What is AI voice cloning fraud?
AI voice cloning fraud is a scam where attackers use artificial intelligence to recreate a real person’s voice — typically an executive, vendor, or family member — from a short audio sample, then use that cloned voice in a phone call or video conference to trick someone into transferring money or sensitive data. Commodity cloning tools available on the open web can now convincingly replicate a voice from as little as three seconds of public audio, such as a podcast clip, webinar recording, or LinkedIn video.
How common is deepfake fraud in business email compromise attacks?
The share of business email compromise (BEC) attacks that use AI-generated voice, video, or text deepfakes has reached 40% in 2026, up from under 5% in 2023, according to industry fraud-trend research. This is no longer a rare, exotic attack — it has become a mainstream tactic layered on top of traditional email-based fraud, and small and mid-size businesses are increasingly the target because they often lack the layered verification controls larger enterprises have adopted.
What does a deepfake attack actually cost a business?
Average losses from AI-augmented BEC attacks now exceed $4.1 million per incident, compared to roughly $1.3 million for traditional phishing-based BEC. The most widely cited example is engineering firm Arup, where a finance employee joined a video conference call that appeared to include the company’s CFO and several senior leaders — every face and voice on that call was AI-generated — and authorized a $25 million transfer before the fraud was discovered. Deepfake-enabled scams broadly are projected to cause $40 billion in global losses by 2027.
Why are AI-generated phishing attempts more effective than traditional ones?
AI-generated content now shows up in 82.6% of phishing emails, and those AI-written messages achieve a 54% click-through rate compared to just 12% for traditional human-written phishing. The same pattern holds for voice: deepfake vishing (voice phishing) attacks surged 1,633% in the first quarter of 2025 compared to the prior quarter, and vishing now accounts for more than 60% of phishing-related incident response engagements. Attackers get better results because a familiar voice or face bypasses the skepticism that written email alone tends to trigger.
Why do small businesses face outsized risk?
Small businesses already account for a disproportionate share of ransomware and BEC victims — 88% of confirmed SMB breaches involve ransomware, compared to 39% at large organizations, and social engineering attacks are 350% more common against SMB employees, with human error involved in 95% of cases. Layer AI-generated voice and video onto that existing gap in verification processes, and a well-timed cloned-voice call to accounting or HR becomes one of the highest-return attacks available to a fraudster.
How can a business defend against AI voice cloning and deepfake calls?
The controls that stop deepfake fraud are procedural, not just technical, and most are inexpensive to put in place:
- Require out-of-band verification for any payment or wire change. A phone call or video request to move money or change banking details should always be confirmed through a separate, previously known channel — not by calling a number provided during the same interaction.
- Establish a shared verification phrase for executives and finance staff to use on sensitive requests, similar to a code word, that would not appear in public audio or video an attacker could train a model on.
- Treat urgency and secrecy as red flags. Deepfake pretexts almost always include pressure to act immediately and to bypass normal approval steps — the same psychological lever traditional BEC has always used.
- Limit public audio and video exposure of executives and finance approvers where practical, since three seconds of clean audio is enough to clone a voice with widely available tools.
- Formalize a dual-approval process for wire transfers and vendor banking-detail changes above a set threshold, regardless of who is asking or how convincing the request sounds.
- Train staff specifically on deepfake scenarios, not just email phishing — most security awareness programs still focus almost entirely on suspicious links and attachments.
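One way to encode the out-of-band and dual-approval controls above as a payment-release check (an added example, not Boston Managed IT's own code). The threshold value, the vendor record, the field names, and the choice to require two approvers for any banking-detail change or urgent request are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional, Set

DUAL_APPROVAL_THRESHOLD = Decimal("10000")  # assumed value; set per your policy
# Constructed vendor master data: callback numbers recorded before any request.
VENDOR_MASTER = {"V-1001": "+1-555-0100"}

@dataclass
class PaymentRequest:
    vendor_id: str
    amount: Decimal
    requester: str                       # person the caller claimed to be
    changes_bank_details: bool = False
    callback_number_used: Optional[str] = None  # number staff dialed to confirm
    approvers: Set[str] = field(default_factory=set)
    urgent_or_secret: bool = False       # pressure to rush or skip approvals

def _digits(number: str) -> str:
    """Normalise a phone number so formatting differences do not matter."""
    return "".join(ch for ch in number if ch.isdigit())

def release_blockers(req: PaymentRequest) -> list:
    """Return reasons the payment must be held; an empty list means release."""
    blockers = []
    on_file = VENDOR_MASTER.get(req.vendor_id)
    if on_file is None:
        blockers.append("no callback number on file")
    elif req.callback_number_used is None:
        blockers.append("no out-of-band callback recorded")
    elif _digits(req.callback_number_used) != _digits(on_file):
        # A number supplied during the call or video meeting is not out-of-band.
        blockers.append("callback number is not the one on file")
    # The requester never counts toward approval of their own request.
    independent = req.approvers - {req.requester}
    high_risk = (req.amount > DUAL_APPROVAL_THRESHOLD
                 or req.changes_bank_details or req.urgent_or_secret)
    needed = 2 if high_risk else 1
    if len(independent) < needed:
        blockers.append(f"needs {needed} independent approvers, has {len(independent)}")
    return blockers

# Constructed request: an urgent wire confirmed on a number given during the call.
SUSPECT = PaymentRequest("V-1001", Decimal("250000"), "cfo",
                         callback_number_used="+1-555-0199",
                         approvers={"cfo"}, urgent_or_secret=True)

if __name__ == "__main__":
    for reason in release_blockers(SUSPECT):
        print("HOLD:", reason)
```

The check never inspects how convincing the caller sounded: release depends only on the callback number on file and on approvers other than the requester.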
How is Boston Managed IT helping clients prepare?
Inside our managed services practice, we are updating client security awareness training to include voice and video deepfake scenarios specifically, not just email-based phishing. We are also working with finance and operations teams to formalize out-of-band verification steps for wire transfers and vendor payment changes, and reviewing what executive audio and video is publicly available that could be used to train a cloning tool. None of these controls require new software licensing — they require a documented process and staff who know to follow it even when a request sounds completely legitimate.
Common questions about deepfake and AI voice fraud
Can I tell a cloned voice apart from a real one on a phone call?
Not reliably. Current voice cloning tools produce audio that is difficult to distinguish from the real speaker, especially over a phone connection, which is why verification has to happen through a separate channel rather than by ear.
Does this only affect large companies like Arup?
No. Large, well-publicized incidents get attention, but small and mid-size businesses are actually the more common target because they typically have fewer formal verification controls in place for payment and banking-detail changes.
Is multi-factor authentication enough to stop this?
MFA protects account logins, but it does not stop a phone call or video conference where a fraudster impersonates an executive to request a wire transfer. Deepfake fraud requires process controls — out-of-band verification and dual approval — in addition to technical safeguards.
What is the single highest-impact control a small business can put in place this quarter?
A mandatory callback or separate-channel verification step for any payment, wire, or banking-detail change request, regardless of how the request arrives or how convincing it sounds.
Should we stop posting executive video content publicly?
Not necessarily, but it is worth being aware that any public audio or video is a potential training source for voice cloning, and it should factor into a business’s broader risk conversation, particularly for staff who regularly authorize payments.
Get a deepfake and BEC readiness review
Boston Managed IT works with businesses across Massachusetts and New England to review payment-verification processes, update security awareness training for AI-driven threats, and close the procedural gaps that deepfake fraud exploits. If you would like a readiness review of your current wire-transfer and vendor-payment controls, please reach out to our team.
References: Sumsub – Fraud Trends 2026, Digital Applied – AI Deepfake Attacks Surge to 40% of Email Compromise, ZeroThreat – Deepfake Attacks & AI-Generated Phishing Statistics, Adaptive Security – Deepfake Statistics 2026, Astra – Small Business Cyber Attack Statistics 2026.