Scams targeting businesses that involve someone pretending to be the boss are nothing new. Business email compromise, often called CEO phishing scams, and fake invoice scams cost businesses billions each year in
But that simple advice may no longer be enough. Artificial intelligence makes it easier to impersonate someone's voice, leading to what authorities believe is the first successful major theft from a business using AI voice software, according to the
The managing director of a British energy company, believing his boss was on the phone, followed orders one Friday afternoon in March to wire more than
The request was "rather strange," the director noted later in an email, but the voice was so lifelike that he felt he had no choice but to comply.
These software tools take samples of a person's speech and break them down into the individual tones and rhythm, which can then be used to make that person's voice say whatever you want. And partially because the development and improvement of artificial intelligence requires gathering lots of data, companies have made these tools free and widely available for everyone, including scammers.
Combining existing methods of fraud against businesses with these new AI voice tools can create a very convincing scam. A company's controller might receive an email appearing to be from the CEO with an urgent request to make a payment to an unknown account, which might then be followed up by a call that sounds exactly like the CEO, confirming the instructions and generating more urgency.
The more prominent a company's CEO is, the more likely they are to be a target of this type of scam. This is because AI works best when it is given more high-quality data with which to start. CEOs who are frequently recorded talking in interviews or speeches will have more of this high-quality data publicly available for criminals to use. As the technology matures, this will not be as necessary, and we may reach a point where a scammer simply needs to keep someone on the line for a short phone call to record enough of their voice.
So what are businesses to do? The answer is in policies and culture. Businesses should have a robust system of checks and balances in place when it comes to the accounts and data that are the targets of scammers. Payments should not be made to new accounts until some time has passed, which allows for multiple rounds of review of the request. If it truly is an emergency, this process might be sped up but should require that even more people be involved to check for signs of suspicious activity.
When it comes to culture, organizations should accept this reality and bake it into how employees are expected to execute instructions and interact with peers, supervisors, and reports. A policy that any instruction from anyone, including the CEO, to pay a new account must be confirmed by calling that individual directly and confirming the instructions (including hanging up and calling the CEO back) falls apart if management expects orders to be followed without question or scrutiny. Compliance with company policy needs to be celebrated as integral to protecting the business's assets and reputation, rather than dismissed as just a way to cover oneself if something goes wrong.
While the march of technological change is giving scammers new tools every day, the basics remain the same. Scammers don't just exploit technology; they exploit psychology. It's the sense of urgency, fear, or excitement you feel when you are told the boss needs to wire money immediately, you're going to be arrested for missing jury duty, or you just won a lottery you didn't enter, that is at the core of most scams. By making it both an organizational value and a personal practice to stop in these situations and ask what might really be going on, we can all protect ourselves not just from the scams we know about, but also from the next ones criminals dream up.