A new social engineering scam is using VoCo. VoCo is a sound engineer’s dream in that it allows a controller to edit or insert words into an audio recording without having to bring the voiceover artist back into studio.
If proper safeguards aren’t implemented, Project VoCo could undermine the authenticity of audio recordings. Attackers could in that case exploit the technology to fool others into thinking someone said something they did not.
Here is how one such attack might proceed:
1) An attacker performs OSINT and discovers an organization’s CEO will be away on business for a few days or a week.
2) The bad actor records a fake message from the CEO using VoCo that asks the head of finance to call them back for instructions regarding an upcoming payment.
3) The attacker receives a call from the head of finance. Using VoCo, the former instructs the latter to deliver funds to an account under their control.