Criminals are using AI-generated audio to impersonate a CEO’s voice and con subordinates into transferring funds to a scammer’s account.
So-called deepfake voice attacks could be the next frontier in a scam that has cost US businesses almost $2bn over the past two years through fraudulent email.
The Wall Street Journal reports that the CEO of an unnamed UK-based energy company thought he was talking on the phone with his boss, the CEO of the German parent company, who’d asked him to urgently transfer €220,000 ($243,000) to a Hungarian supplier.
However, the UK CEO was in fact taking instructions from a scammer who’d used AI-powered voice technology to impersonate the German CEO. It’s the voice equivalent of deepfake videos that are causing alarm for their potential to manipulate public opinion and cause social discord.
The voice fraud incident was described to the WSJ by the energy company’s insurer, Euler Hermes Group.
The insurer believes the scammer had used commercially available AI voice-generating software to carry out the fraud.
The UK-based CEO became suspicious when the fraudster called a third time to request a second transfer, and he noticed the call was from an Austrian number. He didn’t make any further transfers. However, the original transfer went to a Hungarian account under the scammers’ control and was then transferred to Mexico.
It’s not the first known case of deepfaked audio of CEO voices being used to trick financial controllers into transferring funds to fraudsters.
The BBC reported in July that Symantec had seen three similar cases where AI software had been used to spoof CEO voices. Victims lost millions of dollars in those cases.
CEOs could be an easier target for AI-generated voice fraud because their voices are often contained in earnings calls, media appearances, YouTube videos, and conferences, offering scammers plenty of data to build a model of someone’s voice.
The scam bears the hallmarks of an older fraud that’s already caused massive losses in the US: business email compromise (BEC), which cost US businesses $1.3bn in 2018 alone.
While BEC crime involves manipulating people through fraudulent email, the basic scam and goal are the same, albeit via a different medium.
BEC involves spoofing or compromising a senior officer’s email account and emailing instructions for a financial controller to urgently transfer funds to an account controlled by the scammer.
Insurance giant AIG (American International Group) recently reported that BEC-related insurance filings from the EMEA region accounted for 23% of all cyber-insurance claims it received in 2018. It was followed by ransomware, which accounted for 18% of these claims.