Speaker: Daniel Isler, Actor, University Professor, Security Consultant & Team Leader at Friendly Rats
Background: Social Engineering Team Leader at DreamLab Technologies (Swiss company), former voiceover artist for Virgin Mobile
Key Focus: Voice impersonation attacks exploiting brand trust and voiceover industry vulnerabilities
Introduction: The Invisible Social Engineer
Daniel Isler introduces his journey from traditional penetration testing to social engineering, emphasizing the importance of being "invisible" while conducting security assessments. His team, Friendly Rats, specializes in creative social engineering operations.
Team Philosophy: "We need to be obvious... we believe that workers in a company need to have the chance to realize that the situation is suspicious or not permitted. But they never catch us."
Creative Social Engineering Operations:
- Free coffee distribution with flyers containing malicious URLs
- Fake flight attendant visits with rubber ducky planes
- Social media framing around special dates (Valentine's, Christmas)
- Educational presentations based on TV shows like Money Heist
- Security awareness games like "Who Wants to Be Secured"
"This is for all audience because it's worldwide vulnerability that can be exploited by 13-year-old kid without a computer... it's 100% social engineering."
The Inspiration: Money Heist & Perfect Crimes
TV Show Inspiration
The Spanish series "Money Heist" (La Casa de Papel) inspired the research - exploring how to not just spoof identities but actually become identities through voice impersonation.
The Perfect Crime Question
A conversation with his wife (a bank executive) sparked the question: "Can a normal person do something like this?" This led to research into voice-based attacks.
Richard Branson Influence
Daniel's experience as a voiceover artist for Virgin Mobile for 7 years without a contract revealed industry vulnerabilities in voice talent management.
Industry Insight: "I worked for Virgin Mobile as the voiceover artist for seven years and I never had a contract... This revealed massive vulnerabilities in how brands protect their vocal identities."
Understanding the Voiceover Industry
Brand Voice Architecture:
Brand Identity Through Voice
Companies choose specific voices to build confidence and recognition. These voices become trusted auditory signatures that customers associate with reliability and authenticity.
Marketing Ecosystem
Brand → Marketing Department → Advertising Agency → Production Company → Sound Studio → Voiceover Artist. This chain has multiple points of potential compromise.
Casting Vulnerabilities
"Who can request a casting? Anyone. Who can be called for a casting? Anyone." The casting process is fundamentally insecure across most markets.
Global Regulatory Landscape:
Chile & Most Countries
No regulation governing voice talent casting or usage. Less than 10% of voiceover artists have contracts in Chile.
United Kingdom
No union regulation - anyone can participate in castings without restrictions. Gravy for the Brain confirmed this vulnerability.
United States
The SAG-AFTRA union provides some protection but offers one free casting hour, which gives attackers "one hour to do your magic."
Industry Expert Confirmation: From Gravy for the Brain CEO: "Anyone can be called to participate in a casting... they don't have a union in the UK." Similar vulnerabilities confirmed in US and Chilean markets.
Proof of Concept: Voice Attack Demonstration
Total Calls Made
195 calls attempted over 3+ hours of testing
Successful Connections
38 calls answered by targets
ID Information Obtained
23 people provided full identification details
ATM Codes Obtained
15 people provided ID numbers AND ATM codes
Attack Methodology:
Casting Call Pretext
Posed as casting directors seeking voice talent, using personalized phone numbers that appeared legitimate to targets.
Customized Scripts
Created believable casting scenarios that naturally required personal identification and security information as part of the "application process."
Low-Budget Operation
Conducted entire operation using only cell phones - no specialized equipment or significant budget required.
"Imagine an IVR with 2 million people in 10 minutes... Why is this so bad? The casting - anyone can call for a casting. You can customize your attack, ask whatever you want in the script, and have those credentials in one minute."
Attack Vectors & Scalability
Versatile Attack Scenarios:
Two-Factor Authentication Bypass
Impersonate trusted voices to intercept or bypass 2FA systems that rely on voice verification or phone-based authentication.
Corporate IVR Impersonation
Mimic official corporate interactive voice response systems to harvest employee credentials or sensitive information.
