Your CEO's voice is no longer proof: deepfake fraud and how companies defend against it
5 July 2026 · 7 min read
Imagine your phone ringing on a Friday afternoon. It is your CEO's voice: his tone, his way of speaking, even the pause he makes when he is stressed. He needs an urgent payment sent to a supplier before end of business; he is in negotiations and cannot talk long. Everything sounds right. Except the CEO never called.
Cloning a voice used to require a studio and a specialist. Today a few seconds of audio is enough, taken from a video call, a social media post or a voicemail, plus a publicly available tool. The scam known as CEO fraud existed before, over email. AI added the voice, and increasingly the video too.
Why this is more dangerous than classic phishing
A phishing email can be read twice. You can check the sender address, you can pause. A phone call puts you under pressure in real time. The attacker controls the pace of the conversation, gives you no room to think, and targets exactly the situations where people skip procedures: Friday afternoon, end of the month, the boss "travelling".
The target is not the CEO but the people around him: finance, accounting, the office manager, anyone who can release a payment or hand over access. Attackers know who is who in advance, because they read your org chart off your website and LinkedIn.
The old advice no longer applies
For years the advice was: if an email looks suspicious, call the person and verify. That advice was written for a world where a voice was proof of identity. It no longer is. The same goes for video calls: real-time deepfake video exists and is used in fraud.
That does not mean every call is suspect. It means voice and face cannot be the sole basis for a decision about money or access. Identity gets confirmed through a channel the attacker does not control, never through the one the request arrived on.
Procedures that actually protect you
The good news: the defense does not require expensive technology. It requires rules that hold even when it sounds like the CEO himself is calling.
- Callback rule: every payment request or change of supplier bank details is verified by calling a number you already have on file, never a number provided in the message or call that made the request.
- Two signatures for money: no payment above a defined threshold goes out on a single instruction, regardless of who gives it or how urgent it sounds.
- An internal codeword for emergencies: a word or question known to a small circle, which an attacker cannot find on the internet.
- Urgency is a stop signal, not a speed signal: any request that insists on bypassing procedure "just this once" is treated as attempted fraud until proven otherwise.
- Supplier account changes: always confirmed through a known contact at the supplier, because intercepting and altering payment instructions is one of the most common variants of this scam.
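The rules above can also be enforced as a release gate in a payment workflow. The sketch below is an added example, not code from the article or from INTO MSP; the vendor record, field names, phone numbers, account strings and the threshold value are constructed assumptions, as is the choice that the requester never counts as one of the two signatures.

```python
from dataclasses import dataclass, field

# Constructed vendor master record, stored before any request arrived.
VENDOR_FILE = {"V-1001": {"phone": "+000 555 0100", "iban": "EXAMPLE-IBAN-ON-FILE"}}
DUAL_APPROVAL_THRESHOLD = 5000  # assumed; the article only says "a defined threshold"

@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    iban: str                 # account the money would be sent to
    requester: str
    approvers: set = field(default_factory=set)
    callback_number: str = ""            # number finance actually dialled to verify
    iban_change_confirmed: bool = False  # confirmed via known supplier contact
    bypass_requested: bool = False       # asked to skip procedure "just this once"

def _digits(number: str) -> str:
    return "".join(ch for ch in number if ch.isdigit())

def release_blockers(req: PaymentRequest) -> list:
    """Return the reasons a payment must be held; an empty list means release."""
    vendor = VENDOR_FILE.get(req.vendor_id)
    if vendor is None:
        return ["vendor not on file"]
    blockers = []
    # Callback rule: only a call to the number already on file counts.
    if _digits(req.callback_number) != _digits(vendor["phone"]):
        blockers.append("callback not made to number on file")
    # Supplier account change: new details need confirmation from a known contact.
    changed = req.iban.replace(" ", "").upper() != vendor["iban"]
    if changed and not req.iban_change_confirmed:
        blockers.append("bank details changed and unconfirmed")
    # Two signatures: the requester does not count, whoever it is (assumption).
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(req.approvers - {req.requester}) < 2:
        blockers.append("needs two approvers other than the requester")
    # Urgency is a stop signal.
    if req.bypass_requested:
        blockers.append("bypass requested: treat as attempted fraud")
    return blockers

# The Friday call from the article: number and account both came from the caller.
friday_call = PaymentRequest("V-1001", 48000, "EXAMPLE-IBAN-NEW", requester="ceo",
                             approvers={"ceo"}, callback_number="+000 555 0199",
                             bypass_requested=True)
print(release_blockers(friday_call))
```

The gate never reads a phone number or account from the request as trusted input; both are compared against the record that existed before the call.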
What to do if it already happened
If the payment went out, speed is everything. Call your bank immediately and request a recall and freeze, because the chances of recovery are highest in the first hours. Preserve everything: the number the call came from, recordings if any exist, emails, payment orders. Report the case to the authorities responsible for cybercrime. And do not punish the employee who reported the mistake, because next time it matters far more that someone reports immediately than that they stay silent out of fear.
This is a procedure problem, not a technology problem
An attacker with a cloned voice beats a company that makes decisions based on trusting a voice. He loses to a company where not even the CEO in person can push a payment through outside of procedure. That difference is not made by software but by rules that are written down, rehearsed and apply to everyone.
If your company has no defined process for verifying payment instructions, or has one on paper that has never been tested, that is the place to start. We help companies set up and rehearse these procedures before someone else tests them for you.