Digital Transactions Authoritative, insightful and timely information for payments professionals
The financial-services industry faces a threat even more sophisticated and convincing than traditional cybercrime: AI-powered deepfake voice scams. Unlike conventional account-takeover attempts that rely on stolen credentials and digital channels, these attacks use artificial intelligence to replicate customers’ voices with startling accuracy. They are able to bypass traditional authentication methods and exploit the trust often put in voice-based interactions.
Traditional account takeover typically involves bad actors working behind screens, stealing login credentials to gain access to online banking or credit card accounts. Financial institutions have developed robust digital controls to detect these attempts.
Deepfake voice scams represent a fundamental shift in this landscape. Instead of attacking digital channels, fraudsters can now impersonate customers directly through voice calls. The sophistication lies in their ability to sound exactly like the legitimate account holder, creating an immediate sense of trust and authenticity that convinces institutions and bypasses traditional security protocols.
The attack methodology is effective because of its simplicity. Fraudsters begin by targeting the actual customer through social-engineering techniques. They initiate seemingly innocent conversations with victims, engaging them in discussions that allow for voice recording without raising suspicion. This initial contact serves a dual purpose: gathering personal and account information while simultaneously capturing enough voice samples to create a convincing deepfake.
Once armed with both the victim’s personal details and recordings of his or her voice, fraudsters can deploy AI technology to replicate the customer’s voice patterns, tone, and speech characteristics. When they subsequently contact the financial institution, they present as the legitimate account holder.
This approach is particularly effective against institutions that have implemented voice-biometric authentication systems. These systems were designed to enhance the customer experience by reducing friction in the authentication process, but they become vulnerabilities when faced with sophisticated voice-replication technology.
What makes these attacks particularly worrying is their scalability. Fraudsters don’t limit themselves to individual targets. They operate at scale, potentially contacting thousands of victims simultaneously to gather voice samples and personal information. This volume approach means that even if only a fraction of attempts succeeds, the overall impact can be substantial when considered holistically.
Indeed, targeting thousands of victims reflects a calculated approach to return on investment. While high-value accounts remain priority targets, the automation capabilities allow fraudsters to cast a wide net. When successful at scale, the cumulative impact of numerous smaller accounts can be as profitable as targeting fewer high-value accounts.
These attacks can be challenging to counter. When financial institutions implement controls that make attacks more difficult, fraudsters typically abandon those targets in favor of institutions with weaker defenses.
The fight against deepfake voice scams requires a multi-layered approach. While no single solution provides complete protection, several emerging strategies show promise:
- Enhanced Voice Biometrics and Anti-Spoofing Technology. More-sophisticated voice biometric systems are being developed that go beyond simple voice-pattern matching;
- Strengthened Multi-Factor Authentication. Maintaining robust multi-factor authentication protocols becomes critical, even when voice biometrics are in use. Any requests for demographic changes – particularly phone numbers and email addresses – should trigger additional verification steps.
- Real-Time Transaction Monitoring. Advanced machine-learning models can monitor transaction patterns and behaviors in real time, even after successful authentication. If fraudsters gain account access, their spending patterns will likely differ significantly from the legitimate customer’s historical behavior. These systems can flag unusual transactions and limit potential losses.
But one of the most critical defense mechanisms remains customer education. The effectiveness of deepfake voice scams often depends on victims who willingly providing personal information and one-time passwords (OTPs) during the initial social-engineering phase. If fraudsters can convince customers to share OTPs, even the most sophisticated security systems become ineffective. Financial institutions must educate customers that legitimate banks will rarely, if ever, call to request OTPs or other sensitive personal information.
The next frontier will likely involve agentic AI systems, which can take intelligent, autonomous actions to stop attacks before they spiral out of control. The defending AI systems will need to perform real-time analysis of voice patterns, detecting subtle inconsistencies that might indicate artificial generation, and implementing dynamic authentication challenges that are difficult for current deepfake technology to overcome.
The most effective approach combines advanced technology solutions with comprehensive customer education and robust operational procedures. While the threat is significant, institutions that implement layered defenses, maintain vigilant monitoring, and educate their customers can significantly reduce their vulnerability to these emerging attack vectors.
The battle against deepfake voice fraud is just beginning. Institutions that invest in comprehensive defense strategies today will be best positioned to protect their customers and maintain trust in an increasingly complex threat landscape.
—Michael Kirby is head of managed risk and cybersecurity services at FIS Inc.
