"Criminals used artificial intelligence-based software to impersonate a chief executive’s voice and demand a fraudulent transfer of €220,000 ($243,000) in March in what cybercrime experts described as an unusual case of artificial intelligence being used in hacking."
Would the Ronald Reagan approach of "trust but verify" actually work in these circumstances?
So there you are listening to the CEO of your organisation, who has demanded you send money to a particular place within a certain time frame.
Regardless of it potentially being a medical emergency, a ransom demand, or some other issue such as an emergency due to someone having forgotten to renew the license on a vital piece of equipment or service?
How would you verify that the person on the other end is actually who they state they are?
1) Ask them key questions, only you and the CEO would know the correct responses?
2) Put the mobile or telephone down, and ring a known verified number belonging to the person?
3) If you have your wits about at the time, record the session and then compare this with a known verified recording?
4) Could you take a SHA-256 bit hash and compare them - would this sufficient to prove that it was the original CEO in reality?
This is more like a security awareness theme, but the potential for damage is very high given the number of high profile whaling successes.
On the basis that Augmented Intelligence (known as Artificial Intelligence) can detect up to 187 different nuances of a humans voice, and if a recording is captured by some means - and then played back through an attacking Augmented Intelligence solution or service - would you immediately pay up or carry out the task in reality, if you were prepared for such an attack?
Re: Social Engineering reaches new heights - mimicking a persons voice with AI
Requiring two forms of approval (verbal and documented) or dual approval for transfer requests over a certain amount. There should be clearly documented policies on this, regardless of who is making the request. If it was that urgent and an actual request , the extra layers of approval would get done quickly. Hopefully, in this case, the bad actors would have struggled getting the second form of approval, or the second person required to approve would have questioned it and called the CEO. Security awareness can only take you so far. At the end of day, financial controls need to be used in combination with security awareness.