AI-Powered Vishing Threats to MFA

William Elchert and Antonio Rivera

24 Feb 2025 — 6 min read

Breakdown

In recent years, there has been a significant increase in voice phishing, or "vishing," attacks, largely due to advancements in artificial intelligence (AI). AI-powered voice cloning technology enables scammers to create highly convincing audio deepfakes, mimicking the voices of trusted individuals such as family members, friends, or company executives.¹ This development has made it increasingly difficult for individuals and organizations to distinguish between legitimate and fraudulent communications. A notable example occurred in 2019 when cybercriminals used AI to impersonate the voice of a company's CEO, successfully instructing a subordinate to transfer €220,000 to a fraudulent account. More recently, there have been reports of scammers using AI-generated voices to simulate distress calls from family members, coercing victims into making urgent financial transfers. According to a 2023 global McAfee survey, one in four adults has been impacted by AI voice scams, highlighting the widespread nature of this threat.²

The travel and hospitality industries have also been targeted. In 2024, hotels and travel firms reported a surge in AI-driven phone scams, where attackers used voice cloning to impersonate customers or company executives, extracting sensitive information and causing financial losses. The Retail and Hospitality Information Sharing and Analysis Center noted a 300% increase in social engineering attacks in the first half of 2024 compared to the previous year.³ The sophistication of these scams is further enhanced by the availability of personal information on social media platforms. Scammers can gather audio samples and contextual details to create more believable scenarios, increasing the likelihood of success. The Federal Bureau of Investigation has warned about the alarming rise in such sophisticated phishing scams, emphasizing the need for heightened vigilance.

To mitigate the risks associated with AI-driven voice phishing, experts recommend implementing verification protocols, such as establishing secret passphrases within families or organizations. This simple yet effective measure can help individuals confirm the identity of callers, especially in high-pressure situations. Additionally, being cautious of unsolicited calls, especially those urging immediate action or requesting sensitive information, is crucial. Verifying the caller's identity through alternative means, such as contacting the person directly using known contact information, can prevent falling victim to these scams. As AI technology continues to evolve, the potential for more advanced and convincing voice phishing attacks increases. Staying informed about these developments and adopting proactive security measures are essential steps in protecting oneself and one's organization from this emerging threat.

Targeted Industries and Countries

Financial Sector: The financial industry is a prime target due to the sensitive nature of the data it handles. Vishing attacks in this sector often focus on exploiting banking systems and targeting employees responsible for financial transfers.
Professional Services: Organizations in legal, consulting, and auditing fields face vishing attacks as they manage highly confidential client information. Employees are often tricked into divulging sensitive data or approving unauthorized transactions.
Manufacturing and Construction: These industries are frequently targeted due to their reliance on frequent communications for procurement and supply chain operations. Vishing tactics here are used to impersonate vendors or internal management to request unauthorized payments.
Countries at High Risk: Economically prominent nations such as the United States, United Kingdom, Canada, India, and Germany are frequently targeted due to the potential for higher financial returns.

Risk and Impact

Financial Losses: Vishing attacks have resulted in substantial monetary theft. For example, an AI-driven vishing attack in 2019 led to the loss of €220,000 from a UK-based energy company.
Data Breaches: Successful vishing campaigns can expose sensitive corporate data, intellectual property, and client information, leading to both immediate and long-term repercussions.
Reputational Harm: Falling victim to these scams damages organizational credibility and client trust, impacting future business opportunities.
Operational Disruption: Vishing often leads to compromised systems, forcing companies to redirect resources toward recovery and damage control, thereby impacting business continuity.

Trends

AI-Driven Customization: Attackers increasingly use AI tools to mimic the voices of high-ranking executives, making their social engineering attempts more convincing and more challenging to detect.
Deepfake Audio: The use of deepfake audio in vishing scams has seen a sharp rise, particularly in impersonating family members or colleagues to exploit emotional and urgent situations.
Sophisticated Social Engineering: Attackers leverage publicly available data from social media and company websites to enhance the credibility of their impersonations and make the scams more targeted and effective.

