In a rapidly digitizing world, the threat landscape is evolving at a pace far imagined. Cybercriminals are no longer relying solely on crude phishing emails riddled with grammar mistakes or brute-force hacking tools. The use of Vishing (voice phishing) and whaling (which targets senior leadership and C-level executives) is now more pronounced and potent, with the help of AI. With these, criminals can generate real-time audio deepfakes to call unsuspecting targets, posing as familiar internal staff or business partners with the concept of deepfakes and AI-driven spoofing technologies to launch cyberattacks. Following the use of these tools to deliver the malicious software (malware), the victims systems locked up, and payment are demanded, also known as ransomware.
AI spoofing is a tool usually utilized to impersonate individuals or systems. For instance, replicating an email writing style to impersonate a person, cloning a voice for a phone conversation scam, or even simulating biometric data such as facial recognition or fingerprints, among others.
Deepfakes, on the other hand, are synthetic media, such as audio, video, or images, created using AI technology to replicate an individual’s voice, facial expressions, and other physical traits to a large degree.
Consider a deepfake video call where an organization’s Chief Financial Officer is deceived into thinking he is speaking with the CEO about a financial emergency, leading them to approve a transaction quickly or system access. With the use of social engineering, these tools can be weaponized to deceive potential victims into downloading corrupted attachments and clicking malicious links, thereby providing access to sensitive credentials, hence the execution of ransomware.
Historically, cybercriminals have relied on social engineering through sending large emails, malicious links, fraudulent messages or notifications that appear to have originated from legitimate banks (phony bank alerts). The attacker intends to trick individuals into sharing sensitive information, such as account details, login credentials, or one-time passwords (OTPs). While the above-described methods are still in use, attackers now adopt more sophisticated strategies that utilize deepfakes and AI spoofing. This approach leverages the potency of AI in social engineering by creating hyper-personalized, nearly indistinguishable fraudulent content.
For instance, a UK-based energy firm was scammed out of almost £200,000 after an employee received a call from an individual who mimicked the voice of the organization’s German CEO. According to the report, the scammer cloned the CEO’s voice using AI and made the voice sound urgent and legitimate, which made the employee transfer funds to a supplier in Hungary. This activity eventually turned out to be part of a ransomware attack as it was a strategic infiltration using synthetic voice technology, which led to financial loss and system compromise.
Attackers adopt several stages of the cyber kill chain to achieve their deepfakes strategies as discussed below.
- Reconnaissance and Targeting: The deepfake and AI spoofing tools utilize social media platforms and websites to capture visual and audio data of executives, employees, or public figures, which becomes the weapon to create convincing impersonations.
- Initial Contact and Deception: A deepfake video of a manager may be sent via email, instructing an IT administrator to “urgently” install a software patch. The email of this kind usually brings in a sense of urgency, and it usually contains embedded ransomware.
- Payload Delivery: In this stage, the victim would have been successfully deceived, and malicious software is executed through the attached documents or hyperlinks. The ransomware would then encrypt files and systems, often spreading laterally across the organization’s network.
- Ransom and Extortion: This is the last stage, which comes after the systems are locked. The attackers at this stage achieve their ultimate objective of financial extortion. For example, they might fabricate compromising video content to pressure xecutives into paying ransoms swiftly and quietly.
The sophistication and advancement in AI spoofing for ransomware attacks are developing daily, and these techniques are now commonly used for infiltrating secure systems, especially where human verification is the last defence. In many instances, attackers are now utilizing AI spoofing to clone biometric data by bypassing facial or fingerprint recognition systems and impersonate digital assistants (like Amazon Alexa, Apple Siri, Google Assistant, and Microsoft Co-pilot, among others) to initiate actions on smart devices. The AI spooling can also generate multiple emails and texts with linguistic accuracy mimicking individual writing styles.
