Phishing attacks have become par for the course when it comes to cybersecurity threats, partly because they’re so effective—and some attackers are taking advantage of advances in voice-based technology to increase their chances for successful subterfuge.
Michael Crandell, CEO of password manager Bitwarden, demonstrated just how far voice phishing, or “vishing,” has come. During an interview with IT Brew, Crandell played a recording his team had made of him apologizing for lateness and asking this reporter for his personal information to reconnect. While the delivery was somewhat stilted, the effect wasn’t completely unbelievable.
“Almost every new team member at Bitwarden in the first week or two gets a text, supposedly from Michael Crandell, asking them: ‘I’m in a webinar, could they buy some gift cards?’” Crandell said. “Most of them are pretty obvious, but I think we’re in a world where, because of AI, everything is advancing quickly and becoming more difficult to detect.”
Criminal actions. Phishing attacks in general, primarily those relying on email, have become a major issue in the fintech sector. A recent report from Abnormal Security found that email and phishing attacks increased year over year by 23% and 17% respectively, due in part to the size and scope of the financial services industry.
“Many of these big companies don’t even know who all they are doing business with,” Abnormal Field CISO Mick Leach told IT Brew.
Vishing is on Davit Baghdasaryan’s radar too. The co-founder and CEO of AI voice technology company Krisp told IT Brew that he and his team have been tracking vishing reports with concern. The pace of criminal innovation isn’t slowing.
“The threat is pretty real,” Baghdasaryan said. “And given how technology improves, especially text to speech, over time, this is clearly going to be a big battle between companies—the ones that try to scam, and the ones that create anti-phishing detection technologies.”
Lurker alert. IT teams and defenders need to invest in deepfake detection and to stay abreast of changes in the field, Baghdasaryan said. That means being aware of how threat actors are deploying vishing to attack your organization and educating staff.
“When the defense relies on people, traditionally we see that it’s a weak point,” Baghdasaryan said. “The weakest point in security is people, because sometimes they’re too relaxed, they don’t pay attention, they’re exhausted at work.”
That’s the perfect time for the visher to strike. A phone call asking for what might seem like an innocuous piece of information could turn into a security disaster. Part of the way phishing works is by enticing the victim.
As NCC Group Technical Director Sourya Biswas told IT Brew, for emails it’s as simple as clicking a button. But with vishing, the process is more complicated, and the outcome can deliver greater rewards.
AI also sets vishing apart from other phishing: because generative AI lets the threat actor respond quickly, the attacker is more likely to be able to pivot when challenged. To the unsuspecting victim, it can seem like a genuine conversation. Urgency and a sense of connection make vishing particularly dangerous.
“Phishing is basically social engineering, and social engineering basically means that success is predicated on exploiting the norms of normal social behavior,” Biswas said. “The way people behave, that’s how they are; they are prone to manipulation by these criminals.”
Solutions time. Basic security hygiene, as always, is the key. Crandell told IT Brew that double-checking can go a long way toward confirming that the person calling you is who they claim to be.
“Find another communication avenue—don’t text back whoever texted you that, get on a different email, or go on Slack chat or Teams, or whatever you’re using, and verify it,” Crandell said.