Deepfake Vishing: When Employees Can No Longer Trust a Familiar Voice
AI voice cloning now lets attackers impersonate executives and IT staff over the phone with just seconds of audio. Here is how deepfake vishing works, who is exposed, and how to test whether your team would fall for it.
TL;DR
- AI voice cloning tools can produce a convincing clone from as little as three to ten seconds of clean audio.
- Deepfake-enabled vishing attempts have surged by more than 1,600% year over year.
- 41% of organisations report experiencing a deepfake combined with social engineering on an audio call, according to Gartner's 2026 CISO survey.
- “I recognised the voice” is no longer proof of identity, and traditional awareness training rarely covers this.
- Vishing simulations that include deepfake techniques are the only reliable way to know whether your team would fall for it.
For years, the advice for spotting a suspicious phone call was simple: listen for anything that sounds off. That advice no longer holds. Real-time voice cloning has moved from research demo to commodity attack tool, and it is changing what social engineering testing needs to cover. A conference talk, a podcast appearance, a town hall recording, or a single LinkedIn video now supplies enough audio for an attacker to clone an executive's voice convincingly. Sectricity's vishing testing already includes deepfake voice techniques on request, because the threat is no longer hypothetical.
How AI Voice Cloning Vishing Works
From Seconds of Audio to a Convincing Clone
Modern voice cloning models need only three to ten seconds of clean audio to produce a clone that is convincing over a phone line. That audio is easy to find: earnings calls, webinars, internal town halls, or a two-minute LinkedIn video are all public or semi-public sources attackers use routinely.
Combining Cloned Voices with Caller ID Spoofing
A cloned voice becomes far more effective when paired with caller ID spoofing, so the call appears to come from a real internal extension or a known vendor number. The combination of a familiar voice and a familiar number removes the two checks most employees rely on instinctively.
Why This Bypasses Traditional Awareness Training
Most security awareness training still frames phishing and vishing as something to catch through suspicious details: a strange email domain, poor grammar, an unfamiliar caller. Deepfake vishing removes exactly those signals. The voice is right, the urgency is plausible, and the request often mirrors a real process, such as a password reset or an urgent payment approval. Training that only teaches employees to trust their gut leaves this gap wide open.
Real-World Attack Patterns
The “IT Support” MFA Reset Call
Attackers clone the voice of a known IT support employee and call staff during a “scheduled” password reset window, asking them to read out a multi-factor authentication code to confirm the reset. Because the voice and the timing feel legitimate, employees comply.
Executive Impersonation for Urgent Transfers
This is a direct evolution of CEO fraud, but voice-based rather than written. A cloned executive voice calls finance directly, references a real deal or supplier, and requests an urgent payment or change to bank details, applying time pressure that discourages verification.
Who Is Most Exposed
Executives and Public-Facing Employees
Anyone whose voice is publicly available through interviews, keynotes, webinars, or podcasts is a viable cloning target, independent of seniority.
Finance and IT Support Teams
These teams are targeted because they can approve payments, reset credentials, or bypass controls under pressure, and both are already primary targets in written business email compromise attacks.
How to Test Whether Your Organisation Would Fall For It
Assuming employees will “just know” is not a control. Vishing testing simulates believable pretexts over the phone, with deepfake voice techniques available on request for organisations that want to test against the most current attack methods. For organisations with executives who are frequent public speakers or media presences, an executive threat analysis maps this specific exposure and recommends concrete mitigations.
Practical Defences Beyond “Just Verify the Voice”
Effective defences replace voice recognition with a process that does not depend on it: mandatory callback verification through a known number rather than the one on the incoming call, pre-agreed code words for high-risk requests such as payment changes or credential resets, and out-of-band confirmation for any request involving money, access, or credentials, regardless of how confident the caller sounds.
Frequently Asked Questions
What is deepfake vishing?
Deepfake vishing is voice phishing that uses AI-generated voice cloning to impersonate a real person, such as an executive or IT support employee, during a phone call in order to manipulate the target into an action like transferring money or revealing a credential.
How much audio does it take to clone someone's voice?
Modern voice cloning tools can produce a usable clone from as little as three to ten seconds of clean audio, which is often available from public recordings such as webinars, interviews, or short video clips.
Can security awareness training alone stop deepfake vishing?
Awareness training helps, but it is not sufficient on its own, because deepfake vishing removes the usual warning signs employees are trained to spot. Verification processes that do not rely on recognising a voice are required alongside training.
Does Sectricity test for deepfake voice attacks?
Yes. Sectricity's vishing testing can include deepfake voice techniques on request, to assess whether employees would recognise and correctly handle a cloned-voice call.
Is deepfake vishing the same as CEO fraud?
They are related but not identical. CEO fraud traditionally refers to written impersonation, typically by email. Deepfake vishing applies the same impersonation logic to a live phone call using a cloned voice, which removes different verification cues than a written message does.
How can finance and IT teams protect themselves against this?
By using verification steps that do not depend on recognising a voice, such as mandatory callback to a known number, pre-agreed code words for sensitive requests, and out-of-band confirmation before acting on payment or credential-related requests.
Related services and resources
Deepfake vishing sits at the intersection of two things Sectricity tests directly: how convincing a social engineering pretext can be made, and how prepared your organisation is to resist it. Our vishing testing service can incorporate deepfake voice techniques to simulate this exact scenario, and our executive threat analysis is designed for organisations whose leadership has a public voice profile worth protecting. For a broader view of how social engineering assessments are structured, read our Social Engineering Assessment guide, and for the written equivalent of this threat, see our article on CEO fraud.