On January 21st, just two days before the primary election, numerous New Hampshire voters received robocalls containing a recording of an AI-generated clone of President Biden’s voice. 

“This coming Tuesday is the New Hampshire Presidential Preference Primary. Republicans have been trying to push nonpartisan and Democratic voters to participate in their primary. What a bunch of malarkey. We know the value of voting Democratic when our votes count. It’s important that you save your vote for the November election. We’ll need your help in electing Democrats up and down the ticket. Voting this Tuesday only enables the Republicans in their quest to elect Donald Trump again. Your vote makes a difference in November, not this Tuesday.”

This marked the first known widespread case of voter suppression using sophisticated text-to-speech technology. The pressing question now is: How do we catch the next AI-generated, nefarious robocall in real time, before it reaches the public? Today, we are excited to announce a partnership with YouMail and the creation of the Election Communication Defense Grid (ECDG).

Understanding the Election Robocall Threat

This year, a total of 468 seats in the U.S. Congress (33 Senate seats and all 435 House seats) along with the Presidency are up for election. Politicians are employing a variety of tactics to reach their constituents, including door-to-door campaigning, social media, traditional media ads, and email campaigns. With the recent launch of Pindrop Pulse™ Inspect, we’ve made available a forensic tool for media organizations, nonprofits, and governments to analyze and detect synthetically generated audio in digital media. The platform has already been used to identify and analyze several high-profile deepfakes, including a recent parody of Kamala Harris.

However, one critical area remained unaddressed: political robocalls. As we approach the November elections, voters’ voicemails are filled with these automated messages, where recordings of candidates discuss their platforms and encourage voter turnout. The challenge was clear: How do we get our technology into the hands of organizations that can flag political voicemails in real-time to help protect consumers from AI-generated speech?

State-of-the-art detection meets carrier-grade distribution

Enter YouMail, the industry’s only call-sensor network that accurately detects robocalls in real time, enabling carriers to stop fraud, spam, and other malicious attacks from reaching consumers. YouMail’s sensor network monitors billions of real consumer calls across all major US carriers to detect threats accurately and immediately. 

We began collaborating with YouMail’s engineering teams the day after detecting the TTS engine behind the Biden robocall. After seven months of collaboration and analyzing robocalls from over a thousand political candidates in 2024 (the incumbents and their key challengers), we are proud to officially announce our partnership with YouMail and the creation of the Election Communication Defense Grid (ECDG).

Now that YouMail has Pindrop Pulse™ Inspect, our latest deepfake detection APIs, integrated into their robocall mitigation service, carriers who are using the YouMail Sensor Network can, in real time, block deepfaked political robocalls from originating or traversing their networks.

Learn more about our partnership at YouMail.com and ECDG.org.

SAN FRANCISCO–Apple has touted its Apple Pay system as a convenient, simple, and secure alternative to using physical debit or credit cards. But researchers have identified some weaknesses in the enrollment and authentication flow of the system that could have allowed attackers to add stolen cards to their own Apple Pay accounts and use them with impunity.
The Apple Pay system has been available in the United States for several months and relies on a number of discrete pieces to work. When a new user enrolls in the system, she will be prompted to automatically enroll the card that is already associated with her iTunes account. To add a new card, the user has to either enter the card number, name, and CVV, or take a photo of the card with her phone.
During this process, Apple sends the information to the card issuer, who can approve or deny the enrollment, or ask for more cardholder information. Depending on which issuer is involved, this could involve entering a code from a text, following a link in an email, or answering knowledge-based authentication questions. If that all works correctly, the card is enrolled and the user is off and running. But one of the weaknesses in the flow is that the issuers decide on their own how much of Apple’s data to take in.
“Apple is going to provide some information to the issuer when you enroll that card and it’s up to the issuer to decide how much of that information they want to pay attention to,” said David Dewey, director of research at Pindrop Labs. “How hard is it to sidestep that enrollment flow?”
Not as hard as it should be.
To test the security of the Apple Pay enrollment flow, Dewey created a test Apple ID, which is the master identity for Apple customers, and then collected credit cards from four different volunteers. He then tried to enroll each of the cards, which all have different names on them, in Apple Pay for the test ID. He ran the experiment for the first time in April and then again in September, and while each card issuer required different levels of authentication to complete the process, none of them was insurmountable, and most weren’t even challenging.
The first card issuer asked Dewey to either go into the issuer’s mobile app to verify the enrollment or answer some KBAs. With a quick Google search, he was able to find the information he needed to answer the questions and the card was enrolled.
“The only thing was that the customer service rep asked me if I knew I was adding a card that didn’t match the Apple ID. I said it was fine and then went into iTunes and changed the name on the account,” said Dewey, who is giving a talk on the research at the RSA Conference here Tuesday.
The second card issuer was a little more challenging, asking Dewey for a second-level verification. He had to answer some KBA questions, as well. The third issuer presented no obstacles at all, verifying the card right away. However, that issuer had changed its process by the second time Dewey ran the experiment. He had to call the issuer and get an authorization token, which he then had to recite over the phone before he could enroll the card.
There are a variety of ways to verify cards and users, and Dewey said that doing it inside a bank or card issuer’s app is probably the best one.
“Authentication through an app is very secure, because if they’re doing it properly they know specifically it’s your device they’re sending the authorization to,” he said. “A phone call is the weakest of these possible options.”
Most of the issues Dewey discovered in his research were fixed by the card issuers by the second time he ran the experiment. One of the issuers that asked for a CVV didn’t limit the number of times you could attempt to enter the number, so Dewey will demo a tool during his talk that will cycle through all of the possible three-digit CVV combinations.
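As an added illustration of the control that the unlimited-CVV issuer lacked (this is example code, not Pindrop’s, Apple’s or any issuer’s), the following Python mocks the issuer-side enrollment check with a per-card attempt limit beside the no-limit behaviour the article describes; the card number, CVV, class and function names are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CardRecord:
    """One card on file at the issuer (sample records are constructed in demo())."""
    cvv: str                  # three-digit security code, kept in the clear only for this mock
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class EnrollmentVerifier:
    """Issuer-side check of the CVV supplied when a card is added to a wallet.

    max_attempts=None reproduces the weak behaviour the article reports: the
    endpoint keeps answering until one of the 1,000 possible codes matches.
    A small limit locks the card for manual review instead.
    """
    cards: Dict[str, CardRecord]
    max_attempts: Optional[int] = 3
    audit: List[str] = field(default_factory=list)

    def _log(self, pan: str, event: str) -> None:
        # Log only the last four digits so the audit trail holds no full card numbers.
        self.audit.append(f"card=****{pan[-4:]} {event}")

    def verify(self, pan: str, supplied_cvv: str) -> bool:
        """Return True only for a correct CVV on a card that is not locked."""
        card = self.cards.get(pan)
        if card is None:
            # Same answer as a wrong CVV, so the endpoint does not reveal which cards exist.
            self._log(pan, "result=rejected reason=unknown")
            return False
        if card.locked:
            self._log(pan, "result=rejected reason=locked")
            return False
        # Constant-time comparison: a near miss takes as long as a complete miss.
        if hmac.compare_digest(supplied_cvv.encode(), card.cvv.encode()):
            card.failed_attempts = 0
            self._log(pan, "result=verified")
            return True
        card.failed_attempts += 1
        if self.max_attempts is not None and card.failed_attempts >= self.max_attempts:
            card.locked = True
            self._log(pan, f"result=rejected reason=locked_after={card.failed_attempts}")
        else:
            self._log(pan, f"result=rejected attempt={card.failed_attempts}")
        return False


def demo() -> Dict[str, bool]:
    """Constructed sample: the same card at a limiting issuer and a non-limiting one."""
    pan, real_cvv = "4111111111111111", "123"        # constructed test values
    hardened = EnrollmentVerifier({pan: CardRecord(cvv=real_cvv)}, max_attempts=3)
    weak = EnrollmentVerifier({pan: CardRecord(cvv=real_cvv)}, max_attempts=None)
    for guess in ("000", "001", "002", "003"):        # four wrong codes at each issuer
        hardened.verify(pan, guess)
        weak.verify(pan, guess)
    return {
        "hardened_locked": hardened.cards[pan].locked,
        "hardened_rejects_real_cvv": not hardened.verify(pan, real_cvv),
        "weak_locked": weak.cards[pan].locked,
        "weak_still_accepts_real_cvv": weak.verify(pan, real_cvv),
    }
```

The hardened issuer locks the card after the third wrong code and then refuses even the correct one until a human reviews it; the non-limiting issuer keeps answering, which is what makes exhaustive guessing practical.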

The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
The Scam
You’re a small business owner running a website through a popular hosting site. You have purchased the unique URL that fits your company, and you set up your website. You muddle your way through figuring out SEO, meta tags, and keywords to get your website found in a quick Internet search. Then, from a local number, you get a phone call from a Google specialist claiming they have a front page position for your business with unlimited clicks, 24 hours a day. Your business is struggling to gain traction on the Internet, so you immediately press one at the behest of the specialist. You set your website up with the Google specialist. Quick and easy, you pay the local specialist for the front page spot and you hang up.
What Really Happened
You realize shortly after hanging up with the Google specialist that your website is not displayed on Google’s front search page. You also realize that several withdrawals have been made from your account that you have not authorized. Soon after, you catch on to what has happened. You’ve been scammed, and the fraudsters stole your credit card information. How did this happen?

  • Robocalling – Scammers use robocalls to attack a multitude of people quickly while also being able to conceal their identity and location through Caller ID spoofing
  • Vishing – Fraudsters use the phone channel to persuade victims to divulge sensitive information, like credit card numbers, to initiate account takeovers
  • Impersonation – By falsely implying that they are associated with Google, they are gaining your trust and/or intimidating you with their importance

Google Listing Scam Examples
Another day, another “Google Listing” call – A variation of the robocalls surrounding the Google Listing scam. According to Pindrop Labs research, there are 8 variations of robocalls connected to this scam.
Avoid and report Google scams – A list of scams tied to the Google name.
Pindrop Labs presents Emerging Consumer Scams of 2016 – Pindrop Labs has researched and discovered the 5 emerging phone scams affecting consumers in 2016, including the Google Listing Scam, and will be presenting a webinar on these findings on Wednesday, February 24th from 2:00-2:30pm ET.

The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.

The Scam

It’s a chilly January day. You’ve been busy hitting the ground running on your New Year’s resolutions, getting back into the daily grind at work, or stocking your pantry for impending snowstorms. One day in the midst of all the hustle and bustle, you receive this call:
“You may already know effective January 1st of this year, federal law mandates that all Americans have health insurance. If you missed open enrollment, you can still avoid tax penalties and get covered during the special enrollment period, often at little or no cost to you.”

Oh no! Open enrollment has ended and you haven’t signed up for health insurance. You don’t want to be penalized on your taxes so you quickly press one for more information. Soon after you have selected the healthcare plan right for you, paid with your credit card, and avoided all penalties… or so you thought.

What Really Happened

Scammers used a fake robocall to gain your personal information including social security number, your bank account, and your address. With this information, these fraudsters racked up purchases on your credit card and opened new accounts. Because the insurance you thought they offered you was made up, you also are penalized for being uninsured come tax time. Attackers have successfully stolen your identity using the following tactics.

  • Robocalling – Scammers use robocalls to attack a multitude of people quickly while also being able to conceal their identity and location
  • Confusion – You’ve heard something about Obamacare and tax deadlines, but you haven’t paid much attention to the details. Fraudsters take advantage of your confusion.
  • Cross-channel Fraud – Fraudsters use many different channels to obtain sensitive information. In the case of the Healthcare Scam, fraudsters use the phone channel to collect personal information and use that information in other channels, like online or in the call center.

Healthcare Scam Examples

5 Obamacare Scams and How to Avoid Them – In addition to offering healthcare, scammers will also tell victims they can get lowered insurance rates, pretend to be government agents, or even offer nonexistent “Obamacare cards”.
Expert Warns about Healthcare Scammers – Brownsville, TX – fraudulent robocallers warn residents about $695 penalty for not enrolling in healthcare.
State Warns of Multiple Scams and Fraudulent Practices in Oregon – Phone scammers are preying upon the financial troubles of Moda Health, calling and intimidating those using Moda as their primary insurance carrier.

The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
The Scam
You’re a call center representative for a major telecommunications carrier. Days are pretty easy: you help customers troubleshoot problems and use KBAs to identify customers so you can help them. Sometime in the afternoon you get a call from one of your co-workers who is having a technical issue. No worries, this sort of thing happens all the time. After verifying that he had his employee ID number, you help your fellow call center rep get an account number, PIN, email address, and other information to fix the issue. You pack your things up, turn off your computer, and head off. Another day’s work complete.

Here’s What Really Happened

Little did you know that co-worker of yours wasn’t actually an employee; he was a high school hacker, and the information you helped him get belonged to a minor internet celebrity. From there the hacker got access to the victim’s email account and found numerous documents, including personal emails, contact lists, phone logs, and even social security numbers. So how did this happen?

  • Social Engineering – The high schooler was able to trick several call center representatives into divulging sensitive information, all by finding the victim’s phone number online and locating the provider associated with that number. He was able to pass several knowledge-based authentication questions (KBAs) just by looking on the Internet.
  • Reconnaissance – The caller knew that you would need his employee ID number to get him the information he wanted. That means he’d already done his research, making test calls or searching online, to learn what format would make his own fake ID number believable.
  • Cross-Enterprise Attacks – Wait – who got attacked here? You gave out the information, but the fraudster was actually hacking into an account at an entirely different company.

Employee Impersonation Scam Examples

The Employee Impersonation Scam can happen to anyone.
How a Teenager Hacked the CIA with Just a Few Phone Calls
High school student uses social engineering to hack CIA Director’s personal AOL account
Using Only His Phone, Man Scams 217 Macy’s Stores Into Issuing Fraudulent Refunds
In September, the FBI arrested a man for calling Macy’s department stores and impersonating the “Director of Customer Service.” With a few phone calls, he was able to get refunds for products never actually purchased.
How Scammers Are Stealing Xbox Live Accounts
Anonymous hackers explain how they impersonate Tech Support agents to take over Xbox Live accounts.

The first step in protecting against phone scams is understanding how they work. That’s why we’re starting a new series on the blog, breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
The Scam
Imagine that you’re a senior executive at a law firm or hedge fund. It’s the end of a long week at the office. Just as you’re about to hit the road, you answer one last phone call. It’s your company’s bank. They tell you that they’ve detected fraudulent activity on your account. This sounds like it’s going to be a pain to take care of.
Fortunately, this counter-fraud team seems to have everything under control. They already have most of your information. They just need to verify a few details, including your online security code, and they can cancel the suspicious transactions. You give them the information they need and head home, making a note to check in on what happened when you get back on Monday.
When you arrive back at the office the next week, you log into your firm’s online bank account to check that the fraudulent transactions were canceled. Instead, you see that more than a million dollars has gone missing…
Here’s What Really Happened
It turns out that wasn’t actually your bank calling on Friday afternoon. It was an attacker. When you “verified” your online security details, you were actually giving the attackers everything they needed to take over your company’s account. After you left the office, they logged in and transferred the money out of your account. They know that Friday afternoon is when conveyancing transactions are completed, so by the time everyone returns to the office on Monday, that money is long gone.
It’s called the Friday Afternoon Scam, but it actually combines several popular scam techniques:

  • Spear Phishing / Spear Vishing – Unlike many phone scams, which cast a broad, random net, spear phishing or spear vishing attacks are extremely targeted. The attacker will often do extensive research on a single executive in an attempt to steal intellectual property, financial data, or other trade secrets. Here, the attackers are specifically targeting CFOs and other high level financial executives.
  • Social Engineering – Think of social engineering as old-fashioned trickery. Attackers use psychological manipulation to con people into divulging sensitive information. In this scam, the attackers call on a Friday afternoon, knowing that the executive will be distracted.
  • Bank Impersonation – By pretending to be calling from the company’s bank, the fraudsters were able to gain the executive’s trust fairly easily. Attackers can impersonate a bank by doing reconnaissance work to learn which bank the company uses and spoofing that bank’s Caller-ID. Often attackers will transfer the call to a ‘manager’ in order to make it seem more legitimate.

Friday Afternoon Scam Examples
A London Hedge Fund Lost $1.2 Million in a Friday Afternoon Phone Scam – Last week, Bloomberg reported on this scam, which targeted Fortelus Capital Management LLP’s CFO, Thomas Meston. As a result, Meston was terminated and is now being sued by the fund. The firm claims he breached his duty to protect the firm’s assets.
SRA Warns of ‘Friday Afternoon Fraud’ Risk – Earlier this year, The UK’s Solicitors Regulation Authority reported that it had been receiving four reports a month of law firms being tricked by Friday Afternoon Scams. Law firms reported an average $500,000 loss per scam.

The first step in protecting against phone scams is understanding how they work. That’s why we’re starting a new series on the blog, breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
For more information on how phone fraud affects retailers, register for our upcoming webinar, “The State of Retail Phone Fraud.”
The Scam
You work in a call center as a customer service representative for a retailer with lots of big customers – maybe colleges and universities, hospitals, or construction companies. These customers typically make large, bulk orders, and they can come from many individuals or departments within the companies.
It seems like business as usual when one of your biggest customers calls to get a quote for a bulk shipment of toner and electronics. Once you deliver the quote, you get the purchase order, requesting Net-30 payment terms. Everything looks normal, so you process and ship the order.
Here’s What Really Happened
That order was really placed by a scammer, who probably found your real customer’s details online. To receive the products, the scammer may have changed the customer’s usual shipping address. Alternately, he may have called the customer directly, claiming that the order had been incorrectly shipped to them and offering to send a courier to pick it up. Because of the Net-30 terms, there is a full 30-day window for the scammers to get away with their crime – plenty of time to pick up the shipment and resell the goods on the black market.
A few of the techniques these attackers use for purchase order scams are:

  • Cross-channel fraud – Attackers combine email and phone communications to better impersonate real customers. Attackers often set up fake email accounts that look like they are coming from a real customer, then follow up with a phone call to complete the order.
  • Courier fraud – It’s hard to say no when there’s a legitimate-looking courier at your door. Attackers often send couriers to physically pick up fraudulently purchased goods.
  • Reconnaissance – Many large organizations like universities or hospitals have easy-to-access corporate information posted publicly on the company’s domain. This is all the information attackers need to generate a very real-looking purchase order.

Retail Purchase Order Scam Examples
Purchase Order Scam Leaves a Trail of Victims – Last fall, the FBI issued an official warning about purchase order scams. Investigators found approximately 400 actual or attempted incidents that targeted some 250 vendors, and claim nearly $5 million has been lost so far.
Purchase Order Scam Targeting University Suppliers – CSO magazine reported a rash of scams targeting universities, going back as far as May 2013. The article includes links to official warnings from Ohio State University, Penn State University, Texas A&M and more.
Purchase Order Scams Now Targeting Construction Suppliers – Earlier this year, KGC Inc, an industrial and commercial construction company, reported falling victim to the purchase order scam. Scammers impersonating the company attempted to place orders for $25,310 worth of equipment.
