The $25 million phone call: why voice cloning is the new CEO scam (and how to stop it)

AI voice cloning lets scammers fake your voice to authorise payments. Here's how Melbourne businesses stop the deepfake CEO scam with process and verification.

The voice on the phone sounds exactly like the boss — because a few seconds of audio is now all a scammer needs to clone it.

Your finance manager gets a call from you, in your voice, asking them to release a payment urgently — except it isn't you, and it never was. The number looked right, the tone was right, even the slightly impatient way you ask for things was right. By the time anyone thinks to double-check, the money has left the account. This isn't science fiction or a problem for next year. It's the natural evolution of the CEO scam, and it's already costing businesses real money.

What changed: the CEO scam grew a voice

The "CEO fraud" or business email compromise scam has been around for years. An attacker impersonates a senior person — usually the owner or a director — and pressures someone in finance to make an urgent payment or change supplier bank details. Until recently it lived almost entirely in email, which gave you a fighting chance: a wrong address, an odd turn of phrase, a request that didn't quite sound like the person.

AI has removed those tells. Vendors now report that usable voice clones can be built from only a few seconds of audio — a snippet from a webinar, a voicemail greeting, a podcast appearance or a social video. The result is a phone call that sounds genuinely like you. In one widely reported case, a finance worker at a multinational paid out around US$25 million after joining a video call where multiple colleagues — including the CFO — turned out to be deepfakes. Treat that figure as a reported case rather than a typical loss, but the lesson stands: the impersonation is now good enough to fool a careful person on a live call.

How a modern attack actually unfolds

These campaigns are rarely a single phone call out of nowhere. The convincing ones are multimodal — they layer channels to build trust before the ask.

Reconnaissance first.

The attacker learns who approves payments, who reports to whom, and when a director is travelling or hard to reach.

An email to set the scene.

A message that looks like it's from the owner flags an upcoming "confidential" payment, so the later call feels expected.

The cloned voice call.

The urgent follow-up "from the boss" applies time pressure — a deal closing, a supplier threatening to walk — so there's no time to verify.

Sometimes a video call.

In the most advanced cases, the scammer adds a deepfake video meeting so the request feels witnessed and real.

Why your spam filter can't save you here

A good email filter is essential and it blocks an enormous amount of rubbish. But this attack is designed to defeat the filter, not trip it. The phone call never passes through your mail server. The email, if there is one, may come from a genuinely compromised account of someone you actually know. There's no malicious attachment to quarantine and no dodgy link to flag — just a believable human being asking a believable question. Technology alone won't catch it, because nothing about the message is technically "wrong". The weakness it exploits is a process one: a payment that can be authorised on the strength of a voice and a sense of urgency.

The one habit that stops it: call back on a known number

The single most effective defence costs nothing and takes thirty seconds. Any request to move money, change bank details or authorise an unusual payment gets verified out of band — through a separate, already-known channel — before anything happens.

Call back on a number you already have.

Use the contact you have on file for that person, never the number that called you or the details in the email.

Agree a verification step in advance.

A simple internal pass-phrase or a "we always confirm payments over $X in person or by call-back" rule removes the judgement call under pressure.

Make urgency a red flag, not a reason to hurry.

"Do this now and don't tell anyone" is the scammer's signature, not a real executive's.

Give staff explicit permission to pause.

Nobody should fear getting in trouble for verifying a payment — that fear is exactly what the scam relies on.
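The four rules above can be written down as a decision gate so that no single voice or message can release funds. The following is an added example, not code from the article or from any product it mentions: the contact directory, phone numbers, threshold and request shape are all assumed sample values. The point it makes in code is that a call-back only counts when it is dialled to the number already on file, and that a matching caller ID is never enough on its own because caller ID can be spoofed.

```python
"""Out-of-band verification gate for payment and bank-detail requests.

Added example modelling the call-back rule; directory, threshold and sample
numbers are constructed assumptions, not real contacts.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed contact directory: the numbers the business already has on file.
KNOWN_CONTACTS = {
    "alice.owner": "+61 3 9000 0001",
    "bob.director": "+61 3 9000 0002",
}

CALLBACK_THRESHOLD_AUD = 1000  # assumed: anything above this needs a call-back

SECRECY_PHRASES = ("do it now", "don't tell anyone", "keep this confidential")


@dataclass
class Request:
    kind: str                 # "payment" or "bank_detail_change"
    requester: str            # who the request claims to come from
    amount_aud: float
    caller_number: str        # the number that rang, or the one quoted in the email
    message: str = ""         # free text of the request, scanned for urgency language


@dataclass
class Verification:
    callback_number: Optional[str] = None   # the number the staff member actually dialled
    confirmed: bool = False                 # did the person on file confirm the request?


def evaluate(req: Request, ver: Verification) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'release', 'hold' or 'reject'."""
    reasons: List[str] = []
    known = KNOWN_CONTACTS.get(req.requester)
    if known is None:
        return "reject", ["requester is not in the contact directory"]

    # Bank-detail changes and anything over the threshold always need a call-back.
    needs_callback = req.kind == "bank_detail_change" or req.amount_aud > CALLBACK_THRESHOLD_AUD

    # Urgency or secrecy language is a reason to slow down, so it forces a call-back.
    hits = [p for p in SECRECY_PHRASES if p in req.message.lower()]
    if hits:
        reasons.append("urgency/secrecy language present: " + ", ".join(hits))
        needs_callback = True

    if not needs_callback:
        return "release", reasons + ["below threshold, no call-back required"]

    # A caller ID that matches the directory proves nothing; it can be spoofed.
    if req.caller_number == known:
        reasons.append("caller ID matches the number on file, but that is not verification")

    if ver.callback_number is None:
        return "hold", reasons + ["call-back on the number on file not yet performed"]

    if ver.callback_number != known:
        # Dialling the number that called you, or the one in the email, is not out of band.
        return "reject", reasons + [f"call-back went to {ver.callback_number}, not the number on file"]

    if not ver.confirmed:
        return "reject", reasons + ["person on file did not confirm the request"]

    return "release", reasons + ["confirmed by call-back on the number on file"]
```

In practice the `Verification` record would be filled in by the staff member who made the call, and the gate would sit in whatever system releases the payment, so that "release" is impossible without it.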

The technical controls that back the process up

Process is the front line, but layered controls make the whole con far harder to pull off — and far easier to detect if someone tries. This is where a security-first IT partner earns its keep.

Multi-factor authentication and identity controls.

Strong MFA and conditional access on Microsoft 365 make it much harder for an attacker to take over the mailbox they use to set the scene.

Email security that spots account takeover.

Monitoring for impossible-travel logins, new mail-forwarding rules and unusual sending behaviour catches the quiet compromise that often precedes the call.

The Essential 8 as a baseline.

Patching, application control and restricted admin rights shrink the attack surface the scammers probe first. Our Essential 8 uplift gives you a clear, measured starting point.

A 24/7 SOC watching in real time.

Our in-house Security Operations Centre watches for the signals of business email compromise around the clock, so a takeover is caught in hours, not discovered weeks later in the accounts.

A rehearsed response if money does move.

If a payment slips through, fast incident response and a bank contacted within the hour give you the best chance of recovering funds and containing the damage.
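Two of the signals listed above, impossible-travel sign-ins and new mail-forwarding rules, can be checked with a few lines of logic. The following is an added example, not the article's code and not a vendor product: the sign-in and audit records are constructed and deliberately simplified (real Microsoft 365 records carry many more fields), the 900 km/h speed threshold is an assumption, and the domain and addresses are sample values. The operation names `New-InboxRule` and `Set-Mailbox` and the forwarding parameters are the ones that appear in Exchange Online audit data.

```python
"""Detections for the quiet mailbox takeover that precedes the call.

Added example; log records below are constructed samples.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed threshold: faster than an airliner

# Constructed sign-in events: (user, ISO time, latitude, longitude)
SIGNINS = [
    ("finance@example.com", "2024-05-01T09:02:00", -37.81, 144.96),  # Melbourne
    ("finance@example.com", "2024-05-01T10:15:00", 50.45, 30.52),    # Kyiv, 73 minutes later
    ("owner@example.com",   "2024-05-01T08:00:00", -37.81, 144.96),  # Melbourne
    ("owner@example.com",   "2024-05-01T19:30:00", -33.87, 151.21),  # Sydney, same day
]

# Constructed audit events: (user, ISO time, operation, parameters)
AUDIT = [
    ("finance@example.com", "2024-05-01T10:20:00", "New-InboxRule",
     {"Name": ".", "ForwardTo": "archive-lookalike@example.net", "DeleteMessage": True}),
    ("owner@example.com", "2024-05-01T08:05:00", "New-InboxRule",
     {"Name": "Newsletters", "MoveToFolder": "Reading"}),
    ("finance@example.com", "2024-05-01T10:21:00", "Set-Mailbox",
     {"ForwardingSmtpAddress": "smtp:archive-lookalike@example.net"}),
]

# Parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive sign-ins by one user that would need travel faster than max_kmh.

    Returns a list of (user, distance_km, implied_speed_kmh).
    """
    by_user = {}
    for user, ts, lat, lon in sorted(signins, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, events in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if hours > 0 and km / hours > max_kmh:
                alerts.append((user, round(km), round(km / hours)))
    return alerts


def external_forwarding(audit, internal_domain="example.com"):
    """Flag inbox rules or mailbox settings that forward mail outside the business.

    Returns a list of (user, operation, parameter, target_address).
    """
    alerts = []
    for user, ts, op, params in audit:
        if op not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            continue
        for key in sorted(FORWARDING_PARAMS & set(params)):
            target = str(params[key])
            if target.startswith("smtp:"):
                target = target[5:]
            if not target.lower().endswith("@" + internal_domain):
                alerts.append((user, op, key, target))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print("impossible travel:", alert)
    for alert in external_forwarding(AUDIT):
        print("external forwarding:", alert)
```

On the sample data the finance mailbox trips both detections within twenty minutes, which is the pattern worth paging on: a sign-in from somewhere the user cannot be, followed by a rule that silently copies or deletes mail so the real owner never sees the attacker's correspondence. The owner's Melbourne-to-Sydney day and the harmless "Newsletters" rule produce nothing.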

What to do in the next week

You don't need a big project to close most of this gap. Write down a payment-verification rule, share it with everyone who can move money, and make call-back on a known number non-negotiable. Then check the technical basics — MFA everywhere, login monitoring switched on, admin rights tidied up. Those few steps defeat the overwhelming majority of CEO-scam attempts, deepfake voice or not.

Frequently asked questions

Can a scammer really clone my voice from a short clip?

At the time of writing, vendors report that convincing voice clones can be produced from only a few seconds of audio — the kind of sample available in a webinar, podcast, voicemail greeting or social video. You don't need to be famous; you just need a little public audio. That's why the defence is verifying the request, not trying to judge whether a voice sounds real.

How is this different from the old CEO email scam?

It's the same goal — pressuring someone into an urgent payment or a bank-detail change by impersonating a senior person — but with AI-generated voice and sometimes video added. That removes the wording and accent tells people used to rely on, so the only dependable defence is an out-of-band verification process rather than spotting a fake.

Will antivirus or a spam filter stop a deepfake payment scam?

Not on its own. A phone call never touches your spam filter, and the email, if there is one, may come from a real, compromised account. You need the layered approach: MFA and email-security controls to make account takeover hard, monitoring to detect it, and a payment-verification process so no single voice or message can release funds.

What should we do if we've already paid a fraudulent request?

Move fast. Contact your bank immediately to attempt a recall, change passwords and review mailbox rules for any unauthorised forwarding, and get your IT or security team to investigate the account that was abused. In Australia you may also have notification obligations. Speed is the single biggest factor in recovering money and limiting the fallout.

Book your free IT & Cyber Security Review

See exactly where your IT and security stand, and what to fix first. No jargon, no obligation.