When familiar voices deceive: How Voice Cloning puts your internal controls to the test
When trust becomes a liability
In departments such as accounting, procurement, and the IT service desk, countless requests are processed every day. Some involve urgent payments, others require changes to supplier master data or password resets. Most of these requests are entirely legitimate. However, a single manipulated request can be enough to cause significant financial damage.
Fraudsters are increasingly targeting these everyday situations. AI-powered Voice Cloning makes it possible to create highly convincing imitations of real people’s voices and make them say virtually anything. In many cases, just a few seconds of publicly available audio is enough to do so. As a result, seemingly legitimate instructions and approvals can be used to persuade individuals to take actions they would otherwise question or refuse.
A study published by business.com in 2024 highlights the growing concern among organisations. 32 percent of executives surveyed said they lacked confidence in their teams’ ability to identify Deepfake fraud attempts.1 Yet many organisations still rely on their employees to detect fraudulent requests. If a deception goes unnoticed, there are often no controls in place to prevent the resulting damage. In such cases, a single successful manipulation can be enough to cause significant financial loss.
Why Voice Cloning is more than an IT problem
From a governance, risk, and compliance perspective, AI Voice Cloning Fraud is particularly concerning because it directly impacts critical business processes. Common targets include activities with significant financial, regulatory, or operational implications.
The risk becomes especially acute when apparently legitimate instructions trigger an action with significant consequences. Without safeguards such as secondary approvals, callback procedures, or other independent verification steps, a single successful deception can quickly lead to substantial losses. The real challenge is therefore not only detecting a Deepfake, but ensuring that critical workflows remain protected even when a fraudulent request appears genuine.
A 2024 fraud case in Hong Kong illustrates how real this threat has become. A finance employee took part in a video call with what appeared to be senior executives. In reality, the participants were AI-generated Deepfakes using cloned voices to impersonate company leaders. They convinced him to authorise transfers of approximately USD 25 million.2 The incident shows that Deepfake Fraud can directly affect critical business processes and lead to costly mistakes.
Where AI Voice Cloning Fraud poses the greatest risk
Deepfake Fraud is rarely random. In most cases, fraudsters use targeted social engineering techniques to exploit processes in which urgency, confidentiality, or personal communication play an important role. The risk is particularly high when verbal instructions are accepted without independent verification.
Examples of high-risk scenarios include:
- Payment approvals by phone, voicemail, or video call
- Changes to master data based on phone instructions
- Purchasing requests that require immediate action
- Password resets or identity approvals in the IT help desk
- Instructions that bypass normal approval processes
CEO Fraud Deepfakes create additional pressure. Employees believe they are speaking to a senior leader who demands confidentiality and expects immediate action. These attacks are especially effective when individuals are under time pressure, new to their role, or unable to verify an instruction through an independent channel.
Many organisations underestimate how convincing an AI Voice Scam can be. But Voice Cloning Detection alone is not enough. Effective controls must continue to protect critical processes even when a fraudulent instruction appears credible and the deception is not recognised immediately.
Controls reduce the risk of Voice Cloning Fraud
An effective Internal Control System does not need to identify every fraud attempt immediately. What matters is that critical actions cannot be triggered by a single instruction.
For example, payments above a defined threshold should always require a second approval. Changes to supplier or bank account information should be confirmed using previously verified contact details or a separate communication channel before any action is taken. Similarly, password resets in the IT help desk should be based on a structured identity check rather than a verbal request alone.
Controls like these significantly reduce the risk of AI Voice Cloning Fraud. They add safeguards that continue to work even when a Voice Deepfake makes a request seem authentic. Security authorities recommend exactly this approach: unusual or urgent requests should not be acted on immediately, but confirmed through an independent channel first.
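The controls described above can be enforced as a gate in the workflow itself, so the decision never depends on how convincing the caller sounds. The following Python code is an added example, not part of the original article or of any BIC product; the threshold, the identity-check names, the request fields and the sample master data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

PAYMENT_THRESHOLD = 10_000  # assumed value; the article names no figure
REQUIRED_ID_CHECKS = {"employee_id", "manager_confirmation"}  # assumed check set
# Constructed master data: contact details verified before any request arrived.
VERIFIED_CALLBACK = {"supplier-001": "+49 30 0000000"}

@dataclass
class Request:
    kind: str                  # "payment", "bank_change" or "password_reset"
    requester: str             # who the caller claims to be
    amount: float = 0.0
    supplier_id: str = ""
    approvers: set = field(default_factory=set)
    callback_number: str = ""  # number actually dialled to confirm
    identity_checks: set = field(default_factory=set)

def missing_controls(req: Request) -> list:
    """Return outstanding controls; an empty list means the action may proceed."""
    missing = []
    if req.kind == "payment":
        # Above the threshold, two approvers are needed, neither being the requester.
        if req.amount > PAYMENT_THRESHOLD and len(req.approvers - {req.requester}) < 2:
            missing.append("second_approval")
    elif req.kind == "bank_change":
        # The callback must go to the number on file, never one given by the caller.
        on_file = VERIFIED_CALLBACK.get(req.supplier_id)
        if on_file is None or req.callback_number != on_file:
            missing.append("callback_to_verified_contact")
    elif req.kind == "password_reset":
        if not REQUIRED_ID_CHECKS <= req.identity_checks:
            missing.append("structured_identity_check")
    else:
        missing.append("unknown_request_type")  # fail closed
    return missing

if __name__ == "__main__":
    # Constructed requests: an urgent transfer and a bank detail change by phone.
    urgent = Request("payment", "ceo", amount=250_000, approvers={"ceo", "alice"})
    print(missing_controls(urgent))
    change = Request("bank_change", "supplier contact",
                     supplier_id="supplier-001", callback_number="+49 30 1111111")
    print(missing_controls(change))
```

The gate never inspects the voice or the channel: a request that sounds authentic is still blocked until the independent steps are recorded.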
Turning controls into effective protection
Many organisations already have controls in place to reduce fraud risk. The challenge is often determining whether those controls are applied consistently and deliver the intended level of protection. Risk managers should therefore ask three key questions:
- Which risks are covered by our existing controls?
- Which measures are consistently applied in day-to-day operations?
- Where do gaps still exist?
When dealing with AI Voice Cloning Fraud, defining controls is only the first step. Organisations need a clear understanding of who is responsible for controls, which risks they mitigate, and whether they are effective in practice. Without that transparency, weaknesses can easily go unnoticed.
This is why control management is essential. With BIC Internal Control, risks, controls, and responsibilities can be linked in a structured way, making it easier to identify gaps and strengthen the control environment where it matters most. This is particularly important when addressing AI Voice Fraud and other forms of Deepfake-enabled deception.
Conclusion
The growing threat posed by Voice Cloning makes one thing clear: a familiar voice is no longer a reliable way to verify someone’s identity. Therefore, controls must continue to provide protection even when manipulated instructions appear genuine. Callback procedures, additional approvals, and structured identity checks provide important safeguards against AI Voice Cloning Fraud. To remain effective, even the strongest protective measures must be applied consistently and reviewed on a regular basis.
Companies that systematically connect risks, controls, and responsibilities become more resilient to Voice Cloning, AI Voice Fraud, and other forms of Deepfake Fraud.
1 Source: https://www.business.com/articles/deepfake-threats-study/
Frequently asked questions
How does Voice Cloning Fraud work?
Attackers use artificial intelligence to create a highly convincing copy of a real person’s voice. Short audio clips from public sources such as interviews, podcasts, or social media videos are often enough to do so. The cloned voice is then used to pressure employees into taking actions that can have financial, operational, or security-related consequences.
How can you recognise a Voice Cloning attack?
Voice Cloning is often difficult to detect. Common warning signs include unusual urgency, demands for secrecy, evasive answers, or attempts to bypass established procedures. Even when these signs are missed, controls such as callback procedures, secondary approvals, and identity checks should prevent fraudulent instructions from resulting in harmful actions.
What signs suggest a voice may be AI-generated?
There are no universally reliable acoustic indicators. Some AI Voice Scam attempts may sound slightly unnatural in their intonation, response timing, or conversational flow. But modern systems are often so realistic that those clues are missing, or only noticed too late. That is why Deepfake Voice Detection should never be treated as a sufficient safeguard on its own. Critical instructions should always be verified independently.
Why is Voice Cloning more dangerous than traditional Vishing (“Voice Phishing”)?
Voice Cloning attacks are designed to exploit trust and social pressure. Fraudsters imitate the voice of an executive, colleague, or business partner, making their instructions sound more credible and more likely to be followed.
How is Voice Cloning used in payment fraud?
Voice Cloning is often used to fake urgent payment requests, trigger changes to bank or supplier details, or obtain approvals outside normal processes. Workflows are especially vulnerable when people place too much trust in the credibility of a familiar voice.
Which controls are most effective against Deepfake Fraud?
Safeguards include multi-step approval processes for payments, callback procedures using verified contact details, additional checks for changes to supplier or bank account information, and structured identity verification. Their effectiveness depends on consistent application and robust enforcement.
Do existing processes need to be completely redesigned?
No. Usually there is no need to overhaul workflows from scratch. In many cases it is enough to strengthen existing processes with additional control steps.