AI voice cloning and deepfakes are supercharging scams. One method to protect your loved ones and yourself is to create secret code words to verify someone’s identity in real time.
# Best Practices: Establishing Family Verification Passphrases Against Impersonation Scams
## Overview
These practices address the growing threat of sophisticated impersonation scams, particularly those leveraging AI-powered voice cloning (deepfakes) and social engineering tactics (panic, urgency) to defraud individuals and families. The core recommendation is establishing a pre-agreed, secret verification phrase or password within a trusted group (like a family) to authenticate urgent communications.
## Key Recommendations
### Immediate Actions
1. **Initiate Family Discussion:** Immediately schedule a discussion with all relevant family members (and trusted contacts) to agree upon the necessity of a secure verification method.
2. **Select a Secret Passphrase:** Choose a unique, memorable, and non-obvious phrase or word that is not shared publicly (i.e., not a pet's name, birthday, or common proverb).
3. **Establish the Verification Protocol:** Agree that if any family member receives an urgent, unusual request for money or sensitive information—especially via phone, text, or video pretending to be another family member—the requestor *must* provide the correct passphrase before any action is taken.
### Short-term Improvements (1-3 months)
1. **Distribute and Secure the Passphrase:** Securely share the passphrase only with authorized individuals, preferably through an out-of-band, secure communication channel (e.g., a secured password manager, not standard email).
2. **Practice the Protocol:** Conduct low-stakes "test runs" where one party initiates contact asking for verification to ensure all parties know how to respond under pressure.
3. **Document Verification Guidelines:** Create a simple, one-page document outlining who needs to know the passphrase and the steps to take if the passphrase check fails (e.g., hang up, call the person back on a known number, contact a designated emergency contact).
### Long-term Strategy (3+ months)
1. **Establish Secondary Verification Methods:** Develop a secondary, slightly more complex verification mechanism to rotate in annually, or for interactions involving significant financial transfers.
2. **Integrate Verification Education:** Make passphrase verification a standing part of general cybersecurity education within the family structure (especially for vulnerable members or those less tech-savvy).
3. **Monitor Impersonation Trends:** Stay informed about evolving scam tactics (e.g., new AI capabilities) and adjust the passphrase criteria or security protocols as necessary.
## Implementation Guidance
### For Small Organizations (or close-knit families)
- Focus on simplicity and speed. Use a phrase that is easy to recall quickly under stress (e.g., a specific, nonsensical phrase from a childhood memory).
- Implementation can be managed via a secured shared document or a dedicated group chat (if the platform is trusted).
### For Medium Organizations (or extended families/friend groups)
- Implement tiered passphrases: A primary phrase for general high-urgency checks, and a secondary, longer phrase required only for transactions exceeding a certain financial threshold (e.g., over $1,000).
- Mandate multi-factor verification: If a call is suspicious, hang up and call the known contact back on a verified, pre-saved number (not the number the suspicious call came from).
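The tiered protocol and the callback rule above can be written down as decision logic. The following is an added example, not code from the article or from any of the organisations it cites; it assumes a constructed threshold of 1,000 for the secondary tier, stores each phrase only as a salted PBKDF2 digest so that a leaked note does not reveal the phrase itself, and deliberately ignores any "urgent" flag, because pressure to skip verification is a red flag rather than a reason to bypass the check.

```python
"""Tiered family/ team passphrase verification (added example, not the article's code).

Assumptions (not from the article):
  - two tiers, "primary" and "secondary", selected by the requested amount;
  - SECONDARY_TIER_THRESHOLD is a constructed value mirroring the "$1,000" example;
  - phrases are stored as salted PBKDF2-SHA256 digests, compared in constant time.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional, Tuple

SECONDARY_TIER_THRESHOLD = 1000.00  # constructed: larger transfers need the longer phrase
PBKDF2_ROUNDS = 100_000

Record = Tuple[bytes, bytes]  # (salt, digest)


def _normalize(phrase: str) -> str:
    # A phrase spoken aloud and typed back may differ in case or spacing; normalise
    # both sides so the human-friendly protocol does not fail on trivia.
    return " ".join(unicodedata.normalize("NFKC", phrase).casefold().split())


def enroll(phrase: str, salt: Optional[bytes] = None) -> Record:
    """Store a phrase as (salt, digest) so the shared note never holds the plain phrase."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(phrase).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check(offered: str, record: Record) -> bool:
    """Constant-time comparison of an offered phrase against an enrolled record."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", _normalize(offered).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def required_tier(amount: float) -> str:
    return "secondary" if amount > SECONDARY_TIER_THRESHOLD else "primary"


def verify_request(amount: float, offered: str, records: Dict[str, Record],
                   caller_claims_urgent: bool = False) -> dict:
    """Decide what to do with an urgent request for money.

    The urgency claim is recorded but never changes the outcome: a failed check
    always ends in "hang up and call back on a pre-saved number".
    """
    tier = required_tier(amount)
    verified = check(offered, records[tier])
    action = "proceed" if verified else "hang_up_and_call_back_on_known_number"
    return {"tier": tier, "verified": verified, "action": action,
            "urgency_ignored": caller_claims_urgent}


if __name__ == "__main__":
    # Constructed sample phrases; real ones are chosen privately by the family.
    records = {
        "primary": enroll("The purple elephant drank three martinis."),
        "secondary": enroll("Star Light Jupiter seven over the quiet harbour"),
    }
    print(verify_request(250, "the purple ELEPHANT drank three martinis.", records))
    print(verify_request(5000, "The purple elephant drank three martinis.", records,
                         caller_claims_urgent=True))
```

Note that offering the primary phrase for a transfer above the threshold fails: the caller must know the secondary phrase, which is exactly the property the tiered scheme is meant to give.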
### For Large Enterprises
- While the direct application is for individuals, the principle aligns with *Insider Threat Verification*. Implement mandatory verbal/visual confirmation protocols for high-risk requests originating from C-suite or HR/Finance departments, especially during off-hours or via non-standard communication channels.
- Use this concept to reinforce the necessity of multi-factor authentication (MFA) for accessing critical systems, treating digital credentials as the organization's passphrase.
## Configuration Examples
The article focuses on linguistic/procedural security setup rather than technical configuration.
**Passphrase Selection Guidance:**
* **Good:** A specific, contextually irrelevant sentence (e.g., "The purple elephant drank three martinis.")
* **Better:** A unique compound word or phrase known only to participants (e.g., "Star_Light_Jupiter_7").
* **Avoid:** Personal identification easily found online, common quotes, dictionary words, or phrases related to shared public knowledge (e.g., favorite sports team slogan).
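The Good/Better/Avoid rules can be turned into a simple audit that a family or small team runs over a candidate phrase before adopting it. This is an added example, not from the article; the list of "publicly discoverable facts" and the list of common sayings are constructed placeholders, and the length and word-count thresholds are assumptions that mirror the guidance rather than a published standard.

```python
"""Audit a candidate verification phrase against the Avoid rules (added example).

Assumptions (not from the article): minimum 12 characters and 3 words, a caller-supplied
list of facts that could be scraped from social media, and a small constructed list of
common sayings standing in for a real quotation corpus.
"""
import re
from typing import Iterable, List

# Constructed stand-in for "common quotes / proverbs"; a real deployment would use a larger list.
COMMON_SAYINGS = (
    "a penny saved is a penny earned",
    "the early bird catches the worm",
    "actions speak louder than words",
)


def audit_phrase(phrase: str, public_facts: Iterable[str],
                 min_words: int = 3, min_length: int = 12) -> List[str]:
    """Return a list of reasons the phrase is a poor choice; empty list means it passed."""
    issues: List[str] = []
    words = re.findall(r"[A-Za-z0-9]+", phrase)  # underscores/punctuation split words
    lowered = phrase.casefold()

    # Too short or too few words: easy to guess, and offers little margin for the
    # secondary (longer) tier.
    if len(phrase) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if len(words) < min_words:
        issues.append(f"fewer than {min_words} words")

    # Anything an attacker could find online (pet names, birthdays, team names, surnames).
    for fact in public_facts:
        f = fact.casefold().strip()
        if len(f) >= 3 and f in lowered:
            issues.append(f"contains publicly known detail: {fact!r}")

    # Common proverbs and quotes are the first thing a guesser tries.
    for saying in COMMON_SAYINGS:
        if saying in lowered:
            issues.append("matches a common saying")
            break
    return issues


if __name__ == "__main__":
    # Constructed sample of facts that might be visible on a social-media profile.
    facts = ["Fluffy", "Smith", "07/14/1985", "Bears"]
    for candidate in ("Go Bears!", "The purple elephant drank three martinis.",
                      "Star_Light_Jupiter_7", "A penny saved is a penny earned"):
        print(candidate, "->", audit_phrase(candidate, facts) or "OK")
```

The audit is a coarse filter, not a strength meter: a phrase that passes is merely free of the obvious failure modes the article lists, and the family still has to keep it off email and other channels they do not control.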
## Compliance Alignment
While this is a personal security measure, it aligns conceptually with frameworks stressing identity verification and personnel security:
* **NIST SP 800-53 (AC-2):** Account Management (ensuring proper identity verification for access).
* **ISO/IEC 27001 (A.9):** Access Control (ensuring authentication for sensitive interactions).
## Common Pitfalls to Avoid
1. **Using Easily Guessable or Public Phrases:** Avoid using phrases that could be found in social media posts, old letters, or obvious inside jokes that are not truly secret.
2. **Allowing Urgency to Bypass Verification:** Scammers rely on panic. If the person on the other end pressures you to "hurry" or "not ask questions," this is a major red flag, and the verification step *must* be completed.
3. **Forgetting the Passphrase:** Not practicing or reviewing the passphrase regularly leads to failure under duress.
4. **Sharing the Passphrase via Email:** Do not send the secret passphrase over unsecured digital channels.
## Resources
* **FBI Public Service Announcement (PSA):** Agencies recommend establishing family code words to verify identity against potential impersonation scams.
* **Financial Institution Guidelines (e.g., Starling Bank):** Consult publicly available "Safe Phrase" guidance for how to structure the verification protocol.
* **Deepfake Education:** Review resources on AI voice cloning (e.g., KrebsOnSecurity, major cybersecurity news outlets) to understand the technical sophistication the passphrase counters.