Communication breakdown: The advances in AI spoofing and deepfakes have hampered communication within organizations. This is because of the trust erosion this development has created, which is a major threat in corporate environments, especially for organizations that rely heavily on remote work and digital communication. With this development, every phone call, message, and chat is now suspicious.
Supply Chain Vulnerability: Malicious attackers take advantage of the supply chain by sending deepfake calls or messages appearing to have emanated from trusted partners, after which malicious access gets into their environment and vice versa. Many ransomware attacks now target the supply chain to perpetrate their malicious acts.
Financial and Legal Losses: Not only are organizations prone to financial loss due to the Deepfake and AI spoofing activities, but the legal risk that threatens an organization’s reputation is also at the forefront. While the original intention of ransomware is to demand payment, organizations may face financial loss from regulatory bodies and reputational loss from data breaches that resulted from the attack.
National Security Implications: In geopolitically sensitive environments, deepfakes could be used to fabricate government officials giving false orders, causing chaos, military responses, or stock market crashes.
Cognitive Bias and Authority: The success of AI spoofing attacks relies on humans’ weaknesses, particularly their tendency to trust. The deepfake exploits the basis of superior authority, giving directives to subordinates with a natural tendency to follow instructions without question. Most synthetic attacks emulate real business scenarios, providing a sense of urgency in their requests. For instance, a prompt that requests clicking a link to install an update to an application from an IT department.
Low Detection Rates: Prior to the AI Spoofing and Deepfake development, voice authentication systems and biometric tools were among the trusted and secure security tools to detect social engineering techniques like phishing, whaling, and Vishing. Today, these systems are now vulnerable to synthetic mimicry, as detecting them is becoming notoriously difficult. Attackers are constantly refining their techniques, and the detection of their tactics now requires tools of high quality.
To arm against these attacks, employing some of the following strategies can help the organization.
Multi-Factor Authentication (MFA): guarantees user verification through many methods. This may involve employing multiple passwords, tokens, or one-time passwords (OTPs) to authenticate identity, hence augmenting security against illegal access. With this approach, relying solely on voice or visual identity is avoided, and any identified unauthorized access is blocked.
Zero Trust Architecture: Zero Trust is rooted in the maxim ‘never trust, always verify,’ which emphasizes strict identity verification, micro-segmentation, real-time monitoring, and dynamic access controls. The implementation of Zero Trust within an organization mitigate the risks associated with insider threats, unauthorized access, and malicious hackers’ lateral movement.
Deepfake Detection Tools: Organizations should periodically update their policies to reflect AI-based threats and ensure incident response teams are prepared for deepfake-enabled scenarios. Additionally, policy enforcement must be in place for regulatory compliance and to maintain a good reputational image, and prevent financial loss due to fines from regulatory bodies. For instance, organizations that are serious about combating these menacing attacks must keep themselves updated with new regulations addressing trending threats such as the recently released EU AI Act and the proposed US Deepfakes Accountability Act, aimed at regulating malicious uses of synthetic media.
Employee Training: is needed to refocus cultural shift towards prioritizing cyber resilience through comprehensive cybersecurity governance by creating regular awareness training sessions for employees to recognize anomalies, and escalate potential threats. With this in place, not only will the staff be able to recognize email scams and suspicious links, suspicious audio, video, and even biometric evidence also stand the chance to be questionedand escalated by staff, who serve as the human firewall.
The convergence of deepfakes, AI spoofing, and ransomware attacks marks a profound shift in cyber risk and a new era where the boundaries between technical failure and human deception are not easily separated. Therefore, organizations and individuals alike should be fully aware of the cyber attackers’ strategies of not only targeting machines, but also the human psyche. In addition to proactively investing in technical, procedural, and ethical tools, organizations must have the right governance and policies in place and ensure full compliance at all times. Finally, all hands must be on deck through public campaigns, educative programs, and digital literacy in enlightening the general public with these new cyber-attack, as the most potent defence is not the technical equipment and tools, but through awareness by the human firewall.
