Synthetic Audio Scams a Growing Concern for Businesses

August 17, 2020

With evolving technology come evolving scams. In its White Papers section, managed-intelligence firm Nisos examines a growing trend in “The Rise of Synthetic Audio Deepfakes.” During a recent investigation, the company analyzed the synthetic audio used in a fraud attempt. The bad actors had mimicked the voice of the CEO of the firm’s client, asking an employee to dial a number and “finalize an urgent business deal.” See the write-up for some technical details of that analysis. Fortunately, the worker did not fall for the trick and alerted their legal department instead. Some companies, however, are not so lucky. The article tells us:

“The most famous use of deep fake synthetic audio technology in criminal fraud was a September 2019 incident involving a British energy company. The criminals reportedly used voice-mimicking software to imitate the British executive’s speech and trick his subordinate into sending hundreds of thousands of dollars to a secret account. The managing director of this company, believing his boss was on the phone, followed orders to wire more than $240,000 to an account in Hungary.

“Symantec security researchers reported in February on three cases of audio deepfakes used against private companies by impersonating the voice of the business’s CEO. The criminals reportedly trained machine learning engines from audio obtained on conference calls, YouTube, social media updates and even TED talks, to copy the voice patterns of company bosses. They created audio deepfakes replicating the CEO’s voice and called senior members of the finance department to ask for funds to be sent urgently. There was no additional reporting on which companies these were, whether the techniques were successful, or whether Symantec was able to obtain recordings of the deepfakes themselves.”

As synthetic manipulation gets more sophisticated, these schemes will only get more difficult to recognize. However, they have a distinct weakness—they must manage to trick a subject into taking action. Businesses can protect themselves by adopting certain best practices. If a request seems suspicious, an employee should call the supposed source on a known number to confirm it was them; the technology is not (yet) able to mimic an entire phone call. Predetermined challenge questions, using information not known to the public, are also a good idea. A word to managers and executives—employees may hesitate to “challenge” what sounds like their boss. We advise you to assure them you will not get irritated when they do so. (And follow through.)

Cynthia Murrell, August 17, 2020
