A hacker has revealed how cybercriminals are using artificial intelligence to clone people’s voices and steal thousands of pounds.
Dr Katie Paxton-Fear is a professor of cybersecurity at Manchester Metropolitan University and also an “ethical hacker” who “hacks companies before the bad guys do.”
She has teamed up with Vodafone Business on a new campaign to raise awareness of the growing threat of AI phishing scams in the UK business sector.
New research from the company suggests that young office workers are putting their workplace at greater risk of AI phishing attacks than any other age group.
The study highlighted an “age gap” in awareness: younger staff, aged 18 to 24, appear to be more likely to fall for the new generation of AI phishing scams than their older peers.
Gen Z staff appear much easier to hack than most: almost half (46%) have not updated their work password for over a year, compared to an average of a third (33%) of staff.
Researchers questioned 3,000 UK office workers and business leaders from small, medium and large businesses on a range of cybersecurity issues, including awareness of AI phishing attacks.
The study revealed that the majority of UK businesses (94%) do not feel adequately prepared to manage the growing threat of sophisticated AI-powered phishing attacks.
In a bid to raise awareness, Katie has revealed how easily cybercriminals can use AI to clone people’s voices and impersonate them over the phone, often without the victim realizing it.
Hackers need only “three seconds of audio” (like a voice message) to clone someone’s voice. They also typically follow five easy steps to carry out their ‘vishing’ scam (voice clone phishing scam).
To prove it, entrepreneur Chris Donnelly challenged Katie to hack his business to see how easily criminals could use AI to defraud him.
Chris has been an entrepreneur for 15 years and is the founder of Lottie, a healthcare technology platform for nursing homes.
Continue reading below as Katie explains the steps cybercriminals take to hack a company using AI voice cloning.
1. Recognition
Katie said: “Any trick starts with recognition.” A hacker will find a victim and access their social networks.
In this case, Chris is a public figure with thousands of followers on various social media platforms. His profiles reveal details about his staff and the jobs they do for him.
Now a hacker has both an unsuspecting boss and his equally unsuspecting employee in his sights.
2. Voice cloning
Now the hacker will browse the boss’s social media pages to find audio or video content.
Katie said: ‘All we have to do is visit Chris’s social media pages, download some video and copy his speech style. We only need three seconds of audio.’
AI voice cloning software can use the recording to recreate Chris’s voice; now all the hacker has to do is type what he wants the cloned voice to say.
In this case, Katie writes “Have you managed to pay the bill I sent you?” – and the message is repeated in Chris’s voice.
3. Make contact
The hacker sends a text message to the employee posing as his boss; although it is from an unknown number, it tells him to wait for a call.
In this case, Chris’s employee receives the text message and waits for the call from his boss.
4. The call
Now the call. The hacker calls the employee from his computer using software, then simply types the message he wants the cloned Chris to say.
In the video, the employee hears his boss Chris ask him: “Have you managed to pay the invoice I sent you? It is crucial that this is resolved immediately.”
What should the employee do? Their boss has given them a direct order.
5. The wait
The employee has received specific instructions on how to make the payment. Now we have to wait to see if they will do it.
Katie said: ‘The final step is whether the victim takes action or not. Most hackers will know if they have been successful at the end of the phone call.’
Chris Donnelly, entrepreneur and CEO of Lottie, said: ‘Cybersecurity has always been a priority for my business, it’s something we think about all the time and we make sure we keep our security protocols as up to date as possible.
‘You can imagine my surprise at how easily the ethical hacker was able to breach our defenses using sophisticated AI phishing tactics such as voice cloning.
‘As someone who runs a healthcare technology platform where we manage large amounts of personal and private data, this experience highlights the importance of being one step ahead in cybersecurity, especially with evolving AI threats.
‘It is a wake-up call for all businesses to strengthen their security measures and provide ongoing training to staff to protect against even the most advanced forms of deception. Today, remaining alert and adaptable is essential to protect our organization and our customers.’
Katie added: “With AI, attackers can personalize messages to appear highly personalized, making it harder than ever for employees to distinguish a fake email from a legitimate one.”
‘Businesses, regardless of their size, must understand the real risk they face and take proactive steps to defend against these threats.
‘Strengthening cybersecurity practices, implementing advanced detection systems, and educating staff on how to recognize AI-powered scams are essential steps to safeguarding valuable data and maintaining trust.’