An Arizona family was recently in the news warning others about how they were the target of a ransom call in which scammers used AI (artificial intelligence) to clone their daughter’s voice to convince the parents they had kidnapped their daughter, with the apparent goal of extorting money.

DeLynne Bock, the mother of Payton Bock and target of the con, said she feels she can easily spot a fake scam call, but this was on a whole other level.

According to the news story, the scammers called their home, where DeLynne’s husband answered the call. A man on the other end of the line was screaming and using foul language, saying his daughter had caused an accident, hitting his car, and couldn’t find her insurance. From there, he started making threats, saying he had her tied up in the back of his truck.

What made the call so convincing was the deep fake of her daughter’s voice on the other end of the line – pleading for help, crying. Unable to reach her daughter by phone, DeLynne called the police while her husband kept the man on the phone. “I called the police, and they’re saying, ‘This is possibly a scam situation.’ I said, ‘There is no way this is a scam. This is my daughter’s voice,’” DeLynne said. “This wasn’t just some person pretending. As a mother, you know your daughter’s voice, and this was my daughter.”

Apparently, this wasn’t the first time this happened which is how the police were able to suggest it could be a scam. This is just the latest iteration of how hackers are using AI to produce deep fakes to extort money. AI and ChatGPT have been in the news recently for a reason – AI is an extremely powerful tool that, if put in the wrong hands, can do a lot of harm.

It’s not a stretch to imagine the use of AI to fake a CEO’s voice, signature or writing style in an e-mail, text, call or instant messaging to trick an employee into sending money or doing things that would severely harm the organization, such as providing a login or access to the company’s network, data or critical applications. Or similarly use this same type of approach to scam clients or patients into giving up confidential information or payments.

A report released by security experts at Home Security Heroes showed that 51% of common passwords could be cracked in less than one minute using an AI. Both the length and complexity of the passwords factored into the speed of successfully cracking the password, but even a complex password with seven characters using both uppercase and lowercase letters, numbers and symbols took just minutes to crack.

This means it’s hypercritical for all business owners to no longer rely on strong passwords and simple antivirus to protect their organization.

Today, all businesses should have some type of security awareness training for their employees. For example, simply sharing this article and others we publish like them with them can go a long way toward making sure they’re always on high alert for scams; but sharing the occasional article is not enough. You should have some type of ongoing reminders and formal training so that it’s always top of mind. Employees AREN’T “too smart” to fall for these scams. If someone can trick a mother into believing her daughter has been kidnapped by duping her daughter’s voice, they can trick an employee into clicking on a link, giving them access or transferring funds – and it’s happening right now to a lot of businesses.

Second, you need to work with your IT company to ensure they have implemented robust cyber security tools and protections, as well as disaster recovery protocols so if you are ransomed, you can be sure to recover your data. This is not an area to be cheap about. Most people stubbornly believe it won’t happen to them, or that it will be a minor inconvenience, not the costly, business-crippling and devastating disaster that a cyber or ransomware attack can have. An ounce of prevention goes a long, long way toward minimizing your risk.

I would also recommend incorporating a cybersecurity framework into your organization's IT operational environment. The CIS Controls cybersecurity framework is great for businesses for several reasons, especially in light of the increasing use of AI for malicious purposes as described in the text.

1. Proactive Security Measures: The CIS Controls provide a comprehensive set of best practices and specific security measures that organizations can implement to protect their systems and data. By following these controls, businesses can establish a proactive security posture that helps prevent and mitigate potential threats, including those leveraging AI.

2. Risk Mitigation: The text highlights how hackers can use AI to create convincing deep fakes to trick employees, clients, or patients into disclosing sensitive information or making fraudulent payments. The CIS Controls emphasize the importance of user awareness training and ongoing reminders to help employees recognize and respond to such scams effectively. By incorporating these controls, businesses can mitigate the risk of falling victim to AI-based social engineering attacks.

3. Robust Cybersecurity Tools: The text also mentions the need for businesses to work with their IT company to implement robust cybersecurity tools and protections. The CIS Controls provide guidance on selecting and deploying effective security solutions that align with the organization's needs and risks. These controls can help businesses ensure that they have appropriate security measures in place to detect, prevent, and respond to cyber threats effectively.

4. Data Recovery and Disaster Preparedness: The text highlights the importance of disaster recovery protocols in case of a ransomware attack or data loss. The CIS Controls cover data backup and recovery strategies, as well as incident response planning, to help businesses prepare for and recover from cyber incidents. By implementing these controls, organizations can minimize the impact of attacks and ensure timely recovery of critical systems and data.

5. Holistic Approach: The CIS Controls provide a comprehensive framework that addresses multiple aspects of cybersecurity, including asset management, vulnerability management, access control, network security, and more. This holistic approach ensures that businesses consider all relevant areas of security and implement appropriate measures accordingly. It helps organizations build a strong defense against AI-based attacks and other evolving cyber threats.

Overall, the CIS Controls framework offers practical guidance and actionable steps that businesses can take to enhance their cybersecurity posture and protect against the growing risks associated with AI-based attacks. By adopting these controls, organizations can strengthen their defenses, minimize vulnerabilities, and safeguard their critical assets, data, and reputation.

If you want to make sure your Microsoft 365 Cloud services are configured properly to protect you, click here to request a Microsoft 365 Secure Score review. This review is not time-consuming, invasive or difficult to do, but will give you the unvarnished truth about your current security and whether or not you will be properly and brilliantly prepared for a cyber-attack.