Three years ago, cloning a voice well enough to fool a coworker required a research lab, hours of clean audio, and a GPU cluster. In 2026, it requires a free trial of a commercial speech model, about thirty seconds of audio scraped from a LinkedIn video, and a phone.
That is the change. Voice cloning crossed the line from research demo to commodity attack tool in late 2023 and has stayed there. Headlines have done a poor job separating the cases that actually happened from speculative writeups, so this post walks through what is documented, how the attacks unfold against a small business, and what defenses hold up.
Upfront: most small businesses are over-buying “AI deepfake detection” products and under-investing in the boring callback procedures that have always defeated wire fraud. The defense story has not changed as much as the threat story.
What is actually documented¶
A handful of real incidents have set the public narrative. They get cited in every vendor pitch deck, so it is worth knowing what each one actually proves.
Arup, February 2024 (Hong Kong)¶
The Arup case is the largest publicly reported AI-assisted fraud against a single company to date. A finance staffer in Arup’s Hong Kong office transferred roughly $25 million across multiple wires after attending a video conference with what appeared to be the company’s CFO and several colleagues. Every other “person” on the call was a deepfake video and synthesized voice. Hong Kong police confirmed the fraud in May 2024.
What it proves: video and voice can both be synthesized convincingly enough to defeat a multi-person video call when the attacker has done reconnaissance and the target has no out-of-band verification step.
What it does not prove: that this technique is being used at scale against small businesses. Arup was a $2.5 billion engineering firm and the attackers invested serious effort. The Arup attack is the high-end case study, not the median.
The 2024-2026 BEC voice-clone wave¶
More relevant to small businesses is the broader pattern documented by the FBI’s IC3, the FTC, and CISA during 2024-2025. BEC (business email compromise) attacks are increasingly supplemented with a follow-up call in which the voice sounds like the CEO, CFO, or a known vendor contact.
The pattern repeats: a spoofed or compromised email instructs a finance staffer to change payment instructions or expedite a wire, and the “confirmation call” they place is intercepted, or an inbound call arrives with a cloned voice pressing urgency. Per-incident losses on the SMB side typically run $30,000 to $400,000.
This is the threat shape that matters for SMBs. Not a live deepfake on a Zoom call. A 45-second voicemail or live call that sounds enough like the boss to get a junior employee to push through a payment change.
MGM-style hybrid social engineering (2023-2025)¶
The MGM Resorts attack in September 2023 is often cited in the AI-voice conversation, but be careful. The publicly reported entry vector was a vishing call to an IT help desk in which the attacker impersonated an employee to get a password reset, using a regular human voice and social engineering, not an AI clone.
It is worth mentioning for the hybrid pattern. Groups operating in 2024-2026 (Scattered Spider is the most associated with this technique) routinely combine LinkedIn reconnaissance, pretexting, and live vishing against help desks. AI voice cloning is now showing up as one more tool in that toolkit.
How the attack unfolds against an SMB¶
The pattern is consistent enough across reported cases that you can almost script it.
Step 1: Reconnaissance. The attacker identifies the target, the owner, and a finance employee. LinkedIn, the company website, podcasts, and YouTube videos are the source material. Thirty seconds of clean audio is enough for a commercial voice model.
Step 2: Setup. The attacker compromises or spoofs an email account, sometimes a real one (credential theft, missing MFA), sometimes a lookalike domain (yourcompany-co.com instead of yourcompany.com).
Step 3: Trigger. An email arrives during a busy moment: payroll week, a vendor invoice cycle, a real travel period for the owner. It asks for an urgent payment change, a new wire, or an expedited check.
Step 4: Voice confirmation. If the employee tries to verify, the call either reaches the attacker (the number in the email is the attacker’s) or an inbound call arrives from a spoofed number with what sounds like the owner’s voice.
Step 5: Payment goes out. Money moves to a mule account, typically converted to crypto within hours, often unrecoverable.
The technical sophistication of the voice clone is rarely the deciding factor. Whether the employee paused to verify through a known-good channel is.
Defenses that actually hold up¶
There is a real product category emerging around AI deepfake detection: tools that analyze audio for synthetic artifacts and flag suspicious calls. Some of these will get better. None of them are reliable enough today to be your primary control, and I would rank them well below the basics on any 2026 SMB budget.
What does hold up:
Multi-channel verification for any financial change¶
The single highest-leverage control. Any request to change payment instructions, add a new payee, or send a wire above a documented threshold gets verified through a second, independent channel. If the request came by email, confirm by phone using a number from your address book, not the number in the email. If by phone, confirm by text or in person.
This is not new advice. It is what the FBI has recommended for BEC since 2015. It defeats AI voice cloning for the same reason it defeated email impersonation: it removes the attacker’s ability to control both sides of the conversation.
Callback protocols with a verification phrase¶
A step further: maintain pre-agreed callback numbers for key personnel and key vendors, paired with a verification phrase that only the real person would know, rotated periodically. If you are wiring six figures based on a phone call, “what is the phrase” should be a step in the script. Awkward is the point. The friction is the defense.
MFA on payment-change requests, not just logins¶
Most SMBs treat MFA as a login control. The higher-impact use is requiring MFA-style approval (a push notification, a hardware key tap, a second-person acknowledgment) on any change to payment instructions in your accounting system, payroll provider, or banking portal. Most major providers offer dual-approval workflows; most small businesses have them disabled.
Employee awareness training that includes audio examples¶
Generic phishing training rarely includes voice. Update annual training to include real samples of AI-cloned voices. The goal is not for employees to detect a fake voice (they often cannot). The goal is for them to recognize that “urgent payment change confirmed by a phone call” is the attack pattern, regardless of whose voice is on the line.
Reduce the public audio footprint where you can¶
If your voice is not already extensively public, think twice before the marketing video that puts thirty seconds of clean audio online. This is not a recommendation to go silent. It is a recommendation to know what you are paying in attack-surface terms for each piece of public content.
(Our Incident Response Policy module covers the callback-protocol playbook in detail.)
What I would not spend money on yet¶
AI voice detection software at the consumer or SMB price tier. The tools that exist in 2026 either produce too many false positives to be operationally useful or work only after the fact on recorded audio, by which point the wire is gone. Enterprise call-center vendors have better integrations, but those products are not priced for SMB. The accuracy curves will improve. They are not where 2026 budget belongs.
Generic “AI security” products without a specific stated control. If a vendor cannot tell you in one sentence what attack they prevent and how, the product is brochure-ware.
What to actually do this quarter¶
- Write a payment-change verification policy requiring a callback on a known-good number for any change to wire instructions, ACH instructions, or new payees. Pick a concrete threshold (often $1,000 is the right floor).
- Pick a verification phrase for the small set of people authorized to direct large transfers. Rotate it quarterly. Make sure your bookkeeper and your bank have it.
- Turn on dual-approval workflows in your accounting system, payroll provider, and banking portal. They are almost always available and almost always off by default.
- Add one real AI-voice example to your next employee training. CISA, IC3, and FTC consumer alerts have public examples.
- Audit your own public audio footprint. You do not need to delete anything. Just know what is out there.
The defense story for 2026 is not new technology. It is the steady reinforcement of out-of-band verification, written down, practiced, and built into the workflow before an urgent-sounding voicemail makes it feel inconvenient.