[Root] Access is an advice column for IT professionals.

We’re Worried About Deepfake Voice Scams. How Do We Protect Employees?

Scammers can mimic someone's voice with as little as a 10-second audio sample, using AI tools to create convincing deepfake phone calls.

Brien Posey

October 4, 2024


[Root] Access is ITPro Today’s dedicated advice column for your questions about IT issues, career decisions, and workplace concerns. Submit your questions here. Note that questions may be edited for publication.

Dear [Root] Access,

Deepfake technology has my team and me worried about the new risks we might face. Even though I’ve known about the deepfake threat for some time, it wasn’t until I read about a recent Ferrari incident that I started to take it seriously. 

With criminals using deepfake tools to create convincing but fraudulent messages and calls, we’re unsure about the best practices for verifying identities and securing our communications. What steps can we take to protect our employees from falling victim to such sophisticated impersonation attempts? 

—Confronting Deepfake Danger 

Dear Confronting Deepfake Danger,

Every organization needs a plan to address deepfake phone scams. It’s becoming alarmingly easy for scammers to impersonate someone over the phone by faking their voice. 

With just a short audio sample, sometimes as short as 10 seconds, scammers can use AI tools to quickly build a model of someone’s voice and mimic it in real time. This puts anyone who has ever had their voice captured, whether during a speech or for a YouTube video, at risk of having their voice cloned by AI. 


Although audio impersonation scams may seem far-fetched, they are very real. The Ferrari incident is one high-profile example, but scammers often target everyday people. Just a few months ago, for instance, an elderly relative of mine received a call from someone pretending to be her grandson. Thankfully, the scammer made some blunders, and she quickly realized it was a fraud. 

Interestingly, a phone scammer doesn’t need to impersonate a specific person to hide their identity. There are tools designed originally for video editing that can make the user’s voice sound totally different. A voiceover artist, for example, might use such a tool to give themselves distinct accents or disguise their age and gender, making themselves sound like a 6-year-old girl or an older man.


The bottom line is that scammers have access to lots of sophisticated tools.

So, how can you ensure employees at your company won't fall victim to voice impersonation scams?

The first step is education. Make sure your employees know about these types of scams and just how easily a phone scammer can impersonate someone they know. 

Inform employees that they cannot trust Caller ID. Way back in 2009, I published a book about Office Communications Server, a predecessor to Microsoft Teams. One of the topics I covered was how to program telephone switches, which included programming the Caller ID. In other words, even 15 years ago (and probably long before that), it was possible to make Caller ID display any information you wanted. Given how much technology has advanced since then, consider how easy Caller ID spoofing must be today. 


Another step is to create a policy prohibiting employees from sharing sensitive information over the phone. Instead, mandate that employees communicate such information through a trusted, encrypted channel.

In addition, organizations can come up with a code word or phrase to verify caller identity. A scammer outside the company is unlikely to know this code or phrase, particularly if you change it regularly.

One of the most effective strategies against voice impersonation scams – one I encouraged my elderly relative to use – is to insist on calling the person back. Let’s consider how this could work in a corporate environment. Imagine an employee receiving a call from someone claiming to be from HR, asking them to confirm some personal information. The Caller ID appears correct, and the employee recognizes the voice, so they have no reason to suspect a scam. However, as soon as the caller requests personal information, the employee should follow a protocol of calling back using the phone number listed in the corporate directory. That way, they can confirm they are genuinely speaking to HR and not a scammer posing as an HR representative.




About the Author

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.

http://brienposey.com/
