惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fox-IT International blog
Security Latest
Security Latest
S
Security @ Cisco Blogs
L
LINUX DO - 热门话题
T
Threatpost
W
WeLiveSecurity
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
腾讯CDC
雷峰网
雷峰网
Cyberwarzone
Cyberwarzone
V
V2EX - 技术
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
P
Proofpoint News Feed
T
Tailwind CSS Blog
Cisco Talos Blog
Cisco Talos Blog
人人都是产品经理
人人都是产品经理
罗磊的独立博客
P
Privacy International News Feed
The Register - Security
The Register - Security
T
Threat Research - Cisco Blogs
IT之家
IT之家
T
True Tiger Recordings
SecWiki News
SecWiki News
V
Vulnerabilities – Threatpost
博客园_首页
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 司徒正美
月光博客
月光博客
P
Privacy & Cybersecurity Law Blog
N
News | PayPal Newsroom
Google DeepMind News
Google DeepMind News
The Cloudflare Blog
美团技术团队
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - Franky
V
Visual Studio Blog
E
Exploit-DB.com RSS Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
F
Future of Privacy Forum
J
Java Code Geeks
Microsoft Azure Blog
Microsoft Azure Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
AWS News Blog
AWS News Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Scott Helme
Scott Helme
D
Darknet – Hacking Tools, Hacker News & Cyber Security
I
InfoQ
U
Unit 42

