AI Fraud: Protecting your business from deepfake calls

Cybercriminals continue to develop increasingly sophisticated methods and technologies to perpetrate fraud, gain access to confidential information, and compromise accounts. In addition to traditional cybercrime tactics – such as phishing campaigns and malware attacks – they are increasingly exploiting trust, human error, and employee vulnerabilities through telephone-based social engineering schemes. The growing use of voice-enabled technologies has created new opportunities for fraud, while advancements in artificial intelligence (AI) are further enhancing cybercriminals’ ability to deceive victims and conduct increasingly convincing and effective attacks.

In 2026, the FBI added a dedicated section on AI fraud in its annual Internet Crime Report, underscoring that voice cloning and deepfakes have emerged as major fraud threats and urging businesses to bolster verification steps.

AI-supported fraud is blurring the lines between what’s real and what isn’t. In addition to the threat it poses to a society navigating the digital world, AI fraud has the potential to bring significant reputational, financial and security risks to companies. Particularly concerning is the development of deepfake audio, which is allowing cybercriminals to execute more elaborate social-engineering attacks by phone.

What is deepfake audio?

Deepfake audio generated through voice cloning technology represents one of the most sophisticated emerging tools in AI-enabled cyberattacks. Threat actors create synthetic voice models by training algorithms on audio samples of targeted individuals, often sourced from publicly available content such as speeches, presentations, corporate videos, podcasts and media interviews. To facilitate deepfake-enabled fraud schemes, advanced attackers can produce highly convincing voice replicas using as little as 3–10 seconds of high-quality audio, while larger audio datasets – up to 20 minutes or more – can further improve the realism, accuracy, and effectiveness of the cloned voice.  

Once a sufficiently robust deepfake audio profile is built, it can be used with specialized text-to-speech software to create scripts for the fake voice to read.

In one widely reported incident, a company’s CFO received an urgent phone call that perfectly mimicked their CEO’s voice. Believing it was a legitimate directive, the CFO authorized a $243,000 transfer – only to learn later the call was an AI-cloned voice deepfake. 

In 2025, the FBI received over 22,000 reports of scams involving AI-generated voice or video – with reported losses approaching $893 million. This underscores how rapidly deepfake and voice-cloning scams have grown into a serious corporate threat.

What can you do about deepfake fraud?

• Train and test staff regularly. Provide awareness sessions on emerging threats like deepfake voice fraud, and run periodic drills (e.g., simulate a suspicious phone call) so employees can practice safe responses. 
  
• Encourage employees to pause and verify unexpected requests, even when they appear to come from senior executives, particularly if they bypass normal processes or convey unusual urgency. 
  
• Pay attention to any requests for deviations from organizational processes around wiring money or sensitive transactions. 
  
• Require a second channel verification. If any urgent request involves financial transactions or sensitive data – even if it seems to come from a trusted executive – pause and verify it via a known contact method (e.g., call the executive back on their official number or confirm via a company email). 
  
• Enforce dual approvals for critical transactions. Structure payment processes so no single individual can request, approve, and execute a transfer alone. This ‘four-eyes’ principle reduces the risk of a fraudster exploiting a lone employee. 

While deepfake audio is an emerging AI-driven threat, traditional phone scams (‘vishing’) remain prevalent and continue to exploit human trust. It’s important to guard against both conventional and high-tech voice scams.

What is voice phishing (vishing)?

Vishing (voice phishing) is a longstanding social engineering tactic in which criminals use telephone calls or voice messages to deceive individuals into disclosing sensitive personal, financial or account information. Typically, the fraudster impersonates a trusted organization – such as a financial institution, government agency or reputable company – to persuade victims to reveal information such as account credentials, banking details or credit card numbers. While the objective is similar to that of phishing emails, vishing relies on voice-based communication and human interaction to exploit trust, create a sense of urgency and manipulate individuals into taking actions that may compromise their security.

The FBI consistently finds that phishing (including vishing phone scams) is one of the most commonly reported forms of corporate fraud each year.

How can you protect yourself against vishing and social engineering attacks?

• Never disclose sensitive information – such as Social Security numbers, account details, addresses, passwords or internal organizational information – to an unsolicited caller. 
• Always verify the caller’s identity before sharing any information. Request the caller’s name, department, and contact information, then independently confirm their identity by contacting the organization through a trusted phone number obtained from an official source or internal directory.  
• If a caller appears suspicious or pressures you for an immediate response, it is appropriate to say, “I would like to verify your request and will contact you back through official channels.” Criminals frequently create a false sense of urgency to discourage verification and critical thinking. 
• Do not assume a caller is legitimate simply because they appear to be an employee, executive, vendor or trusted business contact. Exercise caution whenever a caller requests sensitive information, access to systems or details about the organization. Avoid sharing information about reporting structures, internal processes, or personnel – particularly individuals in sensitive functions such as Human Resources, Finance, Treasury or Funds Transfer Operations.  

What are some common red flags of vishing attempts?

Be alert for the following indicators that a caller may be attempting to commit fraud:  

• The caller requests information about organizational structures, reporting relationships, employees or other sensitive internal information.
• The caller emphasizes urgency, insisting that immediate action is required. Requests that pressure individuals to bypass normal procedures or act quickly should be treated as a warning sign and independently verified. 
• The caller claims to represent a government agency, financial institution, technology provider, or technical support team and requests confidential information, credentials, passwords, account details or access to systems.
• The caller discourages verification, insists on secrecy, or attempts to bypass established approval and authentication processes.
• The caller requests information or actions that are inconsistent with normal business practices or established procedures.

When in doubt, pause, verify and follow established security protocols before taking any action.

At U.S. Bank, your privacy and security are our priority. We’re constantly enhancing our systems to keep your data secure and provide seamless technology experiences. Learn more about protecting your organization with our fraud prevention checklist or contact U.S. Bank for help with your fraud prevention plan.