Despite my enthusiasm over AI-generated avatars and video translations for use in marketing, we’ve just seen a stark reminder that even technology companies can fall prey to social engineering tactics when a hacker impersonated an employee’s voice using deepfake audio to infiltrate the systems of Retool, a software business. The incident highlights the rising threat of weaponized artificial intelligence and the need for companies to reassess vulnerabilities in their cybersecurity strategies as part of their AI policies.
How The Breach Occurred
The attack began simply enough – with a phishing text message. We’ve all received these text messages. I usually get the one claiming to be the CEO asking that I run out and purchase gift cards. Of course, each time that has happened, I’ve texted my boss to ask if the request was real. It never was.
Posing as a member of Retool’s IT team, the hacker contacted several employees claiming payroll issues were blocking their healthcare coverage and provided a link to resolve the problem.
Most employees avoided the obvious scam, but one clicked through, landing on a fake login page. After entering their credentials, the target received a deepfaked call that chillingly mimicked a coworker’s voice.
Armed with intimate knowledge of Retool’s office layout, personnel, and protocols, the AI-generated voice put the employee at ease. Their suspicions didn’t fully activate until the conversation turned to multi-factor authentication codes. Unfortunately, the employee relinquished the key piece of information needed to access their account. From there, the hacker added their own device and infiltrated the employee’s G Suite account.
Hackers Gained Access To Google’s Authenticators
The use of Google’s Authenticator app proved catastrophic, as its cloud sync made the employee’s multi-factor codes visible across linked devices. In other words, compromising the Google account granted the hacker all associated MFA tokens. Retool insists this was the primary reason the attacker penetrated deep into its systems.
Over several harrowing days, the hacker prowled Retool’s network, accessing over two dozen customer cloud accounts. The company has since revoked the intruder’s access but felt compelled to publicize the incident given the sophistication of the social engineering tactics. As Retool stated, “Anyone can be made a target.”
A DeepFaked Audio Helped Hackers Impersonate Coworkers for Access
The deception was made possible by advancements in AI-generated audio using samples of a person’s voice to synthesize natural conversation. While the technology holds promise for honest applications, it also poses serious risks for exploitation by cybercriminals. Attackers no longer need the victim on the phone to mimic speech patterns and vocabulary convincingly.
Deepfakes allow hackers to impersonate coworkers and authority figures with alarming credibility, making it difficult for the average employee to detect deception in real time. Combine voice imitation with personal details gleaned from social media profiles, and the effect is extremely disorienting. I’ve seen articles where individuals are targeted – particularly parents who are confronted with the deepfaked voice of their kid screaming in fear or pain as the crook asks for money.
What You Can Do To Protect Yourself
As deepfake technology grows more sophisticated, companies must make cybersecurity training a top priority. Educating employees on social engineering techniques, especially voice-based attacks, is critical. Simulated scenarios should be incorporated to train the ear in identifying telltale vocal oddities of AI-rendered speech.
It’s also imperative that you train your employees on how to react to receiving a text or a call. Because of previous attempts that I’ve encountered, I know screen shot any text that sounds even remotely unusual and send it to the actual person to confirm its authenticity.
IT departments need to implement safeguards limiting access from compromised accounts, such as partitioning permissions and prompt termination of sessions from unauthorized devices. Disabling wide syncing abilities for multi-factor apps is also advisable to contain the damage from stolen MFA credentials.
While technology will always harbor risks, a learned and vigilant workforce is any company’s best defense. We can take valuable lessons from Retool’s experience in bolstering human judgment against cyber tricks. With care and foresight, businesses can identify points of weakness and close the gaps where high-tech deception can take hold.
The age of deepfake subterfuge is upon us, but we are far from powerless. By pooling our intelligence and imagining vulnerabilities before they are exploited, we can keep our defenses aligned with emerging threats.
If you need assistance understanding how to leverage Generative AI in your marketing, advertising, or public relations campaigns, contact us today. In-person and virtual training workshops are available. Or, schedule a session for a comprehensive AI Transformation strategic roadmap to ensure your marketing team utilizes the right GAI tech stack for your needs.Read more: DeepFake AI Voice Beat a Tech Company’s Defenses
As AI continues infiltrating businesses, a new C-suite role is emerging – the Chief AI Officer. Here’s a look at what this role looks like.
Led by powerhouses like IBM, Meta, and AMD, the new AI Alliance has the potential to shape the responsible, ethical evolution of AI.
New study shows that the proper use of generative AI can deliver significant ROI across your entire marketing organization.