It’s an auditory crisis. The perfect mimicry of the human voice by artificial intelligence (AI) used by criminals to access organizations, discredit governments and leaders, steal data and money, and exploit people and companies. A woman was tricked into thinking her daughter had been kidnapped – the terrified voice on the end of the call was an AI fake. An employee in a multinational enterprise was conned into paying cybercriminals $25 million because he believed he was talking to the company’s Chief Financial Officer and Tom Hanks’ voice was cloned to sell dental plans.
If a fraudster can mimic someone’s voice, they can bypass security checks designed to use voice biometrics. They can fool people into believing that they’re talking to a trusted friend and colleague. They can slide past security barriers and connect with people because their fakes are so good, nobody can tell the difference.
“It’s the trust factor,” explains Adrianus Warmenhoven, cybersecurity expert at NordVPN. “As humans we have implicit trust anchors – I can read your body language when I see you, I can hear inflections and reactions in your voice on the phone and these anchor trust between us. These were developed by being in school, going to work, seeing people. Now they’re being used by criminals to make connections and successful scams.”
Voice is easy to start with. It can be trained easily and there are plenty of applications online. Anyone can download an AI and clone someone’s voice. The technology capable of converting voice to text, text to voice and then applying it to anything from fake bank calls through to scams designed to phish passwords or con family members is readily available.
“How accurately can you pick up someone’s voice? Are the slight tonal differences not just background noise? What if they’ve told you they’re not feeling well? The last two are the highest contributors, accounting for more than 80% of the threats we are seeing in terms of how voice recognition can be compromised,” says Vukosi Sambo, Executive – Head of Data Insights and AIat AfroCentric.
“We are also seeing instances where someone records a person’s voice and then uses it to authenticate themselves as that person to gain access to information or systems.”
Getting hold of a person’s voice isn’t difficult either. Cybercriminals simply turn to the one thing they’ve used to hone their craft for years – social media. As Ryan Mer, CEO of eftsure Africa, points out: “People post videos on social media, they share voice notes on WhatsApp, and in the business space, key people have some form of media, whether it’s an interview on TV, radio or a podcast.”
The technology is capable of generating a legitimate voice profile using only a few seconds of these videos and voice snippets. Then, that voice can be used to get in touch with people in the business, especially the finance team, to swindle them out of sensitive information or get them to perform certain tasks. It’s not always a case of getting someone to transfer millions, it can also be trying to access the system for data that can be sold for millions, or to infiltrate a business to commit long-term fraud from within.
Anyone can go onto the dark web and, for a small fee, ask for a deep fake video saying whatever they want. Nobody is going to ask how this will be used. Nobody will care about the repercussions of its use. It is also very likely the next creator of millionaires and billionaires who have used AI to achieve their financial goals, as nefarious as those may be.
Sambo adds: “It’s important to understand what the organization is entitled to in terms of collecting and storing voice data. If you’re not careful, you could infringe individual rights in light of the AI threat. Can companies that record calls for quality and security purposes really protect themselves from this perspective?”
“Considering how this technology is available to anybody these days for next to nothing, security has to take a multi- layered approach,” says Lance Fanaroff, co-founder of iiDENTIFii. “You need to manage access control based on who has access to what; focus on individual access tools such as two-factor authentication and biometrics; and then invest into technologies designed to identify and mitigate potential threats on a granular, individual, level.”
There is a positive side to the conversation – the technologies designed to tackle the threats are evolving just as rapidly. They’re more resilient and alert, capable of adapting to the potential deep fake risks with agility. However, there is only so much a company can do to protect its people and its systems. As Kabelo Makwane, Managing Executive: Cloud, Hosting & Security at Vodacom Business Africa, concludes: “What has become important now is finding the right balance between leveraging the technology, not locking down systems, and still finding a way of layering security so there remains space for growth and productivity.”