Cyber Security

What are the biggest risks of using generative AI tools in sophisticated vishing and deepfake attacks?

DA Asked by Daniel Foster · 09-01-2024
0 upvotes 4,565 views 0 comments
The question

With the rise of Generative AI tools, I'm concerned about the escalating sophistication of vishing (voice phishing) and the new threat of deepfakes. How is AI currently being used to make social engineering attacks more effective, and what specific technical countermeasures and cyber security protocols should businesses adopt right now to defend against synthesized voices or video pretexts that perfectly mimic an executive or colleague? This is a major area for us to address in our next security awareness training.

3 answers

0
PE
Answered on 23-02-2024

Generative AI is a game-changer for attackers, allowing them to rapidly produce highly convincing text for spear phishing and, critically, realistic voice clones for vishing. This bypasses basic emotional red flags because the voice sounds authentic. To counter this, organizations must implement out-of-band verification for all sensitive requests (e.g., a CEO's voice call for an urgent wire transfer must be confirmed via a separate channel like a pre-agreed-upon secure text message or a call back to a known number). In training, emphasize that urgency and secrecy are the biggest signs of a social engineering attack, regardless of how real the voice sounds.

0
NO
Answered on 08-03-2024

While out-of-band verification is essential for wire transfers, what practical steps can employees take to authenticate a manager's identity during a spontaneous video call? Are there technical controls that can detect deepfakes in real-time within communication platforms, or is it purely a security awareness problem at this stage?

PE 22-03-2024

Noah, detecting deepfakes in real-time is an emerging field, but current enterprise tools are limited. For now, it is primarily a security awareness and protocol issue. Train employees to look for subtle artifacts (blurry edges, unnatural blinking/lighting) and, more importantly, to challenge the request by referring to a pre-established verbal authentication code or simply stating, "I need to call you back on your known extension for this sensitive request." This process must be mandatory for any high-risk action, regardless of the perceived authenticity of the voice or image.

0
AL
Answered on 01-04-2024

Enforce mandatory out-of-band verification for all financial and data access requests. Train staff to treat urgency/secrecy requests as immediate red flags for a potential AI-driven social engineering attempt.

DA 15-04-2024

Alex is spot on. And to bolster that, companies should include examples of realistic AI-generated voices in their security awareness training so employees are accustomed to the sound of a cloned voice, removing the element of shock and disbelief.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

World globe icon Country: Canada

Book Free Session