How Financial Institutions Can Combat AI-Deepfake Fraud

Oct 19, 2024

Stop and think: when was the last time someone told you not to click on an email link, or you got a text from a weird number? If you’ve experienced any of these, then you know what a social engineering attack is: an attempt to trick you into giving away sensitive information, whether about yourself or the organization you work for. The most common avenue where people are attacked is phishing, an attempt via email to get a user to provide sensitive information to an attacker. However, as security is changing with the rise of generative AI, a less common social engineering tactic known as voice phishing (vishing) is becoming more widely adopted. As a cheaper and simpler attack vector than phishing, hackers have begun to lean on it to pull off sophisticated attacks against banks, hospitals, hotel chains, and tech businesses. In this blog, we’ll overview the differences between vishing and phishing, as well as dig into how to defend against vishing.

What is Phishing? 

The technical definition of phishing is a form of social engineering attack in which an attacker poses as a trusted entity to trick individuals into divulging sensitive information. This is commonly done via email but can be extended to SMS, instant messaging, and social media messages. The most common tactic is for a hacker to send a mass amount of emails into an organization while posing as a specific part of the company, typically accounting or finance, and to create a sense of urgency for the user: “Open this to review/confirm your monthly bonus.”

What is Vishing? 

The term vishing comes from the combination of the words voice and phishing, showing that it’s a branch of phishing that has formed mostly over the last 5 years. In the MITRE ATT&CK framework, vishing isn’t even mentioned by name; only the term voice phishing appears, as a subset of phishing. Even so, this doesn’t diminish how critical vishing is as an attack vector. Vishing has become a more common social engineering tactic as hackers realize how easy it is to infiltrate an organization by going after employees and the IT help desk. The most common real-world example is the 2023 MGM cyber attack, in which the hacker group Scattered Spider vished IT help desks while posing as employees. This led to initial access with admin privileges in Okta, and the rest is history.

Unlike phishing, vishing has been affected more by generative AI technology via deepfakes, particularly with hackers being able to impersonate executives and high-ranking business officials with less than 3 seconds of audio. This has caused attacks to be aimed more directly at financial departments and employees, where hackers leverage fear of their bosses to push for sensitive information or the details needed for wire fraud.

Key Differences Between Vishing and Phishing

Although both of these attacks fall under social engineering, as well as the same category of the MITRE ATT&CK framework, they’re different in the way they’re delivered to users. The principles of creating urgency, tricking a user, and falsifying information are the same in both cases. However, phishing is done indirectly, through words, fake websites, and attachments, which require a hacker to build tools and visuals to fool an individual. For example, a user can receive an email from a fake Ticketmaster account saying that they need to verify their account information or risk losing the tickets to a Taylor Swift concert that they just bought. With that urgency in mind, the user clicks through to the page and enters their username and password, unknowingly handing them to a fake Ticketmaster webpage. This allows the hacker to steal the credentials and access tickets, credit cards, and other personal information.

This setup requires reconnaissance on the user beforehand. Knowing that they have a Ticketmaster account, knowing their email address, and knowing that they recently bought tickets helps personalize the email and makes the attack more realistic. With the need to set up a fake domain, website page, etc., this attack has more steps to complete, making it cost more money and time for hackers.

With vishing, this is different, as it requires the hacker to gather information and impersonate a user, bank, or institution in order to trick a user. This requires less creation, as hackers build a facade through what they say rather than what they make. For example, tricking a user into giving up bank account information likely starts with a simple SMS text saying “Suspicious Transaction, you’ll be contacted by your bank shortly.” This gives the impression that something very real is happening and that the bank is following up to help the person. It is followed by a call, which can now use AI to impersonate a trusted voice (like your known banker) or at least sound like someone from your area (maybe with a regional US accent). From there, they will ask you to verify account information before unlocking the account, making it seem like a mandatory, urgent task. More often than not, the user complies.

These steps focus more on actions, impersonation, and information than on creating fake emails, malicious attachments, and login sites, making vishing more accessible to non-technical hackers.

How To Defend Your Organization From Vishing and Phishing

Organizations of all sizes are affected by both phishing and vishing attacks. There are many ways to create a multi-layered approach to stop social engineering. Let’s start by looking at phishing.

  1. Email Security - Having an email security or gateway platform is an efficient way to get started against phishing. Although not every phish will be caught, it’s key to understand that this is the first layer of defense in a holistic strategy. New-age solutions like Sublime Security give organizations cheap and extensive flexibility with email detections.

  2. Multi-Factor Authentication (MFA) - More of a failsafe than a stop to phishing, but this ensures that if account credentials are stolen, there’s an added layer of protection before anyone can authenticate into corporate systems. MFA tools such as Duo Security have become so popular that they see business and consumer use across a myriad of industries.

  3. Endpoint Security - As emails can lead to malicious attachments being downloaded onto endpoints, having a good detection system present is key. The industry favorite, and my personal one, is CrowdStrike, despite the recent error that caused the Microsoft shutdown.

These systems only offer a layered approach and still leave room for error, as no detection system is perfect. Even with these solutions, people are still able to break through organizational and personal defenses. With vishing, however, it’s even less straightforward.

Outside of multi-factor authentication, there are no direct tools to detect or defend against voice phishing (vishing), making it a much greater challenge than phishing. Coupled with the rise of deepfakes, security teams can only set up barriers after initial breaches have occurred. Let’s look at common solutions that could work for vishing.

  1. Multi-Factor Authentication (MFA) - Similarly to phishing, it provides another layer of protection but doesn’t stop credentials from being stolen. Vishing can be used to impersonate employees or trusted organizations and trick IT help desk members or consumers into mistakenly resetting MFA credentials for hackers.

  2. Security Awareness Training (SAT) - I think we all know that if we go straight to awareness training as the solution, there’s a problem. SAT should be a supplement to any good detection platform, not the standard.

What To Do About Vishing? 

Vishing requires less technical expertise, costs less (deepfakes are cheap to create), and takes fewer steps to execute than phishing. With the rise of generative tools, it costs less than $2 to create an effective deepfake impersonation. Even without AI, it is still extremely dangerous, as gathering public information and impersonating trusted sources is easier than ever, requiring only a simple phone call to potentially steal account credentials, reset passwords, reset MFA devices, or take bank account information. There’s a true need for a voice-based detection platform that addresses vishing at the source.

Have You Herd? 

Herd Security is a first-of-its-kind vishing detection platform that focuses on protecting users at the source of any vishing attack. With the ability to integrate directly with mobile devices, Herd gives customers the ease and flexibility to roll out the system quickly and provides real-time analysis at the source. In addition to using threat intelligence, searching for conversation flags, and other key malicious identifiers, Herd can detect the presence of AI on any call within 10 seconds, without any historical data on a person’s individual identity, which keeps it from using or storing private user information.
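As an added illustration (not Herd’s code or any vendor’s detection logic), here is a minimal “conversation flag” scorer of the kind the step above describes, run over constructed transcripts modelled on the bank pretext and the help-desk MFA-reset pretext discussed earlier in this post. The categories, patterns, weights, escalation threshold and the callback policy are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Illustrative conversation-flag categories; patterns and weights are assumptions.
FLAG_PATTERNS = {
    "urgency": (2, [
        r"\bimmediately\b", r"\bright now\b", r"\bwithin the hour\b",
        r"\bsuspicious transaction\b", r"\b(locked|unlock)\b",
    ]),
    "credential_request": (3, [
        r"\bverify (your )?account", r"\bpassword\b",
        r"\bone[- ]time (code|passcode)\b",
    ]),
    "mfa_reset": (4, [
        r"\breset (my |the )?mfa\b", r"\bnew (phone|device|authenticator)\b",
        r"\bre-?enrol",
    ]),
    "authority_claim": (2, [
        r"\bthis is (your|the) (bank|ceo|cfo|it department)\b",
        r"\bfraud department\b",
    ]),
}
ESCALATE_AT = 5  # assumed threshold for routing a call to manual review


@dataclass
class CallAssessment:
    score: int
    hits: dict      # category -> matched phrases, kept for the analyst
    verdict: str    # "normal" or "escalate"


def assess_transcript(text: str) -> CallAssessment:
    """Score a transcript, counting each triggered category once."""
    lowered = text.lower()
    hits, score = {}, 0
    for category, (weight, patterns) in FLAG_PATTERNS.items():
        found = [m.group(0) for p in patterns for m in re.finditer(p, lowered)]
        if found:
            hits[category] = found
            score += weight
    return CallAssessment(score, hits, "escalate" if score >= ESCALATE_AT else "normal")


def requires_callback(a: CallAssessment) -> bool:
    """Assumed help-desk policy: credential or MFA-reset requests made on an
    inbound call are only completed after calling back the number on record."""
    return bool({"credential_request", "mfa_reset"} & set(a.hits))


# Constructed transcripts modelled on the pretexts described in this post.
BANK_CALL = ("Hi, this is the fraud department at your bank. We flagged a suspicious "
             "transaction and need you to verify your account number and the one-time "
             "code we just sent immediately so we can unlock the account.")
HELPDESK_CALL = ("Hey, it's Sam from finance, I got a new phone and can't log in. "
                 "Can you reset my MFA right now? My boss needs this within the hour.")
ROUTINE_CALL = "Hi, just confirming our Thursday meeting, does 2pm still work for you?"
```

Calling `assess_transcript` on the two pretext transcripts scores them 7 and 6 (both “escalate”, both requiring a callback), while the routine call scores 0.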

See it for yourself and be a part of our pilot program. 

Herd Security | Copyright© 2024
