Just when you think you’re reasonably on top of all the cyberthreats out there, new ones emerge. Say hello to voice cloning. Or don’t say hello to it because you don’t want a scammer to have your voice.
Voice cloning made headlines recently when scammers called a frantic mom saying they had kidnapped her daughter and demanded $1 million in ransom. They “put her on the phone” and the mother was certain it was her daughter on the other end. It wasn’t her daughter, but it was her daughter’s voice.
The incident was described in a CNN report which illustrates the wider threat voice cloning poses: Sometimes, the caller reaches out to grandparents and says their grandchild has been in an accident and needs money. Fake kidnappers have used generic recordings of people screaming.
But federal officials warn such schemes are getting more sophisticated, and that some recent ones have one thing in common: cloned voices. The growth of cheap, accessible artificial intelligence (AI) programs has allowed con artists to clone voices and create snippets of dialogue that sound like their purported captives.
The next big threat – in reverse
This same type of voice cloning can be used to breach the perimeter of cyber defenses. “This really is the next big thing – in reverse,” explains Jamie Johnson, a cybersecurity expert in Chicago. Johnson says that voice technology was going to add an extra layer of security to systems, but now that inexpensive AI is available, hackers can weaponize voice.
“Voice cloning is now so authentic, if your boss called you and asked for some passwords or access, would the average employee risk their job by refusing?” Johnson asks. The best cyber defenses could succumb if someone unwittingly gives out a password to a caller who sounds exactly like their supervisor.
Johnson also warns that because the threat from voice cloning is so new, many cybersecurity experts simply aren’t equipped to handle it.
The emerging technology is opening cybercrime to a whole new cohort of criminals that wouldn’t typically have operated in the space. “A criminal with few computer skills can now use AI to create malicious code, spread spam, or write phishing emails. This is already happening,” Johnson warns.
Johnson recommends a few best practices for MSPs and other security specialists:
- Be aware of the threat. The first step is to be aware of the threat of voice cloning. Scammers are using this technology to impersonate people you know, such as your boss, your doctor, or your bank, to trick you into giving them money or sensitive information. “This is where user training goes a long way. A lot of people simply aren’t aware this threat exists,” Johnson explains.
- Be suspicious of unexpected calls or emails. MSPs need to train clients to be suspicious whenever someone receives a call or email from a person they don’t know, or from a person they know who is asking for something unusual, and not to give out any personal or financial information unless they are sure of who they are talking to. “If your boss never calls you, but suddenly, out of the blue, he or she calls and asks you for access or passwords or to transfer funds, red flags should go up,” he says.
- Social media awareness. Employees need to be aware that when they post an audio clip of themselves sampling sushi or cheering on their favorite sports team, their voice can be cloned and used against them, Johnson warns. “It only takes a short, short snippet of audio for a cybercriminal to clone it, maybe 10 to 15 seconds.”
What Can MSPs Do?
“MSPs are on the front lines of this emerging threat, so raising awareness is probably the top task,” Johnson says. Beyond awareness, here are some other tips Johnson offers to MSPs trying to get a handle on this new threat:
- Use a secure phone system. A secure phone system will have features that make it more difficult for attackers to eavesdrop on calls or intercept data. “Or, better yet, don’t use the phone if you don’t have to. I don’t like to encourage people living and working in fear, but until we get a better handle on this threat, texting and emailing or work apps like Slack can eliminate the voice threat,” Johnson says.
- Use a firewall. A firewall can help to block unauthorized access to networks and devices. “This is cybersecurity 101. I would hope an MSP would be doing this regardless,” he adds.
- Educate employees about security best practices. Employees should be aware of the risks that voice cloning poses. “Unfortunately, voice cloning is here, and it is a real threat, so cybersecurity specialists will have to adapt accordingly,” Johnson advises.
Photo: ArtemisDiana / Shutterstock
These tactics have been used for quite some time, but recently, I believe, they have become far more alarming. With easily available tools like 11 Labs, the ability to voice clone is now essentially ‘mainstream’. Complex network and phone infiltrations are no longer necessary. One only needs about 2 minutes of someone speaking to be able to replicate an entire vocabulary. So, think twice before you upload those videos to social media!
Alarming to say the least, but seems it’s always been around. Great article!
Great info to share and broaden the scope of what is out there.
Great article. There are always new threats that we have to adapt to.
Vishing alone used to trick people. Now with voice cloning, that will trick even more people.
This is crazy
I think this will be very hard to defend against. Employee training will only go so far. Even with training some will fall for phishing emails. How many more will fall for a phishing voice call, or better yet, a combination of the two where a phishing email is followed up shortly by a voice call seemingly from the VIP. Spoofing CallerID is trivial.
The only defense I see is dual controls on financial transactions and maybe some sort of one time authentication codes.
Great article!
Glad to see that using Slack may help reduce the threat of this exploit.
Thank you for sharing this insight into another new threat to be on the lookout for.
Incredibly useful article, but pretty scary at the same time.
We need to keep on training and spread awareness that this is a very real threat, so that employees stick to the identity verification