Deepfake-Assisted Phishing

Overview

Adversaries may use deepfakes (AI-generated synthetic images, audio, or video) in phishing campaigns to impersonate trusted individuals, executives, or organizations. These attacks exploit human trust by presenting fraudulent voice or video communications as legitimate, enabling adversaries to manipulate targets into disclosing credentials, transferring funds, or granting access to systems.

Voice deepfakes (AI-cloned voices) are used in vishing Vishing - Social-Engineer Framework (voice phishing) attacks over telephone or VoIP. Adversaries can clone a target's voice using a few seconds VALL-E Family: Neural codec language models for speech synthesis of publicly available audio from speeches, earnings calls, podcasts, or social media AI-powered voice spoofing: Understanding and defending against vishing attacks. These cloned voices are then used in pre-recorded voicemail messages or live phone calls. Video deepfakes can impersonate a trusted individual's face and voice. Adversaries use publicly available video from company meetings, earnings calls, or social media to create convincing AI-generated video of target individuals. They are used in live video conference calls or recorded video messages. AI-generated content has advanced to the point that it is often difficult to identify as synthetic FBI Public Service Advisory: Scammers are deepfaking voices of senior US government officials.

Adversaries may first perform Obtain Capabilities: Generative AI followed by Generate Deepfakes in preparation for their Phishing campaign. Deepfake phishing campaigns often utilize other communication channels (such as email, SMS, or instant messaging) for layered social engineering attacks Purportedly AI-Driven Phishing Scam Uses Spoofed Google Call to Attempt Gmail Breach.

These attacks span a wide range of victims and attack types, demonstrating the breadth of deepfake-enabled fraud. Adversaries have conducted extensive deepfake-assisted phishing campaigns against the individuals, including targeted scams Voice deepfake targets bank in failed transfer scam AI-Generated Voice Used in Scam Targeting Drica Moraes' Contacts Reported Use of AI Voice and Identity Manipulation in the 'Phantom Hacker' Fraud Scheme Purportedly AI-Generated Jason Momoa Deepfake Used in Romance Scam, as well as large-scale credential harvesting campaigns targeting billions of users Purportedly AI-Driven Phishing Scam Uses Spoofed Google Call to Attempt Gmail Breach AI-Driven Phishing Scam Uses Deepfake Robocalls to Target Gmail Users. Adversaries have used deepfakes to impersonate executives AI Incident Database - LastPass CEO Voice Deepfake Attempt, causing business entities to suffer significant financial losses from Alleged Deepfake CFO Scam Reportedly Costs Multinational Engineering Firm Arup $25 Million Reported AI-Cloned Voice Used to Deceive Hong Kong Bank Manager in Purported $35 Million Fraud Scheme. There are also reports of government officials being targeted in widespread campaigns FBI Public Service Advisory: Scammers are deepfaking voices of senior US government officials Italian Defense Minister Voice Clone.

The attacks span communication channels including voice deepfakes for vishing Deepfake Voice Exploit Compromises Retool's Cloud Services and video deepfakes in conference calls Alleged Deepfake CFO Scam Reportedly Costs Multinational Engineering Firm Arup $25 Million, as well as multi-channel campaigns combining phone, email, and messaging platforms Purportedly AI-Driven Phishing Scam Uses Spoofed Google Call to Attempt Gmail Breach.