How Financial Institutions Can Combat AI-Deepfake Fraud
Oct 19, 2024
More often than not, hackers are being invited into organizations rather than forcing their way in. I say this because social engineering tactics are the most common first step to a breach. Whether phishing, vishing, smishing, or fishing (just kidding), the myriad techniques to track and defend against are cumbersome for security professionals.
Couple this with the evolution of generative AI, which is fanning the flames of social engineering by allowing even elementary hackers to run sophisticated, multi-step campaigns against organizations and consumers. Existing phishing, vishing, and smishing campaigns are being augmented with deepfake technology, powering new forms of attack involving videos, chatbots, and mass texts. With phishing well documented and known to vendors and security teams, the next generation of phishing emails seems to be well looked after. Vishing, on the other hand, is less documented, yet it will become one of the top social engineering attack methods against organizations and consumers over the next few years. This is reflected in the numbers: deepfake fraud is projected to be a $10 trillion problem by 2025, fraud attacks against IT help desks have risen 160% in the last year (just ask MGM), and there has been a 700% increase in vishing attacks against financial institutions.
Since vishing is a massive problem and will continue to grow, we’re here to dissect the tactics & techniques security teams can use to identify, analyze, and respond to common vishing attacks.
What Is Vishing?
Voice phishing (vishing) is a form of social engineering that deceives users into providing sensitive information about themselves or their organization. Unlike the more commonly known attack, phishing, vishing relies on calling a user, establishing a sense of trust and urgency, and stealing the person's information. This can include bank account information, wire instructions, social security numbers, credit card information, or Venmo transfers.
Hackers can also manipulate a user into handing over information that leads to a wider attack on an organization. A common tactic is to steal user login information, account passwords, or other sensitive organizational information. Now that we’ve looked at vishing at a high level, we’ll dive deeper into the common attack vectors against both individuals and organizations.
Vishing With Deepfakes
The term deepfake refers to synthetic media in which a person’s likeness (such as their face, voice, or actions) is digitally manipulated or entirely generated using artificial intelligence (AI) and machine learning (ML) techniques. This is made accessible by tools like ElevenLabs, which can synthesize a person’s voice from one or two sample recordings. A simple tool like this can be used to impersonate specific people and generate highly sophisticated vishing attacks. Some common examples include:
Elder Fraud—Hackers can impersonate family members and trick elders into believing a relative is being held for ransom. Elders are a primary target as they’re less likely to be suspicious of cybercriminals' capabilities.
Wire Fraud—Cybercriminals can hack bank accounts and initiate wire transfers. Many community banks still use phone calls to confirm larger transactions, making this an easy target for hackers.
C-Level Impersonation—Executives typically have content on the internet that allows hackers to gather information for impersonation. A recent example occurred with Ferrari executives, when a hacker impersonated the CEO by calling the CFO and attempting to initiate a large wire transfer.
With these voice cloning capabilities in the hands of even elementary hackers, voice cloning is becoming a primary danger to financial institutions. Recently in the Wall Street Journal, CIO of New York Life, Bill Cassidy, mentioned that “financial institutions are used to fraudulent calls regularly coming into their support teams, but given the proliferation of AI, these models are becoming more sophisticated and can now imitate the actual voice patterns of an individual.”
Pre-Existing Vishing Defense
As we discussed previously, financial institutions face unique challenges regarding fraud. Plus, depending on the State, banks are typically on the hook if customers are defrauded. The current defense mechanisms for voice fraud protection typically rely on common fraud & cybersecurity products to protect systems. Most commonly we see:
Multi Factor Authentication (MFA)
How it helps: MFA adds an extra layer of security by requiring more than just a password to access sensitive accounts or perform high-risk transactions. This prevents fraudsters from gaining access even if they’ve obtained a customer’s login credentials through a vishing attack.
Limitations: Attackers can still manipulate customers to reveal the second factor (e.g., a one-time code sent via SMS) through social engineering.
Fraud Detection and Monitoring Systems
Real-time fraud detection: Banks deploy AI-based monitoring systems that track transaction behaviors and identify anomalies. These systems can flag suspicious activity, such as unusually large wire transfers, and automatically block or review the transaction before completion.
Behavioral biometrics: Some banks use behavioral biometrics to analyze patterns in how a customer interacts with their phone or computer, providing an additional layer of fraud detection.
Limitations: While these systems can detect suspicious patterns, they may not always catch fraud during a real-time phone call.
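To make the "flag unusually large wire transfers and review or block them before completion" behaviour concrete, here is an added example (not Herd Security's code, nor any bank's production system). It builds a per-customer baseline from past wire amounts with a median/MAD robust z-score, routes outliers to review or block, and enforces a hard limit. Customer ids, amounts, thresholds and weights are all constructed for illustration.

```python
"""Added example: a transaction-side wire-transfer screen of the kind described
above. It scores a new wire against the customer's own history and decides
whether to allow it, hold it for review, or block it. All data is constructed."""
from dataclasses import dataclass
from statistics import median

# Constructed sample history: past outgoing wire amounts per customer (USD).
HISTORY = {
    "cust-001": [1200.0, 950.0, 1300.0, 1100.0, 1250.0, 1000.0],
    "cust-002": [50000.0, 48000.0, 52000.0, 47500.0, 51000.0],
    "cust-003": [300.0],  # thin history: no reliable baseline yet
}


@dataclass
class Decision:
    action: str    # "allow", "review" or "block"
    reason: str
    score: float   # robust z-score of the amount against the customer baseline


def robust_z(amount, history):
    """Median/MAD z-score. Unlike mean/stdev, a few large past transfers
    do not inflate the baseline and hide a new outlier."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Identical past amounts would divide by zero; use a small floor.
        mad = max(abs(med) * 0.05, 1.0)
    return 0.6745 * (amount - med) / mad


def screen_wire(customer_id, amount, history=HISTORY, min_history=5,
                review_z=3.5, block_z=10.0, hard_limit=100_000.0):
    """Decide what to do with a new outgoing wire before it completes."""
    past = history.get(customer_id, [])
    if amount >= hard_limit:
        return Decision("block", "amount exceeds hard limit; manual release required",
                        float("inf"))
    if len(past) < min_history:
        # Too little history to trust a baseline: a human looks at it.
        return Decision("review", "insufficient history for a baseline", float("nan"))
    z = robust_z(amount, past)
    if z >= block_z:
        return Decision("block", f"amount is {z:.1f} robust-sigma above baseline", z)
    if z >= review_z:
        return Decision("review", f"amount is {z:.1f} robust-sigma above baseline", z)
    return Decision("allow", "within customer baseline", z)


if __name__ == "__main__":
    for cid, amt in [("cust-001", 1300.0), ("cust-001", 2200.0),
                     ("cust-001", 25000.0), ("cust-002", 55000.0),
                     ("cust-003", 500.0), ("cust-001", 150000.0)]:
        d = screen_wire(cid, amt)
        print(f"{cid} ${amt:>10,.2f} -> {d.action:6} ({d.reason})")
```

Note how this illustrates the limitation stated above: the screen only sees the transaction. A transfer of $1,300 from cust-001 sits inside that customer's baseline and is allowed, even if it was initiated under pressure from a fraudulent call, because nothing here looks at the call itself.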
Voice Biometrics
Voice authentication: Banks are increasingly using voice biometrics to authenticate customers. This technology analyzes the unique characteristics of a person’s voice, making it more difficult for fraudsters to impersonate them over the phone.
Limitations: While voice biometrics improve security, advanced fraudsters are beginning to leverage deepfake technology to mimic the voices of legitimate individuals, complicating detection efforts.
Customer Education and Awareness Campaigns
Awareness programs: Many banks run customer awareness campaigns that inform clients about the dangers of vishing and other forms of fraud. They encourage customers to never share personal information over the phone unless they are certain of the caller's identity.
Limitations: Not all customers heed warnings, and some might still fall victim due to the highly manipulative nature of these attacks.
Although these tactics can be helpful, many have limitations and sidestep the question of whether they are a true solution for detecting voice-based fraud attacks.
Even the UK-based Starling Bank is warning many of its customers that fraudsters are capable of using AI to replicate a person’s voice from just three seconds of audio. Lisa Grahame, Starling Bank’s Chief Information Security Officer, mentioned that regularly posted content containing recordings of people’s voices is making them even more vulnerable to fraud, and has suggested agreeing “safe words” with family and friends to help protect them.
Similarly, deepfake videos have become more sophisticated, allowing attackers to bypass video checks designed to ensure a real person matches their ID photo. We’ve seen these concerns in social media, elections, and the public sector, but now banks and financial services providers are the main target for fraudsters. Many financial leaders are working to safeguard their assets, including Cassidy, who is working diligently to put more guardrails in place to prepare for the newest wave of generative AI attacks. Many large institutions are working with startups, such as Herd Security, to combat deepfakes. Deepfake technologies pose a serious risk because once an attacker successfully impersonates a customer, they can move all the funds from that customer’s account into wallets or accounts under their control.
The New Era of Vishing Defense
Now that we’ve talked about the common tactics that currently exist, let’s talk about a more ideal state for defending against vishing. We have learned that the current tactics offer solutions, but don’t necessarily go directly at the problem. With this in mind, how can banks leverage the latest generation of voice security technology to begin defending against the next level of threats?
Voice Authentication Systems
Although these aren’t new solutions, many new technologies are arising that allow for simple voice authentication of customers. This is typically used with call center technology and allows for quick user verification before talking through deeper account issues. Incumbents like Pindrop have been involved with this technology for over a decade, but only recently began to focus on deepfakes. Other startups, such as Illuma Labs, have won awards for the ease of use of their call center authentication.
Voice Based Security Training
New security awareness platforms have added vishing training to their portfolio, allowing users to gain a better understanding of the types of voice attacks that exist and hopefully recognize them before they take shape. Platforms such as KnowBe4 have been at the forefront of these types of educational platforms, and have recently made the move into teaching about deepfake technology.
Voice Detection Platforms
There aren’t many dedicated security detection platforms that specialize in voice recognition. Especially with the rising threat of deepfakes, only some of the latest technology can keep up with the new attack vectors. Companies like Herd Security are making it easy for banks to protect their customers through voice defense that sits on mobile phones. Instead of defending only at the call center layer, Herd can sit on customer mobile devices through its app or even integrate into pre-existing bank applications. This way, customers are alerted when potential scams are present, thanks to Herd’s ability to detect the presence of AI on a call within 10 seconds of conversation, with no historical context of the user’s voice. This ability, coupled with threat intelligence feeds and other security alert systems, allows users to avoid scams and security & fraud teams to be alerted if a user is in danger of one.
Building Herd Immunity Against Vishing
As we’ve looked at the other solutions that can be used, we’ve dug into how most beat around the bush and don’t go directly at attacking vishing. Voice Detection Platforms, like Herd Security, can be the most effective way to begin defending against vishing attacks. Let’s dig into how it works.
Deployment—Many of our banking customers focus on distributing our mobile application to their customers for free. This is done either by offering our mobile app (via Android or iOS) or by integrating our technology into a pre-existing bank application.
Detection—Our model detects the presence of AI on live calls and correlates the data with security data to identify a credible threat of vishing. This includes geolocation, spam caller ID, threat intelligence, aggressive conversation flags, and more.
Alerts—When Herd detects a high level of danger, a user is alerted directly on mobile. Fraud teams can also see these alerts in the Herd dashboard and use the data to investigate further.
With this workflow, users and banks share a joint responsibility to stop fraud, allowing for the building of herd immunity through collective intelligence and awareness.
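The detection and alerting steps above describe a correlation problem: a synthetic-voice score on its own is one signal, and it is combined with geolocation, spam caller ID, threat intelligence and conversation flags before anyone is alerted. The following is an added example of such a correlator, written for this page; it is not Herd Security's model or code. The signal names, weights, risk thresholds, the minimum-audio rule and the sample calls are all constructed assumptions, and the synthetic-voice score is taken as given (the detector itself is out of scope here).

```python
"""Added example: correlate a synthetic-voice detector score with the other
call signals named on the page into one risk level, and produce an alert
record for the user and for the fraud dashboard. All values are constructed."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CallSignals:
    call_id: str
    ai_voice_score: float      # detector output in 0..1 (1 = certainly synthetic)
    seconds_analyzed: float    # how much audio the score is based on
    caller_country: str
    customer_country: str
    spam_caller_id: bool       # number flagged by a spam caller-ID service
    threat_intel_hit: bool     # number seen in a known-vishing feed
    aggressive_language: bool  # urgency / pressure flagged in the transcript


@dataclass
class Alert:
    call_id: str
    level: str                 # "low", "medium" or "high"
    score: float
    reasons: List[str] = field(default_factory=list)
    notify_user: bool = False
    notify_fraud_team: bool = False


# Constructed weights: the voice signal dominates, threat intel is next.
WEIGHTS = {"ai_voice": 50.0, "geo_mismatch": 15.0, "spam_caller_id": 15.0,
           "threat_intel": 25.0, "aggressive": 15.0}
MIN_AUDIO_SECONDS = 3.0   # below this the voice score is too unstable to count
HIGH, MEDIUM = 60.0, 30.0


def score_call(s: CallSignals) -> Alert:
    """Combine the signals into a risk level; re-run as more audio arrives."""
    score, reasons = 0.0, []
    if s.seconds_analyzed >= MIN_AUDIO_SECONDS and s.ai_voice_score >= 0.5:
        score += WEIGHTS["ai_voice"] * s.ai_voice_score
        reasons.append(f"synthetic voice likelihood {s.ai_voice_score:.2f}")
    if s.caller_country != s.customer_country:
        score += WEIGHTS["geo_mismatch"]
        reasons.append(f"caller in {s.caller_country}, customer in {s.customer_country}")
    if s.spam_caller_id:
        score += WEIGHTS["spam_caller_id"]
        reasons.append("number flagged as spam caller ID")
    if s.threat_intel_hit:
        score += WEIGHTS["threat_intel"]
        reasons.append("number present in vishing threat-intel feed")
    if s.aggressive_language:
        score += WEIGHTS["aggressive"]
        reasons.append("urgency or pressure language in conversation")
    level = "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"
    # High risk interrupts the user on the device; anything above low is
    # surfaced to the fraud team so they can investigate the pattern.
    return Alert(s.call_id, level, score, reasons,
                 notify_user=(level == "high"),
                 notify_fraud_team=(level != "low"))


# Constructed sample calls.
SAMPLE_CALLS = [
    CallSignals("call-A", 0.92, 8.0, "NG", "US", True, False, True),   # cloned voice + pressure
    CallSignals("call-B", 0.10, 12.0, "US", "US", False, False, False),  # ordinary call
    CallSignals("call-C", 0.95, 1.5, "RO", "US", False, True, False),  # too little audio yet
    CallSignals("call-D", 0.95, 6.0, "RO", "US", False, True, False),  # same call, 6 s later
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        a = score_call(call)
        print(f"{a.call_id}: {a.level:6} score={a.score:5.1f} "
              f"user={a.notify_user} fraud_team={a.notify_fraud_team} | {'; '.join(a.reasons)}")
```

call-C and call-D show the same call scored twice: with only 1.5 seconds of audio the voice score is ignored and the threat-intel and geolocation signals alone put it at medium (fraud team sees it, the user is not interrupted yet); once enough audio has been analyzed the voice score counts and it becomes a high-risk alert on the device.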
Have You Herd?
To counter sophisticated voice-based attacks against their customers, banks must invest in advanced generative-AI detection platforms. This provides visibility across their customer base, helping to counter multiple forms of fraud including impersonation scams, elder fraud, deepfakes, and executive replication. See Herd’s technology first hand and be a part of the early pilot programs today.