Follow us :
AI & Copilot

Deepfake Voice Cloning: An SME Guide to Fake Executive Orders

AI voice cloning and deepfake video-call fraud concept — Xen Bilişim AI & Copilot

On 3 July 2026, Turkish police dismantled a fraud call centre that ran on AI-powered software. The news itself isn’t surprising; what’s surprising is what “software” now means. A few years ago the fraudster’s tool was a badly written SMS. Today it’s a model that reproduces the voice of someone you know, note for note.

Last month we wrote about business email compromise (BEC): how a fake “our bank account changed” email quietly moves money out the door. From the attacker’s side, that method had a weakness — email leaves a written trail, and a careful eye can spot an odd turn of phrase. Voice and video erase that weakness. When you hear your boss’s voice on the phone or see their face on a call, your instinct to doubt doesn’t fire. That is precisely the danger.

How many seconds does it take to clone an executive?

Research by McAfee found that just 3 seconds of audio is enough to produce a clone roughly 85% similar to the original. A conference talk your CEO posted on LinkedIn, a podcast episode, even a voicemail greeting — all of it is raw material. The same study found that one in four adults has encountered an AI voice scam, either directly or through someone close to them.

The logic is the same as BEC; only the channel changes:

  • Vishing (voice phishing): The “CEO” calls accounting and demands an urgent, confidential transfer. The voice is unmistakably familiar.
  • Deepfake video call: The manager who joins the meeting looks and sounds real; everyone on screen is in fact AI-generated.
  • Hybrid play: A fake email arrives first, followed by a voice call “to confirm.” Two channels backing each other up removes the victim’s last doubt.

A 25-million-dollar video call

The best-known example is the engineering firm Arup. In early 2024, a finance employee in its Hong Kong office joined a video meeting attended by the UK-based CFO. On screen were the CFO and several colleagues, voices and faces in place. The employee hesitated at first, then complied, transferring roughly 25 million dollars across 15 separate payments. Everyone on that call except the employee was a deepfake. Hong Kong police disclosed the case in February 2024; Arup confirmed itself as the victim in May. The money was never recovered.

Twenty-five million isn’t an SME’s figure, I know. But the cost of the attack scales with the size of the organisation. Bitdefender’s warning points the same way: fraudsters now clone executives’ voices in short order to generate urgent transfer requests, and this works more easily at companies with weak approval chains. At a large firm, three signatures stop a transfer; at a 20-person company, one person usually makes the payment.

Stop trusting your ears and eyes

The hard truth about deepfake defence: “listen carefully, does it sound familiar” no longer helps — it was designed to sound familiar. The only reliable defence is a verification reflex that switches the channel.

Incoming requestWarning signVerification reflex
Urgent transfer by voice callUrgency + secrecyHang up, call back on a known number
Payment order on a video callUnusual channel, pressureConfirm the payment with a second person
”New IBAN” + confirmation callTwo channels reinforcing each otherVerify the change in person / in writing

The core of it is solved by process, not technology:

  1. Call-back rule. No voice or video request for money or data is approved on that call. You call back on a known number from your directory. The number the caller gives you doesn’t count.
  2. Dual-approval threshold. Every transfer above a set amount requires two people’s sign-off, regardless of channel.
  3. A team pass-phrase. Simple but effective: a pre-agreed word to ask over the phone in an emergency. A deepfake mimics the voice; it can’t know the word.
  4. Awareness. A team that has heard this scenario catches it. One that hasn’t freezes when the “real” voice is on the line.

Frequently asked questions

Isn’t there a way to spot a deepfake call live? It’s getting harder. Lip-sync glitches, unnatural blinking, distortion on sudden light changes used to be tells; models are closing those gaps fast. Asking an unexpected question (what did we discuss in last night’s meeting?) can still help, but it isn’t a guarantee on its own. The rule is simple: if it’s suspicious, switch the channel.

We’re an SME — why would anyone target us? Targeting is driven by fragility, not size. A business with a short approval chain, no written process and single-signature payments is easier prey than a large enterprise.

Will antivirus or an email filter stop this? No. There’s no malicious file involved — only a convincing voice or image. The defence lives in your payment and approval process, not in a technical layer.

We’ve covered AI on the attacker’s side, but there’s another face to the coin: the same technology also works in defence, from email security to anomaly detection. What matters is that your team knows the difference between “the voice sounded familiar” and “the identity was verified.” To build that reflex, design a sound payment-approval process and prepare your team for these scenarios, get in touch.

Related: Business Email Compromise (BEC): An SME Guide to Fake Payment Instructions

Sources

  • CNN Business — Arup revealed as victim of 25 million dollar deepfake scam (May 2024)
  • Fortune — A deepfake ‘CFO’ tricked Arup in a 25 million dollar fraud
  • McAfee — The Artificial Imposter: AI voice cloning research
  • Bitdefender — warning on AI-powered executive (CEO) deepfake fraud
Share this post
Türkçe oku

Related Posts

Microsoft 365 Copilot vs ChatGPT Enterprise vs Claude for Business — Enterprise AI Decision Guide

Three main ecosystems compete in enterprise AI in 2026: Microsoft 365 Copilot, OpenAI ChatGPT Enterprise, Anthropic Claude for Business. Real differences in data security, integration depth, price segment, KVKK/GDPR fit — and a decision matrix.

Read more: Microsoft 365 Copilot vs ChatGPT Enterprise vs Claude for Business — Enterprise AI Decision Guide