How Financial Institutions Can Combat AI-Deepfake Fraud

Oct 11, 2024

Imagine you’ve just landed in Las Vegas, NV for a weekend getaway with your friends. You roll up to your hotel, and the check-in line is out the door. That is normal for 2 pm on a Friday. However, you notice things look different: people are being checked in with pen and paper, which delays you for several hours before you get to what you came for, spending time at the roulette table. To your amazement, this delay is not the fault of the staff, but the result of a voice phishing (vishing) attack. Unfortunately, this scenario was a reality for MGM in September 2023. A simple but sophisticated social engineering attack targeting their IT help desk allowed an attacker to cripple a $12 billion global hotel business. In reality, this attack wasn’t uncommon. Over 85% of cyber attacks begin with social engineering, and vishing attacks specifically have increased 142%. In this blog, we’ll discuss the intricacies of vishing and how a security team can gain visibility into the next generation of social engineering targets. 

What is Vishing? 

Let’s start with the basics. Most readers are familiar with phishing in relation to email, where a hacker attempts to trick someone into clicking on a malicious link, submitting account credentials, or wiring money based on an email conversation. Voice phishing (vishing) uses the same principles as phishing: it targets users, creates a sense of urgency, and tries to trick a human into giving away sensitive information or directly handing over money. One example of vishing is a consumer being called by a hacker posing as their bank. The caller asks to confirm bank account information or sensitive wire information, making it sound routine, when in fact they are looking to steal this information and use it to initiate wire transfers without the user's knowledge. 

Vishing isn’t necessarily new. The first signs of it came in the early 2000s, when hackers began using automated phone systems to call victims to “verify” personal information. Although this wasn’t sophisticated, the sheer volume of calls made these campaigns successful. However, it required a massive amount of manual work, pre-recorded scripts, or even live conversations with users. Today, hackers can use generative AI to boost the efficiency of their campaigns by impersonating people the recipient knows, or by using basic employee information to trick IT help desks into password resets or MFA bypasses. This results in a potential breach in less than two steps from an attacker. Let’s look at this in more detail. 

How Attackers Use Vishing Against Organizations

Let’s go back to our original example of the MGM Resorts hack in 2023. This began with the hacker group Scattered Spider launching a vishing campaign against MGM systems. They used LinkedIn to identify information about MGM Resorts employees, assumed their identity, and called the MGM IT help desk requesting general IT assistance. The result of the call gave the hackers admin access to Okta and Azure tenant environments owned by MGM, ultimately leading to further information leakage and ransomware. Let’s take a look at the vishing tactics in more detail. 

  1. Reconnaissance - In line with the MITRE technique, Scattered Spider used basic research to gather victim organization, identity, and other information that could be used in their vishing attacks. This step is simple, as most of the data is public record or can be found with active scanning. 

  2. Vishing - Finding an IT help desk line is simple. Usually it is public facing or can be found with a little digging. With the right employee information, hackers can get past simple verification of employee IDs, emails, or names, if the help desk verifies callers at all. 

  3. Initial Access - After a simple conversation, the two common ways to gain access are a password reset or an MFA reset (or both). This gives the attacker straightforward access to log into the user's account, and from there to either elevate privileges or access an admin account directly. 

Believe it or not, that’s it. Two or three simple steps, with little time and effort involved, can lead to a hacker getting into an organization. The next step in this evolution is the use of deepfake technology, which allows hackers to bypass voice verification software or impersonate employees more realistically. 

How Deepfakes Will Strengthen Vishing Attempts 

Deepfakes are a type of synthetic media, typically videos, images, or audio recordings, that use AI to impersonate people. Since we’re dealing with vishing, we’ll only be referring to audio/voice deepfakes in this blog. Deepfakes are very simple to produce and cost roughly $1.30 to create. This gives hackers a cheap option with big reward potential. The problem is that most users can’t tell a deepfake from a human: less than 20% of users claim that they can accurately identify a deepfake. 

This technology is already being applied to the financial sector, where bank customers are receiving calls from hackers impersonating bank customers. Another common example is C-level fraud, where a hacker impersonates a high-ranking executive to get an employee to follow their instructions, typically to initiate a wire transfer. It’s essentially the voice equivalent of business email compromise. Generative-AI deepfake technology will continue to fuel the flame of vishing attacks, making them easier to mass-produce and allowing them to become the new frontier of social engineering attacks. 

Solutions To Combat Vishing 

Because social engineering attacks are so varied, it’s hard to pinpoint one exact way to fight them. However, the industry offers several key recommendations: 

  1. Security Awareness Training: Teaching users about vishing through training is one of the simplest ways to start building protection. However, security awareness training alone isn’t enough to consistently deter vishing. 

  2. Multi-Factor Authentication (MFA): By now, MFA has become a must-have for both compliance and security posture. Protecting sensitive account access with an extra layer of security is key. However, vishing attacks against IT help desks have allowed hackers to circumvent MFA by getting resets and bypass codes issued. 

  3. Call Verification & Safe Words: Recently the CFO of Ferrari was vished with AI. However, he was able to identify the hacker by asking a question he knew only the CEO would know the answer to. Luckily, the company got off unscathed. This method is time-consuming, though, and requires user training as well as the creation of safe words that can’t be easily learned by outsiders. 

  4. Advanced Detection: Like other forms of detection, vishing detection requires sophisticated rules, flags, and identifiers to accurately identify malicious intent. With the new threat of deepfakes, detection also requires a way to determine whether AI is present on a specific call. Running all of these checks in real time, without delaying the call or interaction, is key to a security team's analysis. However, this is a complex solution for teams to build in-house, and current security information and event management (SIEM) tools don’t provide these capabilities out of the box. 
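The rule-based side of item 4, as an added example that is not Herd Security's code: a small scorer over constructed IT help desk call records that combines the signals discussed above (weak caller verification, password and MFA reset requests, urgency pressure) with an AI-voice flag assumed to come from a separate deepfake classifier, and maps the result onto a hang-up versus alert-only policy. Field names, weights and thresholds are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class HelpDeskCall:
    call_id: str
    verification: str            # "none", "employee_id", "callback_on_file", "manager_approval" (assumed)
    requested_actions: list      # e.g. ["password_reset", "mfa_reset"]
    urgency_cues: int            # urgency phrases noted in the transcript
    ai_voice_detected: bool      # verdict from a separate deepfake classifier (assumed input)

# Verification methods an attacker can satisfy with public data (LinkedIn, directories)
WEAK_VERIFICATION = {"none": 40, "employee_id": 25}
# Requests that, once granted, hand the account to the caller (the MGM pattern)
PRIVILEGED_ACTIONS = {"password_reset": 20, "mfa_reset": 30}

def score_call(call):
    """Return (score, reasons); a higher score means more likely vishing."""
    score, reasons = 0, []
    if call.verification in WEAK_VERIFICATION:
        score += WEAK_VERIFICATION[call.verification]
        reasons.append(f"weak verification: {call.verification}")
    for action in call.requested_actions:
        if action in PRIVILEGED_ACTIONS:
            score += PRIVILEGED_ACTIONS[action]
            reasons.append(f"privileged request: {action}")
    if {"password_reset", "mfa_reset"} <= set(call.requested_actions):
        score += 15  # both resets together amount to a complete account takeover
        reasons.append("password and MFA reset requested together")
    if call.urgency_cues >= 2:
        score += 10
        reasons.append("urgency pressure")
    if call.ai_voice_detected:
        score += 30
        reasons.append("synthetic voice flagged")
    return score, reasons

def decide(call, terminate_at=90, alert_at=50):
    """Map the score onto the two policy styles: hang up, or alert-only (thresholds assumed)."""
    score, reasons = score_call(call)
    if score >= terminate_at:
        action = "terminate_and_alert"
    elif score >= alert_at:
        action = "alert"
    else:
        action = "allow"
    return {"call_id": call.call_id, "score": score, "action": action, "reasons": reasons}

# Constructed sample records (not real calls)
SAMPLE_CALLS = [
    HelpDeskCall("c1", "employee_id", ["password_reset", "mfa_reset"], 3, True),
    HelpDeskCall("c2", "callback_on_file", ["password_reset"], 0, False),
    HelpDeskCall("c3", "none", ["mfa_reset"], 1, False),
]
```

Running `decide` over the three samples yields a terminate verdict for the weakly verified, AI-flagged double reset, an alert for the unverified MFA reset, and an allow for the callback-verified password reset.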

Herd Security: Vishing Detection Engine

Herd Security helps security teams defend their organization from vishing attacks, both on mobile devices and on IT help desk VoIP systems. It uses advanced detection tools to listen for key vishing tactics as well as to detect the presence of AI on calls. Herd’s AI can detect the presence of AI on a call in 5-10 seconds with no historical context for the user. It can be deployed in a three-step process: 

  1. Integrations: Identify the key mobile devices or call systems that pose the largest vishing threat. Typically these are open phone lines that must be staffed 24/7. 

  2. Enrollment: In the case of mobile devices, getting users to download and activate the application takes under 10 seconds, with little interaction from the users. 

  3. Setting Policies: Once deployed, the product is ready for the security team’s customizations. Some teams will want full insight into calls where AI is present and will have Herd hang up calls that are deemed highly malicious. Others will just want visibility without disturbing users, correlating alerts and data into the rest of their security stack. Either way, customizations are open to any organization. 

Have You Herd? 

Herd Security is a vishing detection platform for security teams looking to defend their organizations from voice phishing attacks and AI deepfakes. Our product provides visibility into the vishing attack surface and has helped organizations in banking, finance, healthcare, hospitality, and defense. To see a demo, connect with us today.

Herd Security | Copyright© 2024