The “Deepfake” Voice Check: Protecting Your AP Team from Urgent Audio Scams

Article summary: AI voice cloning has made it possible for attackers to call your accounts payable team sounding exactly like your CEO, and the requests they make follow a predictable formula. Deepfake voice scams are an evolution of business email compromise, and AP teams are the primary target because they can move money. A simple voice check playbook is the most effective defense available. 

The call sounds like your CFO. The cadence is right. The urgency is familiar.