[BreachExchange] AI Could Escalate New Type Of Voice Phishing Cyber Attacks
Destry Winant
destry at riskbasedsecurity.com
Mon Jul 15 09:59:09 EDT 2019
https://www.cshub.com/attacks/articles/ai-could-escalate-new-type-of-voice-phishing-cyber-attacks
Earlier this week, the Israel National Cyber Directorate (INCD) issued
a warning of a new type of cyber-attack that leverages artificial
intelligence technology to impersonate senior enterprise executives.
The method instructs company employees to perform transactions
including money transfers and other malicious activity on the network.
There are recent reports of this type of cyber-attack received at the
operational center of the INCD. While business email compromise (BEC)
types of fraud oftentimes use social engineering methods for a more
effective attack, this new method escalates the attack type by using
AI-based software, which makes voice phishing calls to senior
executives.
“Experts have certainly been warning for the past two or three years
about the dangerous side of artificial intelligence, namely that agile
cyber criminals could use it to extend their reach significantly,”
said CNBC Cyber Security Reporter Kate Fazzini.
The attacking software learns to mimic the voice of a person defined
for it and makes a conversation with an employee on behalf of the CEO.
It was also reported that today there are programs that, after
listening to 20 minutes to a particular voice, can speak everything
that the user types in that learned voice.
According to INCD, enterprises that fall prey to such fraud, could
suffer high economic damage. In its announcement, the INCD also issued
suggestions for taking precautions and raising awareness among
organizations — such as training employees, paying attention to
deviations in organizational processes, verifying instructions and
using technological means to prevent misuse of email.
Fazzini adds, “Using voice impersonations to mimic executives on the
phone has obvious implications for wire fraud schemes, which rely on a
criminal’s ability to convince an employee that his or her top
executive is sending instructions for a wire. Most law enforcement
agencies recommend ‘voice verifying’ these wires to ensure they are
coming from a legitimate source. Criminals have already demonstrated
they can spoof and intercept calls, and adding the executive ‘voice’
may override even these safeguards.”
More information about the BreachExchange
mailing list