AI voice scams are aimed at your finance team — one rule stops the costly ones
Cloned-voice 'pay this now' calls are the fastest-growing fraud of 2026. The defence isn't clever technology. It's a habit.
A scam that sounded like science fiction a couple of years ago is now routine. Criminals use AI to clone a voice from a short clip of public audio, then call your finance team posing as the boss or a supplier, asking for an urgent payment or a change to bank details. It's convincing because it's the right voice saying the right thing under time pressure, and in 2026 it's the fastest-growing category of fraud.
How the scam actually works
It usually runs in steps. A scammer gathers a little public audio (a podcast clip, a webinar, a voicemail greeting) and clones the voice. Then comes a call or voicemail: an urgent payment 'from the boss', or a supplier asking to update their bank details before the next invoice. Often it's paired with a matching email so the story holds together. The caller ID looks right too, because spoofing a number is trivial. Everything is designed to make you act before you think.
The numbers are not small
Authorised push payment fraud, where someone is tricked into sending money themselves, cost UK victims £576 million in 2025, up almost a fifth on the year before. High-profile cases have seen large sums moved on the strength of a faked voice or video call. For a smaller business, a single successful 'change our bank details' scam can be a very bad day.
The defence is a habit, not a gadget
Here's the reassuring part. The single most effective defence costs nothing: any change to payment details, and any unexpected or urgent payment request, gets verified on a separate channel before anyone acts. A phone call back to a known number, not the one in the email or on the caller ID. Make it a firm rule that no one is in trouble for slowing a payment down to check, and you've defended against the most expensive scams going.
Back it up with the basics
Around that habit, the usual fundamentals still earn their keep: multi-factor authentication so a stolen password isn't enough, staff who know the current scams and feel safe flagging them, and good email filtering. None of it is exotic, and together it closes off the routes these scams rely on.
What this means for your business
Put one rule in place this week: every payment change or urgent payment request gets verified by a call-back to a known number, no exceptions, no one in trouble for checking. We help South West businesses build that habit and the technical basics around it, through staff awareness training and the security fundamentals that Cyber Essentials covers.
#WEARECOBALT
Ready when you are.
Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.