Threat Actors

Anonymous Fraud Collectives: Individual cybercriminals and small groups often use AI-enhanced vishing scams to impersonate support staff or executives, exploiting weak authentication processes.
- Emergence Date: Varies; often short-lived groups of individual cybercriminals.
- Attribution: Global; no specific nation-state ties.
- Associated Malware: Tools include commodity malware like Agent Tesla, NanoCore, and Remcos RAT.
- Targets: Individuals and small to medium-sized businesses.
- Common Tactics: Use of AI tools to clone voices and create convincing phone calls.
- Recent Activities: Widely used AI-driven voice cloning for impersonating family members, resulting in financial fraud.
Carbanak: A cybercrime syndicate specializing in banking malware has used vishing to gain insider access and facilitate financial theft from financial institutions globally.
- Emergence Date: 2013
- Attribution: Eastern Europe, often overlapping with FIN7 operations.
- Associated Malware: Carbanak backdoor, Anunak, and Derialock ransomware.
- Targets: Financial institutions, including banks, payment processors, and ATM networks.
- Common Tactics: Spear-phishing and vishing to access internal banking systems. Deployment of malware to gain unauthorized access and control over ATMs and financial systems.
- Recent Activities: Shifted focus to targeting cryptocurrency exchanges through AI-enhanced vishing campaigns in 2024.
Cobalt Group: This group has targeted financial institutions using social engineering methods, including vishing, to gain access to internal networks and deploy malware for ATM fraud.
- Emergence Date: 2016
- Attribution: Eastern Europe, likely Russia.
- Associated Malware: Cobalt Strike framework, CobInt malware, and TinyPos.
- Targets: Primarily banks and financial institutions in Europe, Asia, and South America.
- Common Tactics: Extensive use of social engineering, including vishing, to compromise banking employees.
- Recent Activities: Targeted European banks using a combination of phishing and AI-powered vishing in 2024.
FIN7: This financially motivated group has employed vishing techniques alongside email phishing to exploit vulnerabilities in payment systems and steal financial data.
- Emergence Date: 2013
- Attribution: Eastern Europe, suspected connections to Russia.
- Associated Malware: Carbanak, Cobalt Strike, Meterpreter, and Griffin malware.
- Targets: Retail, hospitality, and financial services sectors, with a focus on point-of-sale systems and payment card data.
- Common Tactics: Combined phishing and vishing to impersonate IT support and gain insider access.
- Recent Activities: Leveraged AI voice cloning to target customer support desks, prompting employees to reveal sensitive data.
Lazarus Group: Known for its involvement in financial fraud, this North Korean cybercrime group has used social engineering tactics, including vishing, to manipulate employees into providing access to corporate systems.
- Emergence Date: 2007
- Attribution: North Korea; tied to the Reconnaissance General Bureau (RGB), the country's primary intelligence agency.
- Associated Malware: WannaCry ransomware, MATA malware framework, AppleJeus, and FASTCash tools.
- Targets: Financial institutions, cryptocurrency exchanges, government entities, media organizations, and defense contractors.
- Common Tactics: Use of phishing and vishing to target financial employees and executives. Deployment of malware to exfiltrate data and enable financial fraud.
- Recent Activities: Targeted defense and aerospace firms with spear-phishing campaigns, often using AI to enhance social engineering.

Recommendations

Enhance User Training: Regularly educate users on the evolving tactics of vishing attacks, emphasizing the importance of verifying unsolicited requests, especially those involving sensitive information or financial transactions.
Implement Robust Verification Protocols: Establish procedures that require multiple forms of verification before processing sensitive requests, such as financial transfers or disclosure of confidential information.
Monitor for Anomalous Activities: Deploy systems to detect unusual behavior patterns, such as multiple MFA requests or atypical transaction requests, to identify potential vishing attempts.
Limit Information Sharing: Encourage individuals and organizations to minimize the amount of personal information shared publicly, reducing the data available for attackers to exploit in crafting convincing vishing attacks.

💡

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.