Voice-based cyber attacks have existed for a long time and have wreaked havoc worldwide. They are a low-effort, high-reward attack that can be scaled to extreme heights with very little effort apart from finding phone number lists to call.
This is part of the reason why vishing attacks saw a 54% increase in 2022. A potentially even more aggravating factor is the recent drastic improvement in AI and deepfake technology.
Ever since vishing attacks started happening, they’ve been seen as a rather easy-to-avoid scam. In the past, they were exclusively done using basic robocall software with automated, choppy dialogue that could easily be spotted.
But the new software being used can create almost undetectable fake voice messages.
This article will go over recent developments in vishing technology and dangerous trends such as vishing-as-a-service and provide actionable tips your organization can deploy to protect itself against these attacks.
What is vishing?
Vishing refers to any phone or voice message-based cyber attack. In most cases, the attacker's goal is to convince their victims they are an authority figure, such as their boss or a bank employee.
Since it is a form of phishing, a high level of social engineering is required for this scam to succeed. For example, people aren't likely to fall for these attacks if the caller doesn't impersonate the bank they actually do business with.
But gathering enough information on the victim to be believable is only the beginning. With the advent of new AI technology, hackers have been using deepfake technology to carry out their vishing attacks.
Deepfakes are audio or video clips manipulated by AI to portray a specific person. Recent technological improvements have made these clips scarily accurate, to the point that the manipulation is imperceptible.
Vishing Is on The Rise
Vishing attacks have become a lot more popular in the last few months, and there is a concerning trend regarding targeted industries. Over half of all attacks have been targeting the customers of financial institutions and bank security systems directly.
In a recent article, a reporter explained how he managed to deceive a bank’s voice authentication by using a popular AI voice generation website. An increasing number of companies use Voice ID technology as an alternative to a password that is more convenient for customers.
Certain internal departments also use this technology to validate employee access. This utilization of Voice ID means that these AI-generated clips could be used to steal customer funds and launch even more devastating attacks by gaining access to a bank’s computer system.
Morgan Stanley customers were also victims of vishing attacks in early 2023. A scammer called multiple customers of the bank pretending to be an employee to ask them to transfer money to his account.
Social media users need to be more vigilant as well. Different social media platforms have been abuzz with a controversial deepfake involving the famous podcast host, Joe Rogan. A company created an extremely accurate video of Rogan talking with another individual and endorsing a specific product.
This manipulated content was created without Rogan’s consent, using a sophisticated AI that replicated his voice perfectly.
This incident opens the possibility of false advertising for cheap or even dangerous products by piggybacking on a celebrity’s reputation.
What is Vishing-as-a-Service?
With new AI websites and services popping up almost monthly, each extremely cheap or even free, vishing attacks can be scaled extremely efficiently. While these AI services aren't marketed towards vishing, they end up allowing a vishing-as-a-service model.
By using these AI purveyors, hackers can almost fully automate the process of these attacks with a terrifying success level. In many cases, these AI services are helpless against this type of use of their platforms since listening to the clips created by their users would be a breach of privacy.
The Implications of Vishing
Data breaches caused via vishing always have a devastating ripple effect across the targeted industry. In this case, it’s almost always finance. The banking industry is in a very vulnerable position since even a perfectly handled cyber attack can lead to customer distrust and loss of business.
Yet, voice-activated services are very convenient and often well-received by customers and employees alike. Therefore, it’s unlikely that the solution to this rising deepfake vishing issue will revolve around phasing out these features.
The problem doesn’t simply lie with the victims and their preparedness. Telecommunications providers have begun research on detection methods for deepfake audio clips. Ideally, these measures will eventually provide a first line of defense by cutting the call when a deepfake is identified.
Strengthening Cybersecurity Practices to Prevent Vishing
When used correctly, voice activation is a practical and secure way of doing business.
Best Practices for Organizations: Enhancing Voice ID Security
While voice activation is often used as one factor in multi-factor authentication, a second factor must also be in place when the voice is the main password. A simple text message or authenticator code thwarts most vishing attacks, advanced AI methods or not.
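The sketch below is an added example, not code from this article or from any vendor. It shows a phone-banking decision in which a voice match alone only triggers a request for an authenticator code (RFC 6238 TOTP). The function names and the 0.90 score threshold are assumptions, and the secret used for checking is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

VOICE_MATCH_THRESHOLD = 0.90  # assumed cut-off for the voice biometric score
STEP_SECONDS = 30             # TOTP time step


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the current step and +/- drift steps, compared in constant time."""
    ok = False
    for delta in range(-drift, drift + 1):
        expected = totp(secret, unix_time + delta * STEP_SECONDS)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def authorize_call(voice_score: float, secret: bytes, submitted_code, unix_time: int) -> str:
    """Decide a voice-channel request; a voice match alone is never sufficient."""
    if voice_score < VOICE_MATCH_THRESHOLD:
        return "deny"
    if submitted_code is None:
        return "step_up"  # voice matched: now ask for the authenticator code
    if verify_totp(secret, submitted_code, unix_time):
        return "allow"
    return "deny"  # a cloned voice without the second factor ends here


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print(authorize_call(0.99, demo_secret, None, 59))
    print(authorize_call(0.99, demo_secret, totp(demo_secret, 59), 59))
```
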
There are also several advances in biometrics and advanced voice recognition to consider. These technologies study voice patterns and sentence structure to evaluate a voice clip properly.
Since hackers usually only have a few limited recordings of the person they impersonate, they can’t build a clip convincing enough for biometric verifications.
Educating Employees: Building a Cyber-Aware Culture
Vishing-as-a-service attacks can be difficult to prevent since they are becoming so compelling. They will soon be completely impossible to detect as fake, and the only real defense at that moment will be cyber security awareness.
If employees and consumers can notice the signs of a vishing attack and follow cyber security best practices, the quality of the deepfake won't matter.
Vishing Awareness Is Crucial
While cyber security awareness is the ultimate defense mechanism against vishing attacks, telecommunication companies must continue to take action. They have the best opportunity to nip this issue in the bud by focusing on deepfake detection technologies to prevent vishing attacks at the source.
The best way to protect yourself and your organization against vishing or any cyber attack is to know how to detect the signs and learn cyber security best practices.