Contest & Promotion Scams
Use familiar brand voices to run fake contests that collect personal and financial information from targets.
Government Agency Spoofing
Impersonate official government voices for tax agencies, security services, or other authoritative entities.
Scalability Factors:
- Low Budget: Basic cell phone operation makes attacks accessible to anyone
- High Effectiveness: "If your brother calls you, it's your brother - it's the voice you hear all your life"
- Mass Targeting: Potential to reach millions through IVR systems in minutes
- Customization: Attack scripts can be tailored to specific targets or scenarios
- Plausible Deniability: Casting call pretext provides natural cover story
Psychological Effectiveness: "If your brother calls you, is your brother? It's the voice that you hear all your life. Do you believe in that voice? So imagine if something like this happens with brand voices you've trusted for years."
Industry Response & Real-World Impact
Banking Industry Demonstration:
Live POC for Banks
Presented this research to banking institutions with their own voiceover artists participating in live demonstrations.
Contract Awareness Gap
Less than 10% of voiceover artists have contracts in Chile, leaving brands vulnerable to impersonation.
Immediate Impact
Banks realized their vocal branding assets were completely unprotected against impersonation attacks.
Recommended Resources:
- "Improv" by Keith Johnstone - The "Bible" for understanding human interaction and spontaneity
- Advertising Psychology Resources - Understanding how brands manipulate through voice
- Gravy for the Brain - Voiceover training organization that confirmed industry vulnerabilities
- SAG-AFTRA Guidelines - Understanding US voice talent union protections and limitations
Real-World Validation: "Before I came here I presented this investigation in our bank and worked with their voiceover artists... at the end everyone was clapping, then realized: this is your voiceover artist and she doesn't have a contract."
Defensive Strategies & Mitigations
Protective Measures for Organizations:
Voice Talent Contracts
Implement exclusive contracts with voice talent that prevent them from participating in unauthorized castings or recordings.
Multi-Factor Verification
Implement additional verification steps beyond voice recognition for sensitive operations.
Employee Awareness Training
Train staff to recognize social engineering attempts, even when they appear to come from trusted voices.
Voice Biometrics
Implement voice fingerprinting and biometric analysis to detect impersonation attempts.
Industry-Level Solutions:
- Union & Regulatory Strengthening - Enhance SAG-AFTRA and similar organizations to better protect voice talent
- Contract Standardization - Develop industry-standard contracts that protect brand vocal identities
- Casting Process Security - Implement verification processes for legitimate casting calls
- Public Awareness - Educate consumers about voice-based social engineering risks
- Technical Countermeasures - Develop AI-based voice impersonation detection systems
"Advertising and propaganda are the biggest social engineering ever made... We need to understand how these psychological mechanisms work to defend against them."
Key Takeaways for Security Teams
Critical Vulnerabilities Identified:
- Voice talent industry is fundamentally insecure - Lack of contracts and regulation enables impersonation
- Casting process vulnerabilities - Anyone can request or participate in castings globally
- Low-cost, high-impact attacks - Basic cell phones suffice for effective voice impersonation
- Psychological trust exploitation - People inherently trust familiar voices without verification
- Mass scalability potential - IVR systems could compromise millions in minutes
- Multiple attack vectors - 2FA bypass, corporate impersonation, financial scams, government spoofing
- Global applicability - Vulnerabilities exist across US, UK, Chilean markets and likely worldwide
- Immediate threat reality - Proof of concept demonstrated a 60% success rate obtaining sensitive data (23 of the 38 people who answered provided full identification details)
Urgent Call to Action: "This is a worldwide vulnerability that can be exploited by a 13-year-old kid without a computer... Organizations must immediately assess their vocal brand security and implement protective measures before attackers exploit these vulnerabilities at scale."
Red Team Applications:
- Incorporate voice impersonation into social engineering assessments
- Test organizational resilience against vocal identity attacks
- Assess IVR and phone-based authentication system vulnerabilities
- Evaluate employee awareness and response to voice-based social engineering
- Develop detection capabilities for voice impersonation attempts
"Why is this so effective? If your brother calls you, you believe it's your brother. It's the voice you hear all your life. Now imagine that level of trust applied to brand voices you've been hearing for decades."