[Root] Access is an advice column for IT professionals.

We’re Worried About Deepfake Voice Scams. How Do We Protect Employees?

Scammers can mimic someone's voice with as little as a 10-second audio sample, using AI tools to create convincing deepfake phone calls.

Brien Posey

October 4, 2024

4 Min Read
a phone call between two business people reveals that one of them is a deepfake scammer

[Root] Access is an advice column for questions about IT issues, career moves, and workplace concerns.

Submit questions anonymously using this form.

Dear [Root] Access,

Deepfake technology has my team and me worried about the new risks we might face. Even though I’ve known about the deepfake threat for some time, it wasn’t until I read about a recent Ferrari incident that I started to take it seriously. 

With criminals using deepfake tools to create convincing but fraudulent messages and calls, we’re unsure about the best practices for verifying identities and securing our communications. What steps can we take to protect our employees from falling victim to such sophisticated impersonation attempts? 

—Confronting Deepfake Danger 

Dear Confronting Deepfake Danger,

Every organization needs a plan to address deepfake phone scams. It’s becoming alarmingly easy for scammers to impersonate someone over the phone by faking their voice. 

With just a short audio sample, sometimes as short as 10 seconds, scammers can use AI tools to quickly build a model of someone’s voice and mimic it in real time. This puts anyone who has ever had their voice captured, whether during a speech or for a YouTube video, at risk of having their voice cloned by AI. 

Although audio impersonation scams may seem far-fetched, they are very real. The Ferrari incident is one high-profile example, but scammers often target everyday people. Just a few months ago, for instance, an elderly relative of mine received a call from someone pretending to be her grandson. Thankfully, the scammer made some blunders, and she quickly realized it was a fraud. 

Related:Senator Lured Into Deepfake Call With ‘Malign Actor’ Posing as Ukrainian

Interestingly, a phone scammer doesn’t need to impersonate a specific person to hide their identity. There are tools designed originally for video editing that can make the user’s voice sound totally different. A voiceover artist, for example, might use such a tool to give themselves distinct accents or disguise their age and gender, making themselves sound like a 6-year-old girl or an older man.

chart with tips for spotting deepfake calls

The bottom line is that scammers have access to lots of sophisticated tools.

So, how can you ensure employees at your company won't fall victim to voice impersonation scams?

The first step is education. Make sure your employees know about these types of scams and just how easily a phone scammer can impersonate someone they know. 

Inform employees that they cannot trust Caller ID. Way back in 2009, I published a book about Office Communications Server, a predecessor to Microsoft Teams. One of the topics I covered was how to program telephone switches, which included programming the Caller ID. In other words, even 15 years ago (and probably long before that), it was possible to make Caller ID display any information you wanted. Given how much technology has advanced since then, consider how easy Caller ID spoofing must be today. 

Related:Fortifying Your Organization Against AI-Driven Injection Attacks

Another step is to create a policy prohibiting employees from sharing sensitive information over the phone. Instead, mandate that employees communicate such information through a trusted, encrypted channel.

In addition, organizations can come up with a code word or phrase to verify caller identity. A scammer outside the company is unlikely to know this code or phrase, particularly if you change it regularly.

One of the most effective strategies against voice impersonation scams – one I encouraged my elderly relative – is to insist on calling the person back. Let’s consider how this could work in a corporate environment. Imagine an employee receiving a call from someone claiming to be from HR, asking them to confirm some personal information. The Caller ID appears correct, and the employee recognizes the voice, so they have no reason to suspect a scam. However, as soon as the caller requests personal information, the employee should follow a protocol of calling back using the phone number listed in the corporate directory. That way, they can confirm they are genuinely speaking to HR and not a scammer posing as an HR representative.

Related:AI Cyber Threats Force 75% of Firms to Change Security Strategies

infographic with tips on how to protect staff from deepfake scammers

Learn more about social engineering threats:

Click here to submit a question to the [Root] Access advice column.

About the Author

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.

http://brienposey.com/

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like