AI Fraud: Protecting your business from deepfake calls

Key takeaways

  • Criminals are using new voice technologies and social engineering tactics to perpetrate more fraud attacks by telephone and make them more effective at fooling victims.

  • With deepfake audio, a fraudster uses AI-driven voice cloning to recreate a voice print, for example cloning a senior executive’s voice to compel a subordinate to initiate a fraudulent payment.

  • Voice phishing, or “vishing,” is the more traditional criminal practice of using social engineering over the phone to trick people into providing private, personal or financial information.

Cybercriminals continue to develop new methods and technologies to commit fraud by gaining access to confidential information and hacking accounts. Beyond using traditional cybercrime methods — like phishing emails and malware — they are exploiting trust, human error and staff vulnerabilities over the telephone. Cybercriminals are increasingly leveraging voice technologies as a way to commit fraud and infiltrate organizations, and the rise of artificial intelligence (AI) is helping them become more effective.

AI-supported fraud is blurring the lines between what’s real and what isn’t. In addition to the threat it poses to a society navigating the digital world, AI fraud has the potential to bring significant reputational, financial and security risks to companies. Particularly concerning is the development of deepfake audio, which is allowing cybercriminals to execute more elaborate social-engineering attacks by phone.

What is deepfake audio?

Deepfake audio uses a machine-learning algorithm to mimic the voice of a real person on the phone. For example, a cybercriminal can fake the voice of a senior executive to trick employees into believing they’re talking to someone in a position of authority and being instructed to carry out legitimate orders, such as facilitating a money transfer or sharing information.

Deepfake audio via voice cloning is one of the most advanced new forms of AI underpinning cyberattacks. The attacker creates a voice model by feeding a computer algorithm data that contains voice samples of the mimicked individual, which are often collected from public sources such as speeches, presentations, corporate videos and interviews. To support deepfake fraud efforts, the most advanced hackers can create a voice profile by incorporating up to 20 minutes of audio.

Once a sufficiently robust deepfake audio profile is built, it can be used with specialized text-to-speech software to create scripts for the fake voice to read.

What can you do about deepfake fraud?

  • Increase awareness, especially among senior executives, of the risk of this type of cyberattack. 
  • Remind staff that just because a communication appears to come from a senior executive doesn’t mean they should comply immediately, particularly if the request is outside the company’s processes or seems suspicious or extremely urgent. 
  • Pay attention to any requests for deviations from organizational processes around wiring money or sensitive transactions. 
  • Ensure that employees who make wire transfers are educated about deepfake audio scams. 
  • Verify suspicious requests or instructions by calling the person on the phone directly using a recognized number (such as the executive’s desk or personal mobile phone) or by sending them an email to confirm the call is legitimate. 

What is voice phishing (vishing)?

Vishing is the more traditional, and less technical, criminal practice of using social engineering over the telephone to trick people into providing private, personal or financial information, usually with the promise of financial reward. The cybercriminal makes a phone call or leaves a voice message purporting to be from a reputable company to induce individuals to reveal personal information, such as bank details and credit card numbers. Vishing uses the same techniques as phishing emails but is done over the phone.

What can you do about vishing?

  • Never provide sensitive information (e.g., your Social Security number, bank account information, addresses or the names of others in your organization) to an unsolicited caller. 
  • Always verify the caller by asking for their name and phone number. Verify the authenticity of the request by calling an independently obtained phone number (for example, from your contact database) and confirming the caller is who they say they are.  
  • It is acceptable to say to someone who you think is suspicious, “Let me take your name and number and I will get back to you” — especially if they say they are in a rush and are trying to hurry you. 
  • Never assume that what appears to be an internal message or caller is legitimate, especially if the caller is asking for sensitive information. Avoid describing reporting relationships and other organizational information, including names of staff members in sensitive areas (e.g., money transfer, HR).  
  • These are some telltale signs a caller might be a criminal intending to do harm:  
    • The caller asks for organizational reporting relationships or other sensitive information.
    • The caller says they need the information urgently. Requests that convey a sense of urgency to take some action are often red flags. It is rarely urgent to reply to a message immediately, so check that the request is legitimate before responding.
    • The caller claims to be from a government agency or a technical support team and asks for sensitive, personal information such as passwords to systems and applications.

As technologies continue to advance and allow cybercriminals to use impersonation and AI to increase the effectiveness of fraud through social engineering, companies must prioritize best practices to reduce the risk of falling victim to these schemes. Organizations will need to educate their workforce to be on the lookout for signs of deepfake audio and vishing, among other cyber threats.

 

At U.S. Bank, your privacy and security are our priority. We’re constantly enhancing our systems to keep your data secure and provide seamless technology experiences. Learn more about protecting your organization with our fraud prevention checklist or contact U.S. Bank for help with your fraud prevention plan.