WeLiveSecurity

Foul play: Scams target soccer fans with fake World Cup tickets, merchandise Webworm: New burrowing techniques The quest for greater tech independence Why geopolitical turmoil is a gift for scammers, and how to stay safe FrostyNeighbor: Fresh mischief and digital shenanigans Eyes wide open: How to mitigate the security and privacy risks of smart glasses Fake call logs, real payments: How CallPhantom tricks Android users Fixing trivial passwords is as easy as 123456 A rigged game: ScarCruft compromises gaming platform in a supply-chain attack This month in security with Tony Anscombe – April 2026 edition The calm before the ransom: What you see is not all there is GopherWhisper: A burrow full of malware New NGate variant hides in a trojanized NFC payment app Ransomware’s back office: What the ransom note won’t say Why that next data breach alert could be a trap Supply chain dependencies: Have you checked your blind spot? Recovery scammers hit you when you’re down: Here’s how to avoid a ‘second strike’ As breakout time accelerates, prevention-first cybersecurity takes center stage Digital assets after death: Managing risks to your loved one’s digital estate This month in security with Tony Anscombe – March 2026 edition RSAC 2026 wrap-up – Week in security with Tony Anscombe A cunning predator: How Silver Fox preys on Japanese firms this tax season Virtual machines, virtually everywhere – but not all protected Cloud workload security: Mind the gaps Move fast and save things: A quick guide to recovering a hacked account EDR killers explained: Beyond the drivers Face value: What it takes to fool facial recognition Cyber fallout from the Iran war: What to have on your radar Sednit reloaded: Back in the trenches What cybersecurity actually does for your business How SMBs use threat research and MDR to build a defensive edge Protecting education: How MDR can tip the balance in favor of schools This month in security with Tony Anscombe – February 2026 edition Mobile app permissions (still) matter more than you may think PromptSpy ushers in the era of Android threats using GenAI Is Poshmark safe? How to buy and sell without getting scammed Is it OK to let your children post selfies online? Naming and shaming: How ransomware groups tighten the screws on victims Taxing times: Top IRS scams to look out for in 2026 OfferUp scammers are out in force: Here’s what you should know A slippery slope: Beware of Winter Olympics scams and other cyberthreats This month in security with Tony Anscombe – January 2026 edition DynoWiper update: Technical analysis and attribution Love? Actually: Fake dating app used as lure in targeted spyware campaign in Pakistan Drowning in spam or scam emails lately? Here’s why ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 Children and chatbots: What parents should know Common Apple Pay scams, and how to stay safe Old habits die hard: 2025’s most common passwords were as predictable as ever Why LinkedIn is a hunting ground for threat actors – and how to protect yourself Is it time for internet services to adopt identity verification? Your information is on the dark web. What happens next? Credential stuffing: What it is and how to protect yourself This month in security with Tony Anscombe – December 2025 edition A brush with online fraud: What are brushing scams and how do I stay safe? Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan ESET Threat Report H2 2025 Black Hat Europe 2025: Was that device designed to be on the internet at all? Black Hat Europe 2025: Reputation is currency – even in the ransomware economy Locks, SOCs and a cat in a box: What Schrödinger can teach us about cybersecurity Seeking symmetry during ATT&CK® season: How to harness today’s diverse analyst and tester landscape to paint a security masterpiece The biggest catch: How whaling attacks target top executives Phishing, privileges and passwords: Why identity is critical to improving cybersecurity posture MuddyWater: Snakes by the riverbank Oversharing is not caring: What’s at stake if your employees post too much online This month in security with Tony Anscombe – November 2025 edition What parents should know to protect their children from doxxing Influencers in the crosshairs: How cybercriminals are targeting content creators MDR is the answer – now, what’s the question? The OSINT playbook: Find your weak spots before attackers do PlushDaemon compromises network devices for adversary-in-the-middle attacks What if your romantic AI chatbot can’t keep a secret? Can password managers get hacked? Here’s what to know Why shadow AI could be your biggest security blind spot In memoriam: David Harley The who, where, and how of APT attacks in Q2 2025–Q3 2025 ESET APT Activity Report Q2 2025–Q3 2025 Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming How social engineering really works | Unlocked 403 cybersecurity podcast (S2E6) Ground zero: 5 things to do after discovering a cyberattack This month in security with Tony Anscombe – October 2025 edition Fraud prevention: How to help older family members avoid scams Cybersecurity Awareness Month 2025: When seeing isn't believing Recruitment red flags: Can you spot a spy posing as a job seeker? How MDR can give MSPs the edge in a competitive market Cybersecurity Awareness Month 2025: Cyber risk thrives in the shadows Gotta fly: Lazarus targets the UAV sector SnakeStealer: How it preys on personal data – and how to stay safe Cybersecurity Awareness Month 2025: Building resilience against ransomware Minecraft mods: When ‘hacking’ your game becomes a security risk IT service desks: The security blind spot that may put your business at risk Cybersecurity Awareness Month 2025: Why software patching matters more than ever AI-aided malvertising: How chatbots can help spread scams How Uber seems to know where you are – even with restricted location permissions Cybersecurity Awareness Month 2025: Passwords alone are not enough The case for cybersecurity: Why successful businesses are built on protection Beware of threats lurking in booby-trapped PDF files Manufacturing under fire: Strengthening cyber-defenses amid surging threats New spyware campaigns target privacy-conscious Android users in the UAE
Faking it on the phone: How to tell if a voice call is AI or not
2026-02-23 · via WeLiveSecurity

Scams

Can you believe your ears? Increasingly, the answer is no. Here’s what’s at stake for your business, and how to beat the deepfakers.

23 Feb 2026  •  , 4 min. read

Faking it on the phone: How to tell if a voice call is AI or not

There was a time when we could believe everything we saw and heard. Unfortunately, those days are probably long gone. Generative AI (GenAI) has democratized the creation of deepfake audio and video, to the point where generating a fabricated clip is as easy as pushing a button or two. This is bad news for everyone, including businesses.

Deepfakes are helping scammers bypass Know Your Customer and account authentication checks. They can even enable malicious state actors to masquerade as job candidates. But arguably the biggest threat they pose is financial/wire transfer fraud and the hijacking of executive accounts.

Organizations underestimate the deepfake threat at their peril. The British government claims that as many as eight million synthetic clips were shared last year, up from just 500,000 in 2023. The real figure may be far higher.

