As an elderly resident of Kozhikode loses money to an AI-enabled con, experts say their worst fears are finally coming true in the Indian cybercrime landscape
Illustration/Uday Mohite
Since July 9, PS Radhakrishnan has stopped taking calls from unknown numbers. The 72-year-old Kozhikode resident, who retired from Coal India Limited (CIL) 12 years ago, has spent every day since thinking and rethinking what he could have done better.
“It wasn’t just the voice or the face,” Radhakrishnan tells mid-day over a call. “It was how the face moved, how the eyes crinkled and how the lips were in perfect sync with the voice I was hearing.”
Early on the morning of July 9, the septuagenarian received a message from an unknown number. The person at the other end claimed to be a fellow ex-employee of CIL, and asked about the well-being of several supposedly common friends. He then made a WhatsApp voice call and told Radhakrishnan that his sister-in-law had been admitted to a hospital in Mumbai, and that he urgently needed to raise funds for her treatment. He gave Radhakrishnan another unknown number, requesting him to transfer Rs 40,000 via UPI.
“I had heard of impersonation scams and even though I was talking to him, I still wanted to be extra careful,” Radhakrishnan recalls, “I expressed these concerns and the next thing I knew, he was making a video call. I picked up and we spoke for around 25 seconds; the minute he made that call, all my defences were shattered. After hanging up, I transferred the amount to him.”
Steve Grobman, Venkata Satish Guttula and PS Radhakrishnan
It was only when the person asked for another Rs 30,000 immediately that Radhakrishnan smelled a rat and hung up after making some excuses. He then called back the same number, and realised he had been scammed. When he went to the Kozhikode police headquarters to register a complaint, the policemen surrounded him and listened with interest. It was the first time they had heard of a scam like this.
Radhakrishnan, however, was not the only target. When he posted his ordeal on a WhatsApp group of former colleagues, another member said he had also received a similar call but had not fallen for it.
The Kozhikode police suspect that the accused had infiltrated this very WhatsApp group and mined the information shared in it to impersonate a member. Subsequent police investigation found that Radhakrishnan’s money was deposited into an account in Gujarat, and then transferred to one in Mumbai. This modus operandi, where money is continuously moved about before being withdrawn in cash, is indicative of what is known in police circles as ‘Jamtara’ rackets. In other words, the perpetrators are the same, but now they are abetted by AI.
“The police have been able to freeze the amount and will soon recover the money. But the fact that it was so easy for them to con me is scary,” says Radhakrishnan, speaking for all of us. mid-day reached out to Deputy Commissioner of Police K E Baiju, Kozhikode, but received no response.
The case is the realisation of the cybersecurity and cyber law enforcement community’s worst fears. Ever since Artificial Intelligence (AI) began developing at a rapid pace, there have been concerns about its impersonation capabilities being used for criminal purposes. Text-to-speech technology, in particular, has always been an area of interest worldwide. It began as an experiment in the 1960s, where text would be entered into a system and a robotic voice would read it out.
This field has been the focus of intense research and development over the decades.
“Actual transformation in this field came with the advent of deep learning and AI,” says Venkata Satish Guttula, co-founder and Chief Information Security Officer at CyberXGen, a cybersecurity technology, consulting and training centre. “With increased computational power and vast amounts of training data available, sophisticated models began to emerge. AI-based models are capable of discerning intricate details of human speech, and generating synthetic voices that are virtually indistinguishable from the real thing. Today’s text-to-speech systems can produce speech that sounds very natural and lifelike, mimicking human intonations, pace, and even emotional inflection.”
Much to the chagrin of those tracking AI-based crimes, while the misuse of publicly available pictures and personal information for criminal purposes has had its fair share of the limelight, few seem to have considered that voices are just as vulnerable on the internet.
In April this year, McAfee, a US-based cybersecurity company, commissioned a study after noting the rapid rise of AI. The results, which were compiled in May, threw up scary revelations, particularly in the Indian context.
“Fifty-three per cent of all adults share their voice online at least once a week,” says McAfee’s Chief Technology Officer Steve Grobman, “with 49 per cent doing so up to 10 times in the same period. The practice is most common in India, with 86 per cent of people making their voices available online at least once a week, followed by the UK at 56 per cent and then the US at 52 per cent.”
Cybercriminals can collect voice samples from anywhere: social media posts, voice notes or other public uploads. To further test how effectively these samples could be cloned using AI, McAfee discovered over a dozen free and paid tools on the Internet, besides toolkits to create more sophisticated clones.
“We used one of these tools to replicate a researcher’s voice,” Grobman reveals. “With just three to four seconds of voice recording, the free tool was able to create a convincing clone at an estimated 85 per cent match. For just $0.0006 per second of audio produced, the team was able to record 100 prompts, which resulted in a higher-quality outcome. With the next paid tier, they were able to add things such as emotion and inflection, making the voice clone almost indistinguishable from the real thing.”
McAfee also found that some tools struggled with reading acronyms, taking pauses between sentences or conveying the accurate emotion of a sentence. On the other hand, some tools sounded very natural, paused between long sentences to ‘catch a breath’ or added a stutter to sound more authentic.
A huge 47 per cent of Indians surveyed by McAfee had either fallen prey to AI-enabled voice scams or knew someone who had. Of these, 86 per cent had lost money to such scams, with 48 per cent losing over Rs 50,000. The research team also achieved a high success rate in replicating accents from several countries, including India, Australia, the US and the UK.
What concerns the cybersecurity community is also the fact that since the Internet transcends borders, no single country or government could, by itself, rein in the menace. “AI in the hands of malicious actors is indeed a concerning development,” says Guttula, “A major obstacle in investigation is jurisdictional issues, given that these crimes often cross national borders. Therefore, fostering international collaboration and creating harmonized laws and regulations that span countries can expedite investigations and prosecutions. Moreover, it’s crucial that the government invests in awareness campaigns and educational programs for the public.”
Grobman recommends an intensive low-trust policy, including limiting online exposure and making proactive efforts to spot potential threats, such as using identity monitoring services that can alert you if your personally identifiable information is available on the Dark Web. Other measures include setting a code word with close family and friends, which they can use when asking for help, and asking personal verification questions such as the birth dates of parents.
Meanwhile, Guttula says that it would help a lot if one took a moment to think before responding to the urgency that these cybercriminals try to create, and triple-checked authenticity. “You can do this by independently reaching out to the individual or organization through a different, trusted channel,” he says, “Don’t rely on the contact information provided in the suspicious message or call; look up the contact details yourself. Scammers create a sense of urgency to prevent you from thinking clearly or cross-checking their story.”
As McAfee’s research report observes, AI has already changed the game for cybercriminals. The barrier to entry has never been lower, which means it has never been easier to commit cybercrime.
But two can play the game, says Guttula.
“It’s important to note that while AI can enhance the capabilities of cybercriminals,” he says, “it also significantly strengthens the tools and techniques available to cybersecurity professionals. The challenge lies in continuously innovating and remaining one step ahead.”