How Lawyers Can Use Code Words to Combat Client Voice Cloning and Deepfakes
Voice cloning uses machine learning to reproduce someone’s voice patterns with disturbing realism. Deepfakes utilize similar AI to manipulate video by swapping faces or creating highly convincing impersonations. For example, OpenAI can imitate a voice using only a 15-second sample.
Imagine receiving a call that sounds exactly like a client urgently requesting you wire a large sum to a particular account. Or a deepfake video surfaces of you strategizing, exposing privileged information. The implications range from financial theft to violations of attorney-client privilege.
While still an emerging threat, these AI impersonations are becoming more accessible. In early 2024, criminals created a deepfake video likeness of a Hong Kong company’s CFO and other employees. The video appeared during a conference call asking an employee to transfer over $25 million to the scammers.
As I’ve written, law firms are the least guarded path to the most sensitive data. They all too often lack the cybersecurity protocols or training to support them. As such, lawyers will likely be targeted in similar schemes as the technology proliferates.
The Battle Against Voice Cloning and Deepfake Scams
How can legal professionals safeguard against such deceptions? One low-tech but highly effective solution is establishing unique code words attorneys and clients can use to verify their identity in communication. When an attorney asks a client for a code word during unsecure audio or video communication, they can better safeguard against sharing sensitive financial or confidential information with someone who is not the client. Likewise, clients can rest assured they are speaking to their attorney or staff once they’ve confirmed the code word.
For example, set the code “Purple Elephant” with client X. Any time you call them or they call your office, ask them for the code word before going any further. If they fail to provide it, terminate the interaction. If they insist it is them or claim they forgot the code word, require them to reset it in person.
Of course, proper protocols are key. For example, frequently update code words if your representation is lengthy, use different code words across clients and matter types, never say a code word out loud that could be overheard, and consider making code verification a mandatory firm policy for financial or strategic communication.
While I haven’t seen code word verification inputs built directly into legal practice management platforms (such as Clio, MyCase or Smokeball), I’m optimistic that the legal profession will soon have tools that allow for this two-way authentication. This includes those built into client portals for either party — client-side or law firm-side — to confirm the genuineness of the party corresponding with them.
While establishing code words may be a minor inconvenience, it is well worth your time. It can also help build clients’ trust in an era when voice cloning and deepfakes are only growing.
Introduce the process to your clients upfront and explain why it is important. Be sure your clients and your staff are trained. Most clients will appreciate your proactive commitment to protecting the confidentiality of their sensitive information.
By embracing this old-fashioned security technique, you safeguard your clients and your firm against becoming an unsuspecting victim of AI’s dark side. In an era of deepfakes and digital deception, something as simple as a shared code may be your strongest shield.