The fraud has learned to talk
Invoice fraud used to arrive by email, full of odd phrasing and suspicious addresses. The new version phones you, in your managing director's voice, or joins a video call wearing your finance director's face. Voice-cloning tools now need only a short sample of someone speaking, easily harvested from a podcast, a webinar recording or a LinkedIn video, to produce a convincing imitation.
This is not theoretical. In 2024 the engineering firm Arup confirmed that an employee in its Hong Kong office had been deceived into transferring around £20 million after a video call in which the other participants, including a figure appearing to be the chief financial officer, were deepfakes. The same year, fraudsters attempted to impersonate the chief executive of the advertising group WPP using a voice clone and publicly available footage; that attempt was caught. Large firms make headlines, but SMEs are attractive precisely because they have fewer verification layers between a phone call and a payment.
How the scam actually unfolds
Most incidents follow the same sequence, and knowing it is half the defence:
- 1. Research: fraudsters gather audio and video of a director from podcasts, event talks and social media, and map the firm's structure from LinkedIn and Companies House.
- 2. Cloning: the samples train a voice model; for video calls, footage may be puppeted in real time.
- 3. Contact: the call arrives on WhatsApp or a spoofed number, often late on a Friday or during known travel, when checking is hardest.
- 4. Pressure: the request is urgent and confidential, commonly framed as a sensitive acquisition, a supplier emergency or a tax deadline.
- 5. The ask: transfer to a new account, change a supplier's bank details, or buy high-value vouchers.
Notice that the technology only carries steps two and three. Steps four and five are classic social engineering, and that is where your defences work best.
Need a hand with this?
Our team delivers IT & Cyber Security for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →
Warning signs during the call
Deepfakes are improving quickly, so treat these as prompts for suspicion rather than a reliable test:
- Urgency combined with secrecy: any request that must be done now and told to no one is the signature of this fraud.
- Refusal to switch channels: the caller resists moving to a number or meeting link you already have on file.
- Audio oddities: flat emotional range, slight lag before answers, and awkwardness when interrupted mid-sentence.
- Video oddities: blurring at the hairline and jaw, lighting that does not match the room, lip-sync drift, and reluctance to turn sideways or pass a hand across the face.
- A payment pattern you have never used: new beneficiary, new urgency, new confidentiality.
The honest advice from security teams is that humans should not expect to spot a good deepfake in the moment. Process, not perception, is what saves you.
Verification rules that actually stop it
A handful of written, rehearsed rules defeat almost every version of this attack:
- Callback rule: any payment instruction or bank-detail change received by phone, video or message is verified by calling back on a number from your own records, never one supplied in the request.
- Code word: agree a challenge phrase known only to directors and the payments team for authorising unusual transfers. A voice clone knows the voice, not the word.
- Dual authorisation: two named people must approve any payment above a threshold you set, with no single-person exceptions.
- Supplier detail changes: always confirmed via the contact on the original contract, and use your bank's Confirmation of Payee check when setting up the payee.
- No seniority exceptions: the scam depends on junior staff being afraid to question the boss, so the policy must state that directors expect to be verified and will never penalise it.
Write these into your payments procedure and rehearse them. A rule that exists only in someone's memory dissolves under a convincing, angry, urgent voice.
Train the team, not just the technology
Email filters and call blocking help, but this fraud targets people, so the training budget matters more than the software budget. Brief everyone who can move money or change payee details, including anyone who covers the role during holidays, since fraudsters deliberately strike when the usual person is away. Run a short tabletop exercise twice a year: play out a fake CEO call and let the team practise saying no to a superior.
Assume your directors' voices are already cloneable; anyone who has spoken at an event, on a webinar or in a marketing video has provided ample material, and withdrawing from public life is not a realistic defence. Build the controls instead. The Take Five to Stop Fraud campaign offers free, well-made briefing material that suits SME teams, and your bank's fraud pages will document Confirmation of Payee and payment-limit controls you may not be using.
Key Takeaway
Assume any voice or video can be faked and defend with process, not perception. Adopt five written rules: callbacks on numbers from your own records, a code word for unusual transfers, dual authorisation above a set threshold, contract-verified supplier detail changes, and no seniority exceptions. Rehearse them twice a year, brief holiday cover staff, and if money moves, call your bank via 159 immediately and report to Action Fraud within the first hour.
If it happens: the first hour
Speed determines how much you recover, so pin this sequence to the wall:
- 1. Call your bank immediately to attempt a recall; from the UK you can dial 159, the secure anti-fraud line that routes you to most major banks.
- 2. Report to Action Fraud (actionfraud.police.uk or 0300 123 2040), or to Police Scotland on 101 if you are in Scotland.
- 3. Preserve evidence: call logs, messages, meeting invitations and recordings.
- 4. If personal data was exposed, assess whether the ICO must be notified within 72 hours.
- 5. Inform your insurer, and debrief the team without blame; punished victims stay silent, and silence helps the next fraudster.
Reimbursement rules introduced in late 2024 mean some victims of authorised push payment fraud, including many micro-businesses, can recover losses, but limits and conditions apply, so prevention remains far cheaper than recovery. If you want help hardening your payment processes and staff training against this threat, our team at Thind Global Services can help.
