How the future of cyber crime could involve fake voice messages from loved ones

Gisec Global conference in Dubai hears of the evolving threats to cyber security as criminals adapt to advanced AI tools

Voice mail messages could be the latest hi-tech tool for cyber criminals. Photo: Xavier Lorenzo
Powered by automated translation

Imagine receiving a voice message from your spouse saying they had an emergency and needed you to send an OTP to make an urgent payment from your bank account.

Many, if not most of us, would send it without a second thought.

However, cyber security experts have said that we should not be so quick to believe everything we hear in the years to come, even if it is the voice of a loved one.

As artificial intelligence continues to evolve, so will the threats it presents to people around the world, they warned.

“There are a number of opportunities being unlocked by modern AI applications, with ChatGPT being one of them,” said Mossab Hussein, co-founder of UAE-based cyber security company SpiderSilk.

“There’s a number of risks that will also become unlocked with those opportunities.

“We are all familiar with phishing texts and emails pretending to be someone else; now we’re going to see these threats become more sophisticated and personalised.”

He was speaking on the sidelines of the Gisec Global cybersecurity conference, taking place in Dubai’s World Trade Centre on Thursday.

ChatGPT, the AI-based chatbot launched last year by San Francisco company OpenAI, which was co-founded by Elon Musk, has been praised by many for its capability — not least by Mr Musk who described it as “scary good”.

However, others have urged caution when it comes to the use of the chatbot, fearing it could open the floodgates when it came to fraud, especially with the creation of fake voice recordings or video images.

“Hackers now have the capacity to make their threats more personalised than ever before,” said Mr Hussein.

“It’s not going to look like it did before when it was 10 paragraphs in an email or text message.

“Now it will sound and look much more personal, which means more people will be likely to fall for it.”

The good news? Personalised visual deepfakes are still some way from becoming a viable threat to the public, due to the relative infancy of the technology.

Don't believe everything you hear

The bad news? The same cannot be said of fraudulent voice messages that can be personalised to deceive a particular victim.

“Research shows that it only takes five seconds of access to an original audio recording to be able to create a message in that person’s voice,” said Mr Hussein.

“It means you could get a message that appears to be from someone you are very close to with an urgent request and you might not have the time to stop and question it [depending on the nature of the message].”

So, how can people protect themselves against such a sophisticated threat?

“Cyber hygiene is something we should practice, no matter what,” he said.

“You have to be on the look out for an unusual approach and to be aware if something just doesn’t feel right.

“If nothing else, just take a minute to think twice before making any big decisions like passing on OTPs or sharing passwords.”

Cyber crime is nothing new, in the UAE or further afield.

About two in three businesses (64 per cent) in the UAE suffered a ransomware attack last year, according to a recent report from cybersecurity firm Proofpoint Inc.

The UAE watchdog, the Telecommunications and Digital Government Regulatory Authority, issued a warning earlier this year about how cyber criminals were sending messages that appeared to be from well-known courier companies.

An image that can spring to mind when you think of cyber crime is of a dingy room with teams of hackers behind keyboards trying to break into systems and find weaknesses in people’s cyber security.

It is an image immediately associated with criminal activity, but that is not always the case.

Also at the Gisec Global conference was Rodolph Harand, managing director of Yes We Hack.

He oversees a team of 50,000 ethical hackers around the world who find weaknesses in cyber security defences and report them to companies before criminals discover them. The reward the ethical hackers receive is known as a bug bounty.

“One of the biggest challenges is that if you are being targeted by one of the better hackers then you would have no clue until it’s too late,” said Mr Harand.

“A lot of vendors will tell you their products can detect every attack but that is impossible.

“They will only detect the easiest ones, not the more sophisticated.”

While that paints a bleak picture, he said there were measures firms could adopt to reduce risks.

“The most common mistake is to try to fix everything without setting priorities,” said Mr Harand. “You should prioritise what is most valuable and work to secure that first.”

Updated: March 17, 2023, 4:20 AM