LastPass Employee Deepfake Audio Attack: The CEO's Voice Is Being Cloned
A LastPass employee received WhatsApp calls, texts and a voicemail in which an AI-cloned rendering of CEO Karim Toubba's voice pressed for urgent action. The employee recognised the contact as social engineering and reported it instead of acting on it, a rare documented success.
Background
Following LastPass's serious 2022 data breach, the company invested significantly in security awareness training. In April 2024, an employee received a series of WhatsApp calls, texts and at least one voicemail in which an AI-cloned version of CEO Karim Toubba's voice requested urgent action inconsistent with normal business processes.
The Attack
The attacker used publicly available audio of Toubba, likely from interviews, podcasts or other public appearances, to train a voice synthesis model, then contacted a LastPass employee over WhatsApp with the cloned voice making urgent requests. The employee was suspicious for three reasons: the contact came through an unofficial channel (WhatsApp rather than corporate communication tools), the request fell outside normal business processes, and the messages pressed for unusual urgency. These are the classic social engineering indicators LastPass had specifically trained employees to recognise. None of them depends on spotting artefacts in the audio itself; the voice was accepted as convincing, and the verdict came from the context of the request.
Response
The employee ignored the messages and reported the attempt to LastPass's security team instead of acting on the request. LastPass then published a blog post describing the attempt, to raise public awareness of AI voice cloning attacks against companies. The attacker was not identified.
Outcome
The case is notable as a successful defence, which is rare in social engineering case studies. The employee's training to question urgency, unofficial channels and out-of-process requests was the control that worked. LastPass's transparency in publishing the incident contributed to broader awareness.
Key Takeaways
- Train employees to question any urgent request that arrives via an unofficial channel, regardless of how authentic the voice sounds
- Establish company-wide protocols for unusual executive requests: a code word or, better, out-of-band verification over a channel the company controls (a callback to the executive's registered corporate number, for example), never a reply on the channel the request arrived on
- AI voice cloning is mature enough to fool untrained employees; assume any executive voice call could be synthetic
- Security awareness training that teaches specific red flags (urgency, unofficial channel, out-of-process request) is what stopped this attack
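The out-of-band verification protocol in the takeaways can be made concrete. The following is an added example, not LastPass's code and not from the original post: a request that arrives on an unofficial channel is not acted on until the requester reads back a single-use, expiring code that was delivered only to the executive's registered corporate channels. The channel identifiers, the `Executive` directory, the `deliver` hook and the `demo` scenario are all hypothetical and constructed for illustration; in a real deployment the code would go out through the corporate phone system or chat platform.

```python
"""Out-of-band verification for unusual executive requests (added example,
hypothetical directory and delivery hook)."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Executive:
    name: str
    official_channels: frozenset   # hypothetical ids, e.g. "corp-phone:+15550100"


@dataclass
class Challenge:
    code: str
    issued_at: float
    used: bool = False


class RequestVerifier:
    """Issue a single-use, expiring code over the executive's registered
    channels; the request is acted on only after the code is read back."""

    def __init__(self, directory, deliver, ttl_seconds=300, clock=time.time):
        self.directory = directory    # name -> Executive
        self.deliver = deliver        # callable(channel, code); hypothetical hook
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}             # request_id -> Challenge

    def open_request(self, request_id, requester, inbound_channel):
        exec_ = self.directory.get(requester)
        if exec_ is None:
            return {"status": "rejected", "reason": "unknown requester"}
        # The WhatsApp-style red flag: the inbound channel is not one the
        # directory lists for this executive. Record it, but verify regardless.
        unofficial = inbound_channel not in exec_.official_channels
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[request_id] = Challenge(code, self.clock())
        # Deliver only to registered channels, never back to the inbound one,
        # so an impersonator on WhatsApp never sees the code.
        for channel in sorted(exec_.official_channels):
            self.deliver(channel, code)
        return {"status": "challenge-issued", "unofficial_channel": unofficial}

    def confirm(self, request_id, echoed_code):
        challenge = self.pending.get(request_id)
        if challenge is None or challenge.used:
            return False
        challenge.used = True          # one attempt per request, match or not
        if self.clock() - challenge.issued_at > self.ttl:
            return False
        return hmac.compare_digest(challenge.code, echoed_code)


def demo(clock=time.time):
    """Constructed scenario: a request claiming to be the CEO arrives on WhatsApp."""
    directory = {"CEO": Executive("CEO", frozenset({"corp-phone:+15550100", "slack:U0CEO"}))}
    deliveries = []                    # (channel, code) pairs the real CEO would see
    v = RequestVerifier(directory, lambda ch, code: deliveries.append((ch, code)), clock=clock)

    result = v.open_request("req-1", "CEO", "whatsapp:+15559999")
    real_code = deliveries[0][1]
    outcome = {
        "flagged_unofficial": result["unofficial_channel"],
        "attacker_saw_code": any(ch.startswith("whatsapp") for ch, _ in deliveries),
        "attacker_guess": v.confirm("req-1", "xxxxxx"),     # wrong, and burns the challenge
        "replay_real_code": v.confirm("req-1", real_code),  # already used
    }
    # A fresh request where the genuine CEO reads the code back succeeds exactly once.
    v.open_request("req-2", "CEO", "whatsapp:+15559999")
    outcome["genuine_readback"] = v.confirm("req-2", deliveries[-1][1])
    outcome["second_readback"] = v.confirm("req-2", deliveries[-1][1])
    return outcome


if __name__ == "__main__":
    print(demo())
```

A static code word, the other option the takeaway mentions, is simpler but can be overheard once and replayed indefinitely; the challenge here is bound to one request, expires, and is burned by the first wrong guess, so capturing it does not help a later impersonation. The comparison uses `hmac.compare_digest` so the check does not leak timing information about the code.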