How Financial Institutions Can Combat AI-Deepfake Fraud

Nov 22, 2024

Plain and simple, voice phishing (vishing) is going to be the next frontier of social engineering attacks. In an eye-opening revelation at TechCrunch Disrupt, Wiz CEO Assaf Rappaport shared how his company—a major player in cloud security—recently became the target of a sophisticated deepfake voice scam. Employees received a voice message impersonating Rappaport, attempting to extract their credentials. This high-level impersonation used public audio from a previous event to mimic Rappaport’s voice. Employees eventually caught on due to subtle differences in tone and context, highlighting the growing challenge of identifying these advanced scams, even for well-trained teams. 

For attackers, voice has historically been a less common vector because it didn’t scale, so vishing has received less attention from security teams than email phishing. With the rising tide of deepfakes, that is changing: voice attacks are poised to become one of the most common social engineering vectors in 2025 and beyond.

What Is a Voice Scam?

Voice scams, or vishing (voice phishing), use audio to manipulate individuals into revealing sensitive information, transferring funds, or performing actions that compromise security. Unlike traditional phishing scams that arrive as emails, vishing relies on spoken interaction, often over the phone. One of the most prominent recent examples is the 2023 MGM Resorts breach, in which an attacker impersonated an employee, called the IT help desk, and gained access to an admin-level Okta account.

With recent advancements in AI technology, attackers can now simulate voices with startling accuracy, mimicking speech patterns, tone, and inflection to deceive targets. The technology behind these scams is built on deep learning, allowing attackers to create “deepfakes”—convincing imitations of someone’s voice or appearance. Deepfake voice scams can bypass traditional security measures because they exploit a basic human instinct: trust in familiar voices. By impersonating trusted figures like CEOs, colleagues, or even family members, attackers create a sense of urgency and legitimacy, making their requests hard to question in the moment.

How Voice Scams Are Impacting Various Industries

While Wiz’s encounter with a voice scam demonstrates the cybersecurity sector’s vulnerability, these attacks have been reported across many industries. 

  1. Finance: Financial institutions are increasingly targeted by voice scams that exploit high-level employees or finance teams. In one well-documented case, an attacker used AI-generated audio to impersonate the CEO of a UK-based energy company, instructing an employee to transfer $243,000 to a fraudulent account. Believing the request to be genuine, the employee complied, highlighting how even small lapses in verification can lead to costly consequences.

  2. Healthcare: Healthcare organizations handle sensitive patient information and large financial transactions, making them prime targets for deepfake scams. Attackers have used voice manipulation to impersonate senior healthcare officials, pressuring employees to release patient data or authorize unusual payments. This not only jeopardizes patient confidentiality but also puts institutions at risk of regulatory non-compliance.

  3. Government: Public sector organizations, especially those dealing with national security or emergency response, are frequent targets for voice phishing scams. In these environments, attackers can impersonate trusted voices to issue fake directives, causing operational disruptions. A recent example involved an impersonated police chief issuing unauthorized commands to subordinates, resulting in a chaotic response before the scam was uncovered.

How Organizations Can Combat Vishing

Organizations looking to protect themselves against vishing attacks can begin by implementing a multi-layered approach that combines technology, employee training, and robust verification protocols.

First, companies should invest in AI-driven tools that can detect unusual voice patterns, especially for high-risk roles and scenarios. This shouldn’t be limited to call-center tools; internal employee communications and mobile devices should also be monitored, both for direct initial-access attempts and for lateral movement after an attacker has gained a foothold.
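As a rough illustration of what such a tool does under the hood, the sketch below compares an incoming caller’s voice against an enrolled voiceprint using cosine similarity between speaker embeddings. The embedding model itself is not shown; the vector size, the similarity threshold, and the function names are illustrative assumptions, not a description of any particular product.

```python
# Minimal sketch of voiceprint comparison, assuming speaker embeddings
# (fixed-length vectors produced by some speaker-embedding model) are
# already available for the enrolled user and the incoming caller.
import numpy as np

def cosine_similarity(a: np.ndarray, b: np.ndarray) -> float:
    """Cosine similarity between two embedding vectors."""
    return float(np.dot(a, b) / (np.linalg.norm(a) * np.linalg.norm(b)))

def is_likely_impersonation(enrolled: np.ndarray,
                            incoming: np.ndarray,
                            threshold: float = 0.75) -> bool:
    """Flag the call if the incoming voice is too dissimilar from the
    enrolled voiceprint. The threshold is illustrative; a real system
    would tune it on labeled genuine and spoofed calls."""
    return cosine_similarity(enrolled, incoming) < threshold

# Illustrative usage with placeholder 192-dimensional embeddings.
rng = np.random.default_rng(0)
enrolled_voiceprint = rng.normal(size=192)   # from enrollment audio
incoming_embedding = rng.normal(size=192)    # from the live call
if is_likely_impersonation(enrolled_voiceprint, incoming_embedding):
    print("Alert: voice does not match the enrolled speaker.")
```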

Second, frequent training and awareness sessions can empower employees to recognize potential vishing attempts, such as unfamiliar voice nuances or unusual requests. Vishing isn’t always covered in standard security awareness training and may require dedicated attention.

Lastly, a robust verification process is equally crucial—employees should be encouraged to confirm any request for sensitive information or financial transactions through separate, trusted channels such as voice verification, multi-factor authentication, or other established authentication methods.
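As a loose sketch of what that verification step might look like in practice, the snippet below refuses to act on a high-value request until it has been confirmed over a second, independent channel. The dollar threshold, the request fields, and the stubbed challenge-delivery function are all illustrative assumptions, not a prescribed implementation.

```python
# Minimal sketch of out-of-band confirmation for high-risk requests,
# assuming a separate trusted channel (e.g., an authenticator app or
# a callback to a number on file) can deliver and verify a challenge.
import secrets

HIGH_RISK_THRESHOLD_USD = 10_000  # illustrative cutoff

pending_challenges: dict[str, str] = {}

def request_transfer(request_id: str, amount_usd: float) -> str:
    """Hold any high-value transfer until it is confirmed out of band."""
    if amount_usd < HIGH_RISK_THRESHOLD_USD:
        return "processed"
    code = secrets.token_hex(3)  # six-character one-time code
    pending_challenges[request_id] = code
    send_out_of_band_challenge(request_id, code)  # second channel (stub)
    return "pending verification"

def confirm_transfer(request_id: str, supplied_code: str) -> str:
    """Release the transfer only if the out-of-band code matches."""
    expected = pending_challenges.pop(request_id, None)
    if expected is not None and secrets.compare_digest(expected, supplied_code):
        return "processed"
    return "rejected"

def send_out_of_band_challenge(request_id: str, code: str) -> None:
    # Placeholder: in practice this would go to an MFA app or a callback
    # to a verified number, never back to the requesting caller.
    print(f"[challenge for {request_id}] code={code}")

# Illustrative flow: a $50,000 request is held until confirmed.
print(request_transfer("REQ-001", 50_000))  # -> "pending verification"
```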

Establishing these protocols and fostering a culture of caution can significantly reduce the risk of falling victim to voice phishing scams. Additionally, reviewing and updating these security measures frequently ensures that they remain effective against evolving threats, allowing organizations to stay one step ahead of attackers.

Adding Vishing Detection & Response

One of the first and hardest steps in building an organizational vishing defense is finding a reliable detection platform specifically designed to identify the nuances of voice-based threats, such as malicious account takeover attempts, deepfakes, and fraudulent transaction requests. Vishing attacks often mimic the voices of known executives or high-ranking employees to create a sense of urgency, making it challenging for teams to detect deception without the right tools. Many organizations struggle to find solutions that go beyond conventional voice recognition to include contextual analysis and detection of abnormal voice patterns.

A comprehensive vishing defense should incorporate advanced AI technologies that detect discrepancies in vocal tone, pace, and phrasing that may go unnoticed by the human ear. In addition to technology, equipping employees with knowledge about common vishing tactics is essential. Training sessions should encourage employees to verify unusual requests through secure, alternative communication channels, even if the voice seems familiar. Beyond employee vigilance, organizations benefit from an integrated solution that can continuously monitor for subtle yet critical signs of voice impersonation in real time.

This is where Herd Security’s vishing detection platform makes a difference. By monitoring all voice communication within an organization, Herd can identify malicious AI voice deepfakes, account takeover attempts, and C-level spoofing. Leveraging deep-learning algorithms, Herd Security’s platform analyzes voice characteristics with remarkable accuracy, detecting anomalies within 10–15 seconds of a conversation. Unlike general-purpose AI tools, Herd is crafted specifically for vishing detection, providing both high sensitivity to vocal inconsistencies and a user-friendly experience for security teams. With Herd Security, organizations gain confidence knowing they have a dedicated partner in the fight against sophisticated voice scams.

Have You Herd? 

The incident at Wiz underscores a fundamental truth: no organization, regardless of its size or focus, is immune to AI-powered attacks. As attackers become increasingly sophisticated, cybersecurity must evolve. Defenses must be as dynamic as the threats they combat, especially when it comes to AI-driven scams that exploit trusted voices to bypass security measures.

Voice phishing, or vishing, is no longer an isolated threat. As AI tools continue to advance, the ability to mimic voices with stunning realism will only improve. Companies across all industries must prepare, adapt, and prioritize voice-based security solutions as a standard part of their cybersecurity strategy. At Herd Security, we’re here to help organizations tackle these challenges head-on, ensuring that they can trust the voices they hear and safeguard their most valuable assets against an ever-evolving threat landscape. Be a part of our pilot program today.

Herd Security | Copyright© 2024
