
Field Notes — Ongoing

Identity Exposure Field Notes

Short, practical briefings on active scam patterns, data broker events, platform changes, and identity risks affecting real people right now. Not annual awareness training — operational field notes.

Awareness — Social Engineering

AI Voice Clone and the Family Crisis Scam

May 2025 · 3 min

Synthetic voice technology has crossed a threshold. An attacker with a few seconds of audio — a voicemail, a social media video, a podcast clip — can generate a convincing clone of someone's voice in real time. This is not a research demonstration. It is a deployed attack technique.

The attack pattern is consistent: a family member calls in apparent distress. They have been arrested, have been in a car accident, or are stranded. They need money immediately, by wire transfer, cryptocurrency, or gift cards. The voice sounds real because it is generated from a real voice sample. The scenario is built from publicly available information about the family: names, relationships, and locations visible on social media and data broker profiles.

The attack is effective precisely because it triggers emotional responses that override normal judgment. Urgency, family distress, and a familiar voice combine to produce decisions people later describe as uncharacteristic.

The defense is behavioral, not technical. Establish a family verification phrase — a word or short phrase agreed on in advance, not derivable from public information — that anyone can ask for in an unexpected contact scenario. If the caller cannot provide the phrase, hang up and call back on a number you already have. The phrase must be established when there is no pressure: discussed calmly, written somewhere trusted, known to all family members including elderly relatives.

Technique — Authentication Bypass

SIM Swap: What It Is and How to Stop It

May 2025 · 4 min

A SIM swap is an attack that transfers your phone number to a device the attacker controls. It is performed by social engineering your mobile carrier's customer support team, convincing them that you are requesting a number transfer — using information gathered from data brokers and public records.

Once the transfer is complete, the attacker receives all SMS messages sent to your number — including two-factor authentication codes, account recovery texts, and one-time passwords. Any account that uses your phone number as a recovery factor is now accessible. This typically includes email, which recovers everything else.

Mitigation step 1: Log in to your carrier account and set an account PIN or passcode. Some carriers offer a “port freeze” that prevents number transfers without in-store verification. T-Mobile, AT&T, and Verizon all offer versions of this.

Mitigation step 2: On your primary email and financial accounts, remove your mobile number as a backup recovery method. Replace it with a backup email account protected by equally strong MFA.

Mitigation step 3: Move from SMS 2FA to TOTP (authenticator app) or passkeys for all high-value accounts. SIM swap is irrelevant when authentication does not involve your phone number.

Scam Pattern — Active

QR Code Scams (Quishing)

May 2025 · 3 min

QR code phishing — “quishing” — has grown as a technique because QR codes bypass most email security tools. A URL in an email can be scanned by a security gateway; a QR code image embedded in a PDF attachment cannot.

Attack vectors: printed QR codes placed over legitimate codes in parking lots, restaurants, and public transit kiosks; QR codes in phishing emails directing to credential-harvesting sites; fake QR codes in package tracking scams, cryptocurrency pitches, and government impersonation emails.

The defense is one habit: preview the destination URL before tapping. Most smartphone cameras display the URL before opening. If the URL does not match the expected domain, do not proceed. If someone placed a QR code sticker over a parking meter or public poster, that is worth a closer look — physical tampering is common.
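A pre-tap URL check of the kind this habit relies on, added here as an example and not part of the original note. The expected domain, the shortener list and the sample URLs are constructed; the function flags the cases a quick glance at a camera preview tends to miss (userinfo before '@', the expected name buried inside a longer domain, shorteners, raw IP hosts, internationalised hosts).

```python
"""Pre-tap check for text decoded from a QR code (constructed example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of link shorteners; the real destination sits behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def check_qr_destination(payload: str, expected_domain: str):
    """Return (allowed, reasons). allowed is True only for an https link whose
    host is the expected domain or a subdomain of it, with nothing hiding it."""
    reasons = []
    expected = expected_domain.lower().strip(".")
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False, [f"not a web link (scheme '{scheme or 'none'}')"]
    if scheme == "http":
        reasons.append("plain http, not https")
    if "@" in parts.netloc:
        # The browser discards everything before '@'; a quick glance does not.
        reasons.append("text before '@' is userinfo and disguises the real host")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, ["no host in URL"]
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address, not a named domain")
    except ValueError:
        pass
    if "xn--" in host or not host.isascii():
        reasons.append("internationalised host, possible look-alike characters")
    if host in SHORTENERS:
        reasons.append(f"shortener {host} hides the final destination")
    on_expected = host == expected or host.endswith("." + expected)
    if not on_expected:
        if expected in host:
            reasons.append(f"'{expected}' appears inside a different domain: {host}")
        else:
            reasons.append(f"host {host} is not {expected} or a subdomain of it")
    return (on_expected and not reasons), reasons


if __name__ == "__main__":
    # Constructed samples: a genuine meter link and a sticker-style substitute.
    for url in ("https://pay.parking.example/meter/1234",
                "https://parking.example@pay-meter.test/1234"):
        print(url, check_qr_destination(url, "parking.example"))
```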

Workplace Risk — Cloud Identity

The Personal OneDrive Problem: When Business and Personal Identity Collide

May 2025 · 4 min

The modern workplace does not fail only at the firewall. It fails when personal accounts, business data, unmanaged devices, and convenience prompts quietly blur the line between private life and corporate responsibility.

OneDrive and Google Drive personal accounts on work devices are a widespread example. An employee signs in to their personal Microsoft account on a work computer. Office prompts them to sync files. Documents drafted at work — contracts, personnel files, customer data — sync silently to a personal cloud account with no MDM enrollment, no conditional access policy, and potentially weaker authentication than the corporate tenant.

From a compliance perspective, this is a data leakage path. From an identity security perspective, the personal account is the weak link: SMS MFA, potentially reused credentials, and none of the monitoring and alerting that the corporate tenant has.

Organizational response: Conditional Access policies in Microsoft Entra ID blocking personal account sync on managed devices; Intune policies restricting personal account enrollment; DLP policies flagging business data written to personal storage. Pair technical controls with a clear user-facing explanation — a block without context produces workarounds.

Individual response: Keep personal and work accounts, devices, and cloud storage strictly separated. The convenience is not worth the exposure in either direction.