phishing Phenomenon: How To Keep Your Head Above Water”