From the wonderfully complex that defines most of infosec, we swiftly move to the wonderfully simple. What you say matters. Every word, in some cases, because a verbal password is emerging as a powerful measure against one of the most sophisticated attacks happening today: AI-generated deepfakes combined with spearphishing.
Let’s find out why, all the while reflecting on a new paradox emerging in the cybersecurity world.
Now, as a CFO, you have (or should have) infosec right up there alongside Excel as a priority. Yes, yes, we know you have fancier calculators than that, but we also know you can’t look past a spreadsheet. As the individual entrusted with safeguarding your organisation’s financial integrity, you’re one of the biggest phish in the company pond, essentially featuring a huge target on your back. It’s the old story of attackers concentrating their efforts where they might get the biggest payoff.
Social engineers are one thing, and these days most CFOs can recognise these attempts at violating the integrity of individuals and the systems they’re responsible for. Most are quite adept at spotting and fending off spearphishing attempts: the spoofed email ‘from the CEO’ insisting on a rushed payment to a new ‘supplier’.
The thornier problem is the AI-generated deepfake. Instead of the easily identified fake email, the urgent request for a large transfer to close a deal comes from an (apparently) authentic voice on the phone, complete with plausible context. You’re in a hurry – who isn’t, these days – so you go with the instructions from the boss.
Except the voice is synthesised, generated by a hacker who’s done their homework.
Deepfakes use artificial intelligence to mimic voices and even video appearances with alarming accuracy. In 2019, a UK energy firm lost £200,000 after scammers used AI to impersonate the CEO’s voice, convincing an employee to transfer funds.
More recently, posts on X have highlighted incidents where fraudsters have targeted finance teams with deepfake calls, exploiting trust in familiar voices. These scams are sophisticated, often combining social engineering with real-time voice manipulation, making them difficult to detect without robust safeguards.
Here comes the paradox. We’ve got all kinds of fancy technology helping safeguard your technology and data assets, but heading off this tactic can be as simple as going straight back to brass tacks. The verbal password is a low-tech, high-impact solution – a literal spoken word known only to the insiders.
Unlike emailed or texted codes, which can be intercepted or hacked, a verbal password is shared and stored offline, reducing the risk of exposure. The pre-agreed word or phrase is used to confirm the authenticity of a transaction request, especially for larger sums.
If the caller—whether claiming to be the CEO, a board member, or even you—can’t provide the password, the transaction is flagged for further scrutiny.
The approach leverages simplicity and human judgment. It doesn’t require expensive software or complex training, making it accessible for businesses of all sizes. Most importantly, it adds a layer of protection against deepfake scams, which rely on bypassing digital defences to exploit trust.
Deepfakes are a wake-up call for CFOs to rethink how they verify trust in an AI-driven world. A verbal password isn’t a silver bullet, but it’s a practical, cost-effective way to protect your organisation from a growing threat.
My advice? Sit down with the finance team, agree on a password, and put this system in place. It takes less than an hour to set up but could save you millions in losses and countless hours of damage control. Better a safeword than a sorry one.