Voice Cloning AI Scams Are on the Rise
(Originally published Oct. 2021) Though many services are improved with AI, scams are increasing. Scammers use tactics like voice cloning to mimic voices to steal your money. Here's what you need to know to protect yourself from cyber theft.
If someone calls you and says, "You've won the lottery!" you likely know what to do: Hang up because it's probably a scam. But what if the voice on the other line is your child — and they're in trouble?
That's what happened to Jennifer DeStefano, who received a call from an unknown number and heard the panicked voice of her daughter, who was in danger and needed a $1 million ransom paid to her kidnappers, according to CNN. Thankfully, Jennifer was able to confirm her daughter was safe and didn't part with any money, but the experience was terrifying.
In the ongoing efforts by scammers to find new ways to steal your money, federal officials are warning consumers to be aware of cloned voices.
How Does AI Voice Cloning Work?
The growth of artificial intelligence (AI) has made it easier for criminals to clone voices and create snippets of dialogue that sound just like people you know. In fact, according to Federal Trade Commission reports, in 2022, the U.S. lost $2.6 million to imposter scams alone.
"Scammers can pull pieces of a person's real voice and have an AI tool use those voice patterns to create synthetic conversations, copying and manipulating your voice," said Sean Murphy, a Senior Vice President and the Chief Information Security Officer at BECU.
Murphy said even a small number of recorded words from a voice recording is enough for AI tools to successfully imitate a person's voice.
When in doubt, Murphy says to be cautious when any urgent requests arise, even if it sounds like someone you know.
AI Scams Are More Sophisticated
Technology used to scam people extends beyond voice impersonations. Images of people who don't exist are used to create false social media profiles, and "deep fake" videos can be manipulated to show real people doing things they didn't do.
Murphy said it's all an effort to increase the efficiency and effectiveness of what digital security professionals refer to as social engineering: AI finds patterns in your behavior that make it easier for the scammer to target you and convince you to give them access to personal information.
"The most likely way credit union members are at risk is someone trying to get your credentials, like your password or challenge question information," Murphy said. "They might use that information to pretend to be a member and try to get someone from BECU to give them account access. With the addition of AI capabilities and social engineering, attackers can be even more convincing to gain unauthorized access."
Playing Defense and Offense
Talking about online scams might make AI sound scary, but Murphy said it's important to remember that legitimate organizations use it for positive purposes, too.
For instance, OpenAI, a private AI research company, just announced its newest ChatGPT feature that can speak and respond to images. This means users could take a picture of the food in their fridge and ask the platform to create a meal plan based on the ingredients on hand.
"AI can be both good and bad," Murphy said. "From a cybersecurity perspective, BECU is using AI to help us develop tools and techniques to protect our own systems. We find patterns and create defenses that are more predictive and proactive, rather than being reactive."
Murphy said many organizations use AI to teach their computers to detect when other computers are trying to penetrate their cybersecurity measures.
"Sometimes we just see feelers," Murphy said. "For example, the AI call you receive may ask you seemingly innocent questions, including just getting you to say, 'Hello, who is there?' to gather voice patterns that the scammer will use later to impersonate you. You can protect yourself by maintaining the skepticism you have when there is a sense of urgency or an offer that is too good to be true. Unsolicited phone calls from unknown sources should raise your concerns," Murphy said.
"Limit the information you are willing to share," he said. "If they are claiming to be from BECU, hang up and contact us directly to be sure."
6 Tips To Protect Yourself From Scams
Follow these tips to protect your personal data and your finances:
1. Protect your information.
Unless you are certain you are talking with a trusted source, be skeptical about requests that require your information. Never give passwords, authentication codes or personal information to a caller, even if they sound familiar. It could be a voice recording trying to capture your voice pattern.
2. Be aware of urgent requests.
Don't click on links or reply to requests for money transfers.
3. Avoid unverified offers for prizes.
Assume that if a prize or deal is too good to be true, it probably is.
4. Take a pause.
Pause when confronted with any deal or notice of a discontinued service that requires urgent action. Most reputable companies will give plenty of time to communicate a special offer or discount, and they won't ask you to log in and provide your account number.
5. Contact a trusted source.
Hang up and call the company back using the phone number you know is theirs. Look up the number on the company's website or in your own contacts. Don't call back the number that just called you or use a number in an email or text message you received from the caller.
6. Report fraud.
If you suspect fraud, the FTC wants you to report it. Learn how to help fight fraud on their website.
Basic Scams Still Rule
As interesting and scary as AI driven scams are, Murphy said most people are more likely to encounter basic attempts at fraud and theft, like password phishing emails, text messages and spoofed websites, where scammers are trying to convince users to give up their login information.
"I hope people don't worry so much about highly technical, sensational attacks that they look past basic attacks that are far more common," Murphy said.
If people want to protect themselves most effectively, Murphy advises learning and practicing the basics of online security.
"A healthy dose of skepticism is good," he said. "Just take an extra second to look for red flags."