AI Voice Cloning Scams: The 12-Second Call That Cost £12,500
This week's tip is the one keeping Greater Manchester finance teams up at night. The technology is genuinely impressive — and used by criminals, it's genuinely dangerous. The good news: the fix takes 30 seconds and costs nothing.
The £12,500 phone call
A Greater Manchester accountancy practice called us in last month after a nasty week. Their finance manager — let's call her Sarah — got a phone call that sounded exactly like her managing director. Same voice, same Mancunian accent, same slight cough he'd had for years.
The "MD" said he was in a client meeting and needed an urgent supplier payment released before close of business. £12,500, sort code and account number sent by text moments later. Sarah did what any good finance manager does — she actioned it.
The real MD was, at that moment, sitting in traffic on the M60. The voice on the phone was an AI clone built from a 90-second video he'd posted on LinkedIn six weeks earlier.
By the time we walked through the door, the money was gone, the bank had opened a fraud case, and Sarah was beating herself up. Our job wasn't to lecture — it was to put a simple rule in place so it could never happen again.
Worth saying plainly: Sarah's firm wasn't one of ours. If they had been, the callback rule and the M365 controls behind it would already have been in place — and the £12,500 would still be sitting in the firm's account.
Why this matters
- Voice cloning attacks rose by more than 1,300% year-on-year in the UK. Cyber Security Breaches Survey 2025, GOV.UK.
- 28% of UK adults have been targeted by an AI voice scam, with one in twelve victims losing money. NCSC guidance referencing Starling Bank / Mortar Research, 2024.
The fix
The rule is boring, low-tech, and devastatingly effective. We deploy it as part of our Secure State offering — alongside MFA, payment approval workflows and the staff awareness training that turns "I felt rude pushing back" into "calling back is just what we do here".
Three things you can do this week
🏠 At home
Agree a family safe word with parents, children and partners over dinner tonight. If anyone claiming to be family rings asking for money in an emergency, ask for the word. No word, no transfer. Costs nothing, takes 30 seconds, and works against every voice-clone scam in circulation.
🏢 At work
Put a callback rule in writing as one control inside a properly hardened cyber posture. Any voice instruction to pay money, change bank details or share credentials must be verified by calling back on a known internal number — not the one that just rang in. We package this with MFA, payment approval workflows and staff awareness training as part of our Secure State offering — if you're rolling it out yourself, the rule alone is only half the job.
🌍 For everyone
Audit your public audio footprint. LinkedIn videos, podcast appearances, Companies House recordings, even Instagram stories — three seconds is enough. You don't need to disappear from the internet, but think before the next quick selfie video.
What actually stops a voice clone scam?
Honest comparison — we've talked finance teams through all four.
| Approach | What it does | Cost | Stops the £12,500 scam? |
|---|---|---|---|
| Callback rule | Verify any voice instruction by phoning back on a known number | Free | ✅ Yes — every time |
| Family safe word | Code phrase only your family knows | Free | ✅ Yes — for personal calls |
| Payment approval workflow | Two-person sign-off on transfers above a set limit | Built into M365 / accounting platforms | ✅ Yes — adds a second human check |
| Voice biometrics | Software that scores whether speech is AI-generated | £££ — enterprise-only | Partial — false positives common |
What this looks like locally
We've helped accountancy practices in Stockport, law firms in Altrincham, dental groups in Oldham and not-for-profits in Tameside put callback rules into their day-to-day. The pattern is always the same: one team meeting, a one-page policy document, and the first time someone politely says "Sorry boss, I just need to ring you back on the office line" — everyone exhales.
For a deeper look at how this fits into a broader security baseline, see our piece on Cyber Essentials vs Cyber Essentials Plus — payment fraud controls are exactly the kind of thing the assessor looks for.
Frequently asked
How can I tell if a voice on the phone is AI?
Honestly — you usually can't. The technology is good enough that close colleagues are fooled. Don't try to spot it. Hang up and call back on a known number — that's the only reliable defence.
How much audio does an AI voice clone need?
As little as three seconds. A single LinkedIn video, podcast clip or voicemail greeting is enough for the better tools.
Is voice cloning illegal in the UK?
Using it to defraud is fraud — illegal under the Fraud Act 2006. The technology itself isn't illegal, which is why criminals can buy it cheaply on the open market.
Should I take my LinkedIn videos down?
No. The audio is already out there for anyone who's ever spoken in public. Focus on the callback rule — that's what actually stops the attack.
What should I do if I think I've been targeted?
Stop. Hang up. Call the real person on a known number. If money has moved, contact your bank's fraud line immediately and report it to Action Fraud on 0300 123 2040.
Does Cyber Essentials cover voice cloning?
Not directly — voice cloning is a social engineering attack, not a technical one. But the Cyber Essentials mindset of "verify before you trust" is exactly the right starting point.
"Hang up. Call back. Every time. No exceptions." — Brett Casterton, Inology IT
I'm one form away.
I'm Brett at Inology IT — based in Tameside, looking after businesses right across Greater Manchester. Drop your details below and I'll be in touch within one working day.
Last reviewed by Brett Casterton, May 2026.