AI-enabled voice fraud is on the rise. Research from McAfee found that 1 in 4 adults had been victims of this type of crime, with 77% of those individuals losing money.
Organizations need to know how cybercriminals use voice cloning if they want to safeguard their financial information and confidential data. Cybercriminals have moved away from sending suspicious-looking e-mails to using highly accurate voice deepfakes that replicate the voices of executives, vendors, trusted co-workers, or people the employee knows personally, and then pressuring their targets into urgent decisions.
AI-based voice deepfakes are so realistic that they are able to circumvent traditional doubts and scepticism. Therefore, AI-based voice deepfakes represent the fastest-growing category of business fraud today.
What Exactly is Voice Cloning?
Using recorded audio samples, voice cloning uses artificial intelligence to mimic a person’s voice. Basically, software evaluates how a person produces sounds, including tone, speed, accent, and pauses, in order to create new speech that sounds like the original speaker.
Many people seem surprised by how few audio samples are necessary; in some cases, less than one minute of audio can be used to generate a deepfake voice model of a person.
Cybercriminals frequently gather samples from any public source, including:
- Corporate presentation
- LinkedIn video
- YouTube interview
- Podcast
- Recorded webinar
Once cybercriminals obtain a person’s voice samples, they can use them to create a deepfake AI voice capable of saying anything an attacker wants.
Many companies are still not fully prepared for advanced cyber threats. According to a recent cybersecurity preparedness report, many organizations remain vulnerable to modern attacks.
How is Voice Cloning Used by Cybercriminals in Real Situations
To understand how cybercriminals use voice cloning, it helps to look at how these attacks play out against real-world organizations.
Executive Impersonation
A finance department worker may receive a call from someone who sounds exactly like the company CEO.
The caller will typically sound quiet yet rushed and will relay a message such as:
- “Please process my payment today. I am out of the office and unable to access the system.”
At first glance, everything sounds normal: the voice is familiar and the request seems reasonable. The employee will only find out later that the real CEO never made this call.
These imposter calls show just how realistic a deepfake voice attack can appear when combined with social engineering.
These attacks are similar to Business Email Compromise attacks, where cybercriminals impersonate executives to steal money from organizations.
Urgent Financial Requests
Most voice deepfakes rely on urgency to convince the listener that the request really comes from their employer and that payment must be made immediately.
- Typical phrases include: “This must be completed today,” “This is confidential,” “I will explain later,” or “Please don’t delay.”
- The pressure to process the request quickly keeps the employee from verifying whether it really came from their boss. Because the request arrives in an AI deepfake of a familiar voice, employees are much less likely to question it.
- Phone scams that use voice deepfakes have become widespread among companies and are now seen as one of the largest sources of voice scam fraud against businesses.
Vendor or Supplier Impersonation
Attacks involving vendor or supplier impersonation are also fairly common. The attacker would typically call you and state that their bank information has changed. They then ask for payment to be sent to a new bank account going forward. Because the impersonated vendor sounds like your regular contact and the request seems routine, it is often approved without verifying the change. Often, the organization learns about the fraud only after many payments have already been made.
Information Extraction
Not all attacks are about directly sending money. Criminals may also use the cloned voice of someone at your organization to extract confidential information. For example, they may request:
- username/password
- One-Time Password (OTP) codes
- employee records
- internal reports
Even with a strong focus on data security, a well-designed AI voice deepfake could lead your employees to let their guard down.
Why Voice Cloning Scams Are Hard to Detect
- Voice cloning scams work by exploiting our natural tendency to trust what we hear from others, especially when they use a familiar voice. Most employees have been taught to be wary of suspicious emails, but few will expect to be a victim of a fraud that is perpetrated via a familiar voice.
- The instant someone hears a voice that they know, their brain automatically gives the voice “trust.” Often people give credibility to that voice until something arises to make them question it.
- Technological advancements have also improved deepfake voice quality: generated speech now has normal pauses between words and an emotionally charged tone. As a result, the voice no longer sounds robotic or unnatural.
Organizations of all shapes and sizes need to understand how cybercriminals use voice cloning.
How Businesses Can Protect Themselves
Despite the advancements in voice cloning technology, effective deterrence often relies on a basic level of vigilance.
Always Verify Financial Requests
Do not rely solely on voice communication to verify that an employee has requested money.
Employees must verify with at least one other method before acting on any payment request.
For example:
- Official e-mail
- Business messaging
- Calling back via a known number
Even the best, most realistic-sounding deepfake voices cannot circumvent good verification.
Establish Clear Approval Procedures
To reduce the opportunity for voice scams to succeed, organizations need to establish rules for how they will approve financial transactions.
For example, companies can establish:
- Dual authorization for all transfers
- Written authorizations
- Vendor verification processes
Using clearly defined, well-organized processes to execute financial transactions makes it harder for voice cloning to defraud firms.
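The verification and approval rules above can be enforced in the payment workflow itself rather than left to memory under pressure. The sketch below is an added example, not Threatcop's code; the Request fields, the KNOWN_NUMBERS directory, the sample values, and the rule that a bank-detail change needs a callback are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed directory of contact numbers already on file (hypothetical values).
KNOWN_NUMBERS = {"ceo": "+1-555-0100", "vendor-acme": "+1-555-0142"}
SECOND_CHANNELS = {"official_email", "business_messaging", "callback"}

@dataclass
class Request:
    claimed_identity: str            # who the caller says they are
    received_via: str                # channel the request arrived on
    changes_bank_details: bool = False
    confirmations: list = field(default_factory=list)  # (channel, contact_used)
    approvers: set = field(default_factory=set)        # distinct employee ids
    written_authorization: bool = False

def valid_confirmations(req):
    """Return the channels that independently confirmed the request."""
    ok = set()
    for channel, contact in req.confirmations:
        if channel not in SECOND_CHANNELS or channel == req.received_via:
            continue  # re-confirming on the request's own channel proves nothing
        # A callback counts only if it dialed the number on file,
        # never a number supplied during the call being verified.
        if channel == "callback" and contact != KNOWN_NUMBERS.get(req.claimed_identity):
            continue
        ok.add(channel)
    return ok

def release_blockers(req):
    """Reasons the payment must be held; an empty list means it may be released."""
    blockers = []
    confirmed = valid_confirmations(req)
    if not confirmed:
        blockers.append("no second-channel verification")
    # Assumed rule: changed bank details require a callback to the number on file.
    if req.changes_bank_details and "callback" not in confirmed:
        blockers.append("bank change not confirmed by callback to number on file")
    if len(req.approvers) < 2:
        blockers.append("dual authorization incomplete")
    if not req.written_authorization:
        blockers.append("written authorization missing")
    return blockers

# Constructed sample: a "CEO" phone call, "verified" only by calling back the
# number the caller gave, and approved by a single employee.
SAMPLE = Request("ceo", "phone_call",
                 confirmations=[("callback", "+1-555-0199")],
                 approvers={"emp-17"})
```

For SAMPLE, release_blockers returns three blockers, because the callback went to a caller-supplied number and therefore does not count as verification.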
Educate Employees About Voice Scams
Many employees are unaware that voice cloning technology exists.
Employees should attend training sessions regarding:
- How AI technology can be used to create voice clones
- Common signs that someone may be using a voice clone to commit fraud
- Verification steps that confirm who requested what
Simply making more employees aware of voice cloning will help deter many scams.
Reduce Public Voice Exposure
- Voice cloning technology relies on having extensive audio samples available to create a voice clone.
- Organizations may want to consider establishing policies to limit audio recordings uploaded online of their CEOs and other senior executives.
- Even very short clips from a webinar or an interview could be used to generate a voice clone.
Overall, limiting the number of these recordings available reduces the possibility that an organization will be targeted with voice cloning technology. Organizations should also follow proper cybersecurity best practices to reduce the risk of voice cloning attacks.
FAQs
How is voice cloning used by cybercriminals in business attacks?
Cybercriminals misuse voice cloning to commit fraud within organizations. They use cloned voices of company executives or vendors to request greater or unnecessary payments or confidential information. The success of these scams hinges on the deepfake voice sounding real.
Can a deepfake voice be created easily?
Yes, it is easy to create a deepfake of a voice. Current AI technologies permit the creation of an AI voice deepfake from very short audio clips taken from publicly available video or audio.
What is the safest way to prevent voice scams?
The most effective way to prevent voice scam victimization is to verify using a second communication channel. Even if an AI-created deepfake voice sounds credible, verifying through alternate means will prevent being defrauded.

Purva is a Technical Content Strategist at Threatcop with an MBA in Business Analytics, specializing in SEO-driven content and technical editing across IT and digital domains, and is the author of the book From a Daughter’s Eye.
