[00:00:00] Speaker A: Welcome to Behind the Scams. I'm Nick, here with Sue, and today we are launching a brand new short-form series called Scam Watch. Our fast-paced, under-8-minute alert on the most dangerous threats hitting the public right now.
Sue, I need to start this first brief with a scenario that is keeping corporate treasurers awake staring at the ceiling at three in the morning.
Imagine you are a meticulous financial controller. You get an email from a long-term vendor saying they've changed their bank account for a recurring $90,000 payment. You do exactly what corporate policy says. You pick up the phone, dial the number on file and talk to the vendor's CFO.
You recognize his voice. He jokes about his recent golf trip to Scotland, confirms the routing number and you hit send.
Except that CFO was actually on a flight over the Atlantic, and the voice you just verified on the phone was a real-time generative AI deepfake clone.
[00:01:01] Speaker B: Before I get into our topic for this Scam Watch, I just wanted to say what a great idea these Scam Watches are, because we love producing long-form podcast episodes. But those episodes take time to produce in between our regular episodes. Scammers don't just sit around waiting for us to produce our next episode. They are still hard at work trying to steal your money.
So our new Scam Watch fills that space in between episodes with trending and unique scam alerts.
These alerts don't take as long to produce, but they provide crucial scam information and tactics that everybody should be aware of.
So Nick, back to today's Scam Watch topic.
This scam about deepfake clones is absolutely terrifying because in your overview, that controller did everything right.
They didn't just click a sketchy link. They stopped, they challenged, they picked up the phone.
Can you imagine the sheer gut-wrenching horror of realizing that the voice you trusted, the actual human tone and cadence you've known for years, was just an algorithm speaking, spitting out synthetic audio?
It's not just a financial loss.
It is a profound violation of reality.
[00:02:32] Speaker A: It is, and this is what the industry is calling false pretenses ACH fraud. It's the fastest growing sector of corporate financial crime.
We aren't talking about Eastern European hackers brute-forcing their way into firewalls anymore.
Why waste weeks trying to crack a bank's defense when you can just manipulate the human being holding the keys?
They are combining social engineering with high-end tech to turn our own safety protocols against us.
[00:03:01] Speaker B: And the emotional aftermath of that is devastating.
When we talk to victims of these corporate scams, the shame is paralyzing.
They say, "I authorized it. I looked at the screen, I held the phone and I pushed the button."
The scammers didn't steal the money from the vault. They convinced the victim to carry it out the front door and hand it over.
It creates this toxic cloud of self-doubt that can ruin a career even when they followed the written handbook to the letter.
[00:03:40] Speaker A: And this isn't random, Sue. This is highly engineered.
For example, did you know that the average target amount for these unauthorized ACH transfers has suddenly dropped to right around $88,000?
[00:03:54] Speaker B: 88,000?
Why that specific number?
It seems almost random when these companies are dealing with millions.
[00:04:03] Speaker A: Because 90,000 is the typical internal threshold where most mid-market corporate banks trigger a manual review.
If you send 88,000, it slips right through the automated ACH pipe without a single human eye looking at it.
They are micro-targeting the gaps in our compliance thresholds.
[00:04:23] Speaker B: So they're literally reading the corporate policy manuals, or at least reverse-engineering them based on trial and error.
But how are they timing these phone calls so perfectly?
To pull off a deepfake callback, they have to know when the target is going to call.
[00:04:41] Speaker A: That's the insider loophole. They aren't guessing in these cases. The scammers already have compromised credentials. They've been sitting silently inside the company's email systems for months, reading the message threads. They see the invoice get sent, they see the controller email back saying, "Hey, I need to call to verify this." And then they intercept the process.
The Hiya State of the Call report actually found that one in four Americans are now targeted by these deepfake voice calls. One in four.
[00:05:13] Speaker B: One in four.
That means we've reached a point where the phone network itself is compromised.
The traditional second factor of security.
The idea that I will call you on a separate channel to verify is completely dead.
If they're in your email, they can spoof the incoming caller ID, intercept the redirect, or simply wait for your outbound call and hijack it using a virtual SIP trunk.
Legacy multi-factor authentication is completely failing because it still relies on us trusting a basic phone connection.
[00:05:55] Speaker A: Exactly. But here's the silver lining. The regulators are finally waking up. There is a massive Nacha Phase 2 deadline coming up on June 22.
This regulation is going to force corporate originators to implement much more robust identity verification before they initiate or change any ACH transactions.
The era of the simple call to verify is legally coming to an end.
[00:06:22] Speaker B: June 22nd.
That is right around the corner.
So if a static phone call is no longer safe. What actually works?
How do we verify identity when we can't trust our own ears?
[00:06:38] Speaker A: We have to move to dynamic identity verification.
No more static phone numbers. We're talking about out-of-band, cryptographically secured approvals.
If you want to change a bank account, it has to be verified through a digital signature that requires a hardware token login or a pre-established safe word that changes daily. Or even a face-to-face video call where you ask the person to perform a specific unscripted physical action to break the AI's rendering frame.
[00:07:08] Speaker B: It's about re-anchoring trust.
We used to believe that seeing was believing and then hearing was believing.
Now we have to build a system where only mathematical proof and verified multi-layered pathways can establish truth.
[00:07:27] Speaker A: Well said, Sue. It's a brand new world out there and the bad guys are using the latest tech.
We have to do the same.
Stay safe, stay smart and stay skeptical.
See you next time.
[00:07:41] Speaker B: Take care everyone.
Before we officially sign off, thanks for tuning in to our first episode of Scam Watch. If you have a scam you would like for us to cover here on Scam Watch, please send it to [email protected]. Bye for now.