Who’s calling? The threat of AI-powered vishing attacks
Imagine receiving a call from a high-ranking official, urgently requesting a wire transfer to resolve a national crisis. This was the case for several wealthy entrepreneurs in Italy recently, leaving them in an awkward position.
However, it was in fact fraudsters impersonating the Italian Defense Minister Guido Crosetto, trying to trick individuals into transferring large sums of money.
This is an example of vishing—a growing cybersecurity threat that’s at risk of going nuclear thanks to AI.
Vishing, or “voice phishing,” is a form of social engineering where scammers use phone calls to deceive victims into revealing sensitive information or making fraudulent payments.
While traditional vishing relied on human impersonation, AI now enables attackers to generate highly convincing synthetic voices, even cloning the voices of real individuals.
How can your voice be cloned?
AI can create realistic human voices using text-to-speech (TTS) synthesis and deep learning techniques. Advanced models like Google DeepMind’s WaveNet and AI-powered vocoders are able to replicate human speech patterns with remarkable accuracy.
Microsoft claims that a voice can be cloned in just three seconds, meaning a scammer could phone someone for a very brief conversation and then create a realistic AI voice using only that recording.
Vishers will usually impersonate banks, government agencies, or corporate executives to exploit victims’ trust. They use urgency, authority, and emotional manipulation to pressure targets into compliance.
AI-enhanced vishing is more believable and harder to detect, due to how realistic a cloned voice can sound.
When used in combination with other social engineering techniques like phishing (email) and smishing (SMS), these attacks can be hard to spot even for cyber-savvy professionals.
The anatomy of an AI vishing attack
A typical AI vishing attack tends to follow the process below:
- Reconnaissance: The attacker gathers personal information about the target.
- Spoofed call: Using AI-generated voices and fake caller IDs, the attacker impersonates a trusted entity.
- Urgency and manipulation: The scammer creates a sense of emergency, claiming a security breach, overdue payment, or crisis.
- Information extraction: The victim is pressured into revealing credentials, transferring money, or installing malicious software.
- Follow-up attacks: The attacker may reinforce their deception through phishing emails or smishing messages.
Some cybercriminals also offer “Vishing-as-a-Service” (VaaS), where they sell their talents to less-skilled fraudsters. These services include AI voice cloning and robocall automation, making sophisticated scams accessible to a wider range of attackers.
As the barriers to entry get lower, it’s likely we’ll see an increasing number of vishing attacks over the coming years.
What if you think you’re being targeted by vishing?
AI vishing is a serious and evolving cyber threat. With AI making it easier to impersonate trusted voices, businesses and individuals need to stay vigilant.
By implementing authentication measures, educating employees, and adopting security best practices, organizations can reduce their exposure to vishing attacks.
The key to defense is awareness—don’t trust a voice at face value, especially when money or sensitive information is on the line.
Signs of a vishing attack
- Unexpected robocalls followed by a personal call.
- Urgent demands for payments or sensitive data.
- Poor audio quality or unnatural voice patterns.
- Calls from unfamiliar numbers or at odd times.
- Requests to bypass standard security procedures.
Best practices for individuals
- Never share sensitive information over the phone unless you can verify the caller.
- Let unknown numbers go to voicemail and review the message before responding.
- Verify unusual requests using a secondary communication channel, or use multi-factor authentication (MFA) to verify callers making sensitive requests.
- Register phone numbers with the “Do Not Call” registry and enable call filtering features.
Enterprise security measures
- Implement strong authentication protocols at service desks to verify callers.
- Require multi-step verification for sensitive transactions.
- Train employees to recognize vishing red flags.
- Use AI-based call monitoring to detect fraudulent activity.
- Limit publicly available employee information to reduce targeting risks.
The MGM Resorts hack
The MGM Resorts hack was a prime example of how vishing can be used to bypass security and gain unauthorized access to critical systems. The attackers, believed to be part of the ALPHV/BlackCat ransomware group, started by researching MGM employees on LinkedIn.
They then impersonated an employee and called the MGM service desk, posing as the staff member and requesting access to their account.
Because the attackers were convincing and exploited gaps in MGM’s authentication process, they were able to bypass security checks and gain entry into the system.
This initial access led to a massive data breach, costing MGM Resorts millions in revenue and causing widespread system disruptions, including issues with reservations, electronic payments, and slot machines in casinos.
Protect your service desk from vishing
Service desk agents are prime targets for vishing attacks since they often handle sensitive information and user authentication requests. Without proper verification protocols, attackers can impersonate employees, executives, or vendors to gain unauthorized access to systems and data.
To defend against vishing threats, organizations must implement strong authentication processes at the service desk. Multi-factor authentication (MFA) and caller verification techniques can help prevent unauthorized access and reduce the risk of social engineering attacks.
Ensuring that agents are trained to recognize vishing attempts and verify caller identities before processing requests is crucial in the face of AI-powered vishing threats.
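The verification gate the enterprise measures above and this section describe (strong caller verification at the service desk, multi-step verification before sensitive transactions) can be made concrete. The following is an added example written for this page, not Specops code and not a description of any product: a small Python service-desk verifier that refuses password resets and unlocks until the caller proves control of a contact channel taken from the directory, never from a number the caller supplies. The directory entries, phone numbers and ticket IDs are constructed sample data; the `sender` callback stands in for a real SMS or push gateway.

```python
"""Out-of-band caller verification gate for a service desk (added example)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample directory. The contact channel used for verification
# always comes from here, never from whatever number the caller offers.
DIRECTORY = {
    "j.doe": {"mobile": "+1-555-0100"},  # constructed
    "a.lee": {"mobile": "+1-555-0101"},  # constructed
}

# Requests that must never be fulfilled on the strength of a voice alone.
SENSITIVE_ACTIONS = {"password_reset", "account_unlock", "mfa_device_change"}


@dataclass
class Ticket:
    ticket_id: str
    claimed_user: str
    action: str
    code: str            # one-time code pushed to the directory channel
    issued_at: float
    attempts: int = 0
    verified: bool = False
    audit: list = field(default_factory=list)  # every decision is logged


class ServiceDeskVerifier:
    def __init__(self, directory, ttl_seconds=300, max_attempts=3,
                 sender=None, clock=time.time):
        self.directory = directory
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        # Hypothetical gateway hook: sender(channel, code). Default drops the code.
        self.sender = sender or (lambda channel, code: None)
        self.clock = clock          # injectable so expiry can be tested
        self.tickets = {}

    def start(self, ticket_id, claimed_user, action, caller_id=None):
        """Open a ticket and push a fresh one-time code to the enrolled channel."""
        if claimed_user not in self.directory:
            raise ValueError(f"{claimed_user!r} is not an enrolled user")
        code = f"{secrets.randbelow(10**6):06d}"
        ticket = Ticket(ticket_id, claimed_user, action, code, self.clock())
        # Caller ID is spoofable, so it is recorded for the audit trail only.
        ticket.audit.append(f"caller_id={caller_id!r} recorded, not trusted")
        self.sender(self.directory[claimed_user]["mobile"], code)
        self.tickets[ticket_id] = ticket
        return ticket

    def confirm(self, ticket_id, code_from_caller):
        """Caller reads back the code they received on the enrolled channel."""
        ticket = self.tickets[ticket_id]
        if self.clock() - ticket.issued_at > self.ttl:
            ticket.audit.append("code expired; issue a new one")
            return False
        if ticket.attempts >= self.max_attempts:
            ticket.audit.append("attempt limit reached; escalate to a supervisor")
            return False
        ticket.attempts += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(ticket.code, str(code_from_caller)):
            ticket.verified = True
            ticket.audit.append("out-of-band code confirmed")
            return True
        ticket.audit.append("wrong code")
        return False

    def authorize(self, ticket_id, bypass_requested=False):
        """Allow a sensitive action only on a verified ticket; log bypass attempts."""
        ticket = self.tickets[ticket_id]
        if ticket.action in SENSITIVE_ACTIONS and not ticket.verified:
            reason = ("caller asked to skip verification" if bypass_requested
                      else "ticket not verified")
            ticket.audit.append(f"DENIED {ticket.action}: {reason}")
            return False
        ticket.audit.append(f"APPROVED {ticket.action}")
        return True


if __name__ == "__main__":
    delivered = []
    desk = ServiceDeskVerifier(DIRECTORY, sender=lambda ch, c: delivered.append((ch, c)))
    t = desk.start("T-1001", "j.doe", "password_reset", caller_id="+1-555-9999")
    print("reset before verification:", desk.authorize("T-1001", bypass_requested=True))
    print("code confirmed:", desk.confirm("T-1001", delivered[0][1]))
    print("reset after verification:", desk.authorize("T-1001"))
    print("\n".join(t.audit))
```

The design choice that matters is that the one-time code goes only to the channel on file, so a convincing cloned voice with a spoofed caller ID still cannot complete a reset without control of the real user's device. A caller pressing the agent to "skip the check this once" (the bypass flag) is logged as a denial rather than negotiated, which matches the red flag listed above. Expiry and attempt limits keep a leaked code from being replayed later.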
With Specops Secure Service Desk, you can enforce strong user verification before allowing password resets or account unlocks. This reduces the risk of impersonation and protects your organization from costly breaches.
Want to strengthen your security against vishing attacks? Try Specops Secure Service Desk today.
Sponsored and written by Specops Software.