Here is one of the many questions we receive from our free monthly
Privacy Professor Tips awareness publication readers, LinkedIn
connections, and our Data Security and Privacy with the Privacy
Professor radio/podcast show listeners.
We provided a short answer to it within the January 2024 Tips.
However, we wanted to expand upon that information within a blog post.
Here is the question:
How is artificial intelligence (AI) being used within social engineering tactics?
First, you may be asking, what is social engineering?
Social engineering is a term that broadly covers all the types of
tactics used to manipulate individuals, often by exploiting their trust
or naivety, and convincing them to divulge sensitive information, such
as login credentials or financial data.
AI is being used much more frequently, and in new and unexpected
ways, to not only launch social engineering attacks, but also to
facilitate many new types of cyberattacks. In addition to research I’ve
done in this area, one of our other Privacy & Security Brainiacs
team members, Noah Herold, has also done research for how AI is being
used for social engineering and other cybercrime tactics.
Criminals do not need much clean audio to train AI to create
realistic voice models. Less than an hour is needed for most AI models,
and that amount of time is getting less and less as AI models used to
impersonate voices are getting more powerful. Criminals are able to use
published audio, such as from podcasts, videos, and audible news
reports, to train AI for to impersonate specific individuals to initiate
such scams. AI is also being used for a wide range of social
engineering tactics.
Impersonating others in phone calls
We covered a long list of ways that AI is being used to spoof callers
in phone calls for social engineering, and how to spot and prevent
being victimized by them in another blog post we made today. Please see it as a supplement to this blog post.
AI use in other social engineering tactics
It’s now possible to use AI to filter your voice in near real-time
rather than just recording sound bites to use for a script. For example,
here is a video
where someone is pretending to be the developer of the videogame that
he's playing as a joke. NOTE: The language is not safe for work (NSFW)
environments.
Crooks are also using social engineering in extortion attempts to
have ransom paid after claiming to have kidnapped an individual, or to
kill someone. The crooks often show photos or videos that seemingly
shows the person being impersonated, or play an audio clip of the
person, as “proof” that the crook has them or is targeting them. The
crooks then demand a large amount of money to release and/or not harm
the person. Such extortion attempts are occurring daily.
Specific to social engineering tactics, Noah and I put together the
following list describing a few ways that you can tell signs the video
and photo images were likely AI generated, and that the person
contacting you is likely trying to social engineer you. Look closely at
any so-called “evidence” the person contacting you is providing. If this
happens to you, look closely at images and videos.
-
Are there any small details that are incorrect? A common AI defect is including too many or too few fingers or toes on people. Also having too many eyes, arms, legs, or other body parts, or blurry body parts, are also common indicators of AI generated images.
-
Look at the clothes, jewelry, hairstyles, and other characteristics of the purported person. Do they match what the person was last seen wearing? Would such attributes be uncharacteristic for that person?
-
Videos where the person never blinks, blinks too frequently, or blinks in an unnatural way are often the result of AI generated images.
-
Facial issues, skin, or hair issues, and faces that seem blurrier than the surroundings in which they are situated, and/or abnormally soft appearance of the focus, are also indicators of AI-generated images.
-
Does the lighting look artificial? AI algorithms often do not sync the generated images of deepfakes with the original images from which the impersonations are made.
-
The audio of AI generated videos often are slightly, almost imperceptibly, not exactly synced with the mouth of the impersonated individual.
To identify when hackers are attempting to spoof/clone a voice,
increasingly more often voice liveness detection (VOID) is being
embedded in mobile computing device firmware or software used in such
devices for voice recognition. Other tools will be made available soon
as well.