Intermediate · Social Engineering Defence

Establish a company-wide code word for verifying unusual executive requests

AI voice cloning and deepfake audio have reached a quality at which a CEO's voice on a phone call is no longer a reliable identity signal. The first documented AI voice-clone fraud transferred €220,000 because the recipient trusted the voice. Establish a company-wide protocol for any unusual financial or sensitive request: a pre-agreed code word or phrase that is changed monthly and distributed only through internal secure channels. Any request from a senior executive that does not include the current code word, regardless of how the voice sounds or how urgent the matter seems, requires independent verification before action.

Tags: deepfake audio, voice cloning, code word, executive impersonation, verification

More in Social Engineering Defence

Beginner · Featured

Verify wire transfer requests by calling a pre-registered number — never one from the email

Business Email Compromise (BEC) caused more than $3 billion in losses in 2022 alone. Every BEC attack involving a wire transfer succeeded because the victim called back a phone number from the fraudulent email, or did not call back at all. The defence is simple and absolute: any wire transfer request arriving via email must be verified by calling the requestor at a number already in your company directory or phonebook — not a number provided in the email. FACC lost €50 million because no one picked up the phone. Ubiquiti lost $46.7 million for the same reason. A 60-second phone call to a known number prevents these attacks entirely.

See: Ubiquiti BEC Fraud (Social Engineering Defence)

Beginner

Require out-of-band identity verification before any MFA reset or privilege escalation

The MGM Resorts breach and the Caesars Entertainment breach both began the same way: a caller to the IT helpdesk provided an employee's name (found on LinkedIn) and convinced the operator to reset MFA credentials over a phone call. With MFA reset, the attacker had full account access. Any request to reset MFA, change recovery methods, or grant elevated privileges must require verification through a separate, independent channel — a video call where the employee displays their physical badge, a manager confirmation via internal ticketing, or a physical visit to the help desk. The single phone call channel is broken by design.

See: MGM Resorts (Social Engineering Defence)

Beginner

Train employees that urgency plus unusual channel is a red flag, not a reason to act faster

Virtually every social engineering attack combines two elements: urgency ("this is time-sensitive, act now") and an unusual communication channel ("my CEO emailed me on WhatsApp"). The urgency is designed to short-circuit the instinct to pause and verify. The unusual channel is used because the legitimate channel would fail verification checks. Train employees to treat these two signals as reasons to slow down and verify, not to act faster. The LastPass employee who received AI-cloned audio of their CEO's voice via WhatsApp correctly identified it as suspicious because it came through an unofficial channel with unusual urgency — and reported it rather than complying.

See: LastPass Deepfake Audio (Social Engineering Defence)
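The four checks described on this page (monthly code word, callback to a directory number, out-of-band verification for MFA resets and privilege grants, and urgency over an unofficial channel) encoded as one triage function, as an added example that is not part of the original guide. The code word, the directory entry, the channel names and the sample requests are constructed values.

```python
import hmac
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample data: this month's code word (hypothetical value) and the
# internal phone directory. In practice both come from secure internal systems.
CODE_WORDS = {"2024-05": "harbour-lantern"}
DIRECTORY = {"cfo": "+44 20 7946 0000"}
OFFICIAL_CHANNELS = {"corporate-email", "internal-ticket", "desk-phone"}

@dataclass
class Request:
    kind: str                  # "wire-transfer", "mfa-reset", "privilege" or "other"
    requester: str             # claimed identity, e.g. "cfo"
    channel: str               # channel the request arrived on
    urgent: bool
    received: date
    code_word: Optional[str] = None        # code word quoted in the request
    callback_number: Optional[str] = None  # number the message asks you to call

def code_word_valid(req: Request) -> bool:
    """True only if the request carries the code word for the month it arrived."""
    expected = CODE_WORDS.get(req.received.strftime("%Y-%m"))
    if expected is None or req.code_word is None:
        return False
    # Constant-time comparison: the check itself should not leak the word.
    return hmac.compare_digest(req.code_word.encode(), expected.encode())

def required_checks(req: Request) -> List[str]:
    """Verification steps that must finish before anyone acts on the request."""
    steps: List[str] = []
    if not code_word_valid(req):
        steps.append("verify independently: code word missing or not this month's")
    if req.kind == "wire-transfer":
        known = DIRECTORY.get(req.requester)
        if known is None:
            steps.append("hold transfer: requester has no directory number")
        else:
            steps.append(f"call directory number {known}")
            if req.callback_number and req.callback_number != known:
                steps.append("ignore number in message: it differs from directory")
    if req.kind in ("mfa-reset", "privilege"):
        steps.append("out-of-band identity check: badge on video, manager ticket, or in person")
    if req.urgent and req.channel not in OFFICIAL_CHANNELS:
        steps.append("red flag: urgency on unofficial channel; slow down and report")
    return steps
```

An empty result means the request already satisfies every rule; anything else is the list of steps the helpdesk or finance operator must complete first.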