“Voice bots are so good that users can easily believe they are authentic, especially when it appears to be helping by stopping malicious activity, such as a suspicious purchase,” Joseph Carson of cybersecurity firm ThycoticCentrify, told Lifewire in an email interview. “Unfortunately, in reality, hackers are stealing your money.”
Chatty Bots
Hackers use customized bots to make automated calls asking for your temporary password, Jonathan Tian, the co-founder of Mobitrix Perfix, an iPhone solution, told Lifewire. Some bots make you think you’re talking to an actual customer service rep before asking for your code. The issue was recently highlighted in Motherboard. “The hacker may easily connect to your account and perform transactions or whatever they want once you submit the verification code,” Tian added. “The attacker then calls the owner using a bot saying their account has been compromised and to enter the code sent to their phone to validate their account ownership,” he added. “When the owner enters the code, the thief now has the missing second factor to compromise the user’s account.” Experts say that hacker voice bots are a growing problem. “There are far more voice bots on the market now than there were ten months ago—although they remain an expensive investment,” privacy expert Hannah Hart told Lifewire. Bots can imitate all sorts of services for the hackers that do pay the price, meaning there’s potential for a broad swathe of customers to be contacted and duped into handing over a 2FA code or OTP (one-time password), Hart said. Because the voice bots don’t require hackers to be exceptionally skilled at using social engineering techniques, anyone could feasibly use one, “so it’s likely that we’ll see copycat hackers who want to try their luck,” Hart added. Fraud and cyberattacks of all kinds have rapidly increased in recent years, Bob Lyle, a senior VP at cybersecurity firm SpyCloud, told Lifewire. And criminals’ use of stolen credentials has grown increasingly sophisticated. “One major challenge is a lack of understanding the threat,” he said. “Because of the proliferation of telemarketing scams and automated calls, many consumers assume their phone number has already been compromised without realizing how it could be used to access their accounts.”
Protecting Yourself
There are ways to keep voice bots from stealing your precious security codes. Never enter your 2FA code unless you initiated the request, Carson said. He also suggests that you always be suspicious of any request that asks for your 2FA code that you did not expect. “Make sure you periodically change your passwords and use a password manager to help you create unique long, strong passwords for each account,” he added. Don’t send personal information via text, and hang up on any calls that insist that you hand them over, Hart said. Instead, check out the service directly to keep tabs on your account activity and report any suspicions or concerns to the customer care team. “It’s also well worth spreading the word to friends and family about these nasty hacking attempts,” Hart added. “After all, we could all find ourselves targeted by a would-be scammer, and it’s not always easy to determine whether an automated system is legitimate or not.”