Voice cloning scam: protect family and SMBs



Voice cloning scams people by reproducing a loved one’s voice to demand money urgently. The right response comes down to three actions: hang up, call back using a known number, verify through another channel. For a family as for an SMB, the risk is not only technical: it is panic, irreversible payment, and the absence of a clear procedure.



Voice cloning scam: what really happens

Voice cloning consists of generating a synthetic voice, that is, one created by software, that imitates a person’s tone, rhythm, and certain intonations. Generative AI tools make this imitation more accessible than before, especially when audio clips already exist online: a LinkedIn video, a shared voice message, an interview, a podcast, an Instagram or TikTok story.

The most common scenario is simple. You receive a call, sometimes with a number that seems credible. A voice sounds like your child, a parent, or a company executive. It says there has been an accident, an arrest, a broken phone, a need to pay right away. No time to think.

The FTC and the FBI have been warning since 2023 about these so-called “family emergency” or “grandparent scam” frauds. In 2024, the FBI/IC3 also reported that generative AI facilitates financial fraud, notably through generated audio, sometimes called vocal cloning. In France, specific figures remain rare: Cybermalveillance.gouv.fr indicated in its 2024 report that it had not formally identified, within its scope, any malicious cyber case attributable to AI in 2023 or 2024, while still forecasting an increase in malicious uses.

Why a few seconds of voice can be enough

The trap comes from a change in threshold. Before, imitating a voice required equipment, time, and a good impersonator. Today, some voice cloning services can produce a plausible result with very little audio material. McAfee reported in 2023 that a free tool had produced an imitation judged convincing, estimated at an 85 % match, with 3 to 4 seconds of recording. With more training and effort, researchers mentioned up to 95 %.

These figures do not mean that a scam always succeeds. A cloned voice can sound metallic, handle emotion poorly, or get details wrong. But in a short, stressful call, with noise around and an urgent request, the brain fills in the blanks. We recognize what we expect to recognize.

Voice cloning scams work mainly through context. Scammers sometimes also add number spoofing (displaying a fake number) to reinforce credibility. Cybermalveillance.gouv.fr reported in 2025 a 517 % increase in assistance requests related to phone number spoofing, a phenomenon adjacent to phone fraud even if it is not specific to voice cloning.


Warning signs to spot, even under pressure

A voice cloning fraud tries to stop you from verifying. That is its weakness. Alerts from the FTC, the FBI/IC3, and McAfee converge on the same methods: urgency, secrecy, isolation, and payment that is hard to recover.

  • The person asks you to act “now,” without hanging up.
  • They refuse to let you call another relative, a colleague, or a lawyer.
  • They demand a wire transfer, gift cards, cryptocurrency, or a fast money transfer.
  • They explain that their phone is broken, confiscated, or that they are calling from an unusual number.
  • They avoid simple personal details or answer vaguely.

Payment is the real objective. Gift cards and cryptocurrency are hard to cancel. An instant transfer can also leave very little room to act. At that point, the best defense is not miracle software, it is a family or internal rule already decided in advance.

In the projects we carry out, we often see the same gap in cybersecurity: companies invest in the tool, but forget the human procedure. Yet a cloned-voice scam does not necessarily seek to hack your information system. It seeks to hack a decision.

Family, executive, SMB: the same mechanism, not the same damage

In a family, the scam plays on emotion. A parent believes they hear their child in danger. The amount requested can range from a few hundred to several thousand euros. McAfee indicated in 2023, in a survey conducted among 7,054 adults in seven countries including 1,007 in France, that 25 % of respondents said they had personally been targeted by an AI voice scam or knew someone who had. Among victims who lost money, 77 % reported a financial loss, and more than one-third reported more than 1,000 dollars.

In business, voice cloning can take a form close to CEO fraud: a voice imitates the executive, a partner, or a finance director to request an urgent transfer. The risk is reinforced when approvals rely on informal exchanges: a call, a WhatsApp message, a verbal “it’s approved.”

An SME with a public profile sometimes has a lot of audio material available: a sales webinar, a recruitment video, a local radio appearance, a recorded meeting that was later shared. Should all online speaking appearances be removed? Honestly, no. That would be disproportionate. It is better to limit unnecessary clips, frame publications, and above all make sensitive payments dependent on validation outside the call.

More broadly, the topic ties into AI governance in business. Teams that use ChatGPT, Claude, or Gemini to produce, summarize, or analyze must also set security rules; our guide on AI compliance for an SME with ChatGPT and Claude helps establish this framework without turning every use into an overcomplicated process.


The practical answer: a procedure in less than ten minutes

The authorities all recommend independent verification. This means: do not validate the information in the channel that is putting pressure on you. You hang up, then you take back control.

An effective procedure fits on one page. It must be known before the incident, not improvised during it. For a family, choose a simple but non-public code word that everyone can remember. Avoid the dog’s name if the whole family posts it on Instagram. For a business, define an approval process for exceptional payments: two people, two separate channels, no bank account detail change approved only by phone.

Situation | Recommended reflex | Realistic timeline | Indicative cost in France
Family exposed to an urgent request | Code word + call back to a saved number | 10 minutes | €0
Very small business with occasional transfers | Double approval by known phone number and internal email | 1 to 2 hours of planning | €0 to €300 depending on support
SME with finance management | Written procedure, payment thresholds, awareness training | 1 to 2 weeks | €800 to €3,000 depending on provider
Highly exposed in the media | Audit of public audio content + response plan | 2 to 4 weeks | €3,000 to €10,000 and more

These amounts are market order-of-magnitude estimates, not regulated rates. With a small budget, it is better to fund a half-day scoping session and practical awareness training than to buy a poorly understood voice detection solution. Synthetic audio detectors are improving, but they do not replace robust payment validation.

What the legal framework says, and its limits

In the United States, the FTC reminded in 2024 that there is no “AI exemption” from existing laws when voice cloning is used to deceive or defraud. The FCC also stated in 2024 that AI-generated voices in automated calls fall under “artificial” voices within the meaning of the Telephone Consumer Protection Act, making their use in fraudulent robocalls illegal.

In Europe, the GDPR governs personal data, and a voice can be personal data when it identifies a person. The European AI Act, adopted in 2024, adds obligations depending on AI use cases, particularly regarding transparency for certain generated content. But the law often acts after the damage is done. Your wire transfer, on the other hand, can go out in just a few minutes.

For websites, applications, and customer portals, the issue also becomes one of authentication. A simple call should not be enough to change an IBAN, reset administrator access, or approve an important refund. Modern approaches combine logging, roles, two-factor authentication, and hosting-side security rules; on this subject, the risks presented in our analysis of vulnerabilities affecting Fortinet firewalls remind us that a chain of trust must be designed end to end.


Reducing exposure without falling into paranoia

The first measure is to map accessible voices. Who speaks publicly on behalf of the company? Where are the videos? Are meeting recordings stored without any time limit? This work is quick and often revealing.

Next, separate communication from authority. A public voice should never be sufficient proof of an instruction, even for a highly recognizable executive. On the agency side, the reflex is to translate this rule into digital journeys: sensitive request confirmed in an authenticated space, notification, timestamped record, and validation thresholds.
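The approval rule from the procedure section (two people, two separate channels, nothing validated in the channel applying the pressure) and the timestamped record described above can be expressed as a small policy check. This is an added example, not code from the article or from any product; the threshold, channel names, and the `evaluate` function are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy values and channel names (illustrative, not from the article).
THRESHOLD_EUR = 5000
VERIFIED = {"authenticated_portal", "internal_email", "callback_known_number"}

@dataclass(frozen=True)
class Approval:
    approver: str
    channel: str  # e.g. "inbound_call", "whatsapp", "authenticated_portal"

@dataclass
class PaymentRequest:
    amount_eur: float
    requested_via: str
    changes_bank_details: bool = False
    approvals: list = field(default_factory=list)

def evaluate(req, now=None):
    """Return (allowed, reasons, audit_record) for one payment request."""
    # An approval counts only if it came through a verified channel that is
    # not the channel the request itself arrived on.
    valid = [a for a in req.approvals
             if a.channel in VERIFIED and a.channel != req.requested_via]
    sensitive = req.amount_eur >= THRESHOLD_EUR or req.changes_bank_details
    needed = 2 if sensitive else 1
    reasons = []
    if len({a.approver for a in valid}) < needed:
        reasons.append(f"needs {needed} distinct approver(s) on verified channels")
    if sensitive and len({a.channel for a in valid}) < 2:
        reasons.append("needs two separate verified channels")
    if req.changes_bank_details and not any(
            a.channel == "authenticated_portal" for a in valid):
        reasons.append("bank detail change not confirmed in authenticated space")
    record = {  # timestamped trace kept whether or not the payment goes out
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "amount_eur": req.amount_eur,
        "requested_via": req.requested_via,
        "approvals": [(a.approver, a.channel) for a in req.approvals],
        "allowed": not reasons,
        "reasons": reasons,
    }
    return not reasons, reasons, record

# Constructed sample: an urgent "executive" call asking for 12,000 EUR.
urgent_call = PaymentRequest(12000, "inbound_call",
                             approvals=[Approval("ceo", "inbound_call")])
```

The constructed `urgent_call` request is refused because its only approval arrived on the call itself; the same amount passes once two different people confirm it by callback to a known number and by internal email.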

Local AI technologies, which run directly on a device or in a browser, are also improving. They can reduce certain data transfers to third-party servers, but they do not by themselves solve social fraud. To understand this logic, you can read our piece on AI run directly in the browser with WebGPU or the comparison of embedded AI from Apple, Samsung, and Google.

Defining this type of risk upstream avoids most unpleasant surprises: public content, financial approvals, sensitive access, hosting, and internal procedures all interact. An outside perspective can help transform a vague concern into simple rules that can be applied by your teams as well as your loved ones.

FAQ on voice cloning and AI scams

How can you tell if a voice on the phone is cloned by AI?

You can’t always tell by the voice. Instead, rely on the context: urgency, secrecy, a request for money, or an unusual number. Hang up and call the person back using a number already saved.

What code word should you choose as a family against a voice scam?

Choose a short, memorable phrase that has never been published online. Avoid pet names, birth dates, vacation spots, or nicknames visible on social media.

Is voice cloning already scamming many victims in France?

Specific French public data remains limited. Cybermalveillance.gouv.fr had not formally identified any malicious cyber case attributable to AI within its scope in 2023-2024, but phone scams and number spoofing are increasing rapidly.

Can a company prohibit transfers approved by phone?

Yes, and it is even a sensible measure. A sensitive transfer should require written approval in a controlled channel, ideally with dual approval and verification of the bank account details.