How attacks work

As an experiment by ESET Global Security Advisor Jake Moore has also shown, it’s never been easier to launch a deepfake audio attack on your business. All it requires is a short clip of the victim to be impersonated. GenAI will do the rest. Here’s how an attack might proceed:

  1. An attacker selects the person they’re going to impersonate. It might be a CEO, a CFO or even a supplier.
  2. They find an audio sample online – which is quite easy for high-profile executives who regularly speak in public. It might come from a social media account, an earnings call, a video/TV interview or any number of other sources. A few seconds of footage should be enough.
  3. They select the person to call. This might require some desk research – usually scouring LinkedIn for IT helpdesk staff, or finance team members.
  4. They might call the individual direct, or send an email in advance – for example, a CEO requesting an urgent money transfer, a password/multi-factor authentication (MFA) reset request, or a supplier demanding payment for an overdue invoice.
  5. They call the pre-selected target, using GenAI-generated deepfake audio to impersonate the CEO/supplier. Depending on the tool, they may stick to pre-scripted speech, or use a more sophisticated “speech-to-speech” method where the attacker’s voice is translated in near real time to that of their victim.

Hearing is believing

This type of attack is getting cheaper, easier and more convincing. Some tools are even able to insert background noise, pauses and stammers to make the impersonated voice sound more believable. They’re getting much better at mimicking the rhythms, inflection and verbal ticks unique to every speaker. And when an attack is launched over the phone, AI-related glitches may be harder for the listener to pick up.

Attackers may also use social engineering tactics, such as creating pressure on the listener to respond urgently to their request, in order to achieve their goals. Another classic is to urge the listener to keep the request confidential. Add to that the fact that they’re often impersonating a senior executive, and it’s easy to see why some victims are duped. Who would want to get into the CEO’s bad books?

That said, there are ways for you to spot a faker. Depending on how sophisticated the GenAI they’re using is, it may be possible to discern:

  • An unnatural rhythm to the speech of the speaker
  • An unnaturally flat emotional tone to the voice of the speaker
  • Unnatural breathing or even breath-free sentences
  • An unusually robotic sound (when they use less advanced tooling)
  • Background noise which is either strangely absent or too uniform

Time to fight back

The reason threat actors are putting more of their time into scams like these is simple: the potential rewards on offer. Cautionary tales are steadily accumulating. One of the biggest blunders came way back in 2020, when an employee at a firm in the UAE was tricked into believing that their director had phoned to request a $35m fund transfer for an M&A deal.

Given that deepfake technology has improved significantly in the six years since, it’s worth revisiting some key steps you can take to minimize the chances of a worst-case scenario.

It should start with employee training and awareness. These programs should be updated to include deepfake audio simulations to ensure staff known what to expect, what’s at stake and how to act. They should be taught to spot the tell-tale signs of social engineering and typical deepfake scenarios such as the ones described above. Red teaming exercises should be run to test how well employees are absorbing this information.

Next comes process. Consider the following:

  • Out-of-band verification of any phone-based requests – i.e., using corporate messaging accounts to check with the sender independently
  • Two individuals to sign off any large financial transfers or changes to supplier bank details
  • Pre-agreed passphrases or questions which executives must answer to prove they are who they say they are over the phone

Technology can also help. Detection tools exist to check various parameters for the presence of a synthetic voice. Harder to implement but another course of action would be to limit the opportunities for threat actors to get hold of audio, by limiting executives’ public appearances.

People, process and technology

However, the bottom line is that deepfakes are simple and cost little to produce. Given the potentially huge sums up for grabs for the fraudsters, it’s unlikely that we’ll see the end of voice cloning scams any time soon. A three-pronged approach based around people, process and technology is therefore the best option your organization has to mitigate the risk.

Once a plan has been approved, remember to regularly review it so that it stays fit for purpose, even as AI innovation advances. The new cyber-fraud landscape demands constant attention.

Let us keep you
up to date

Sign up for our newsletters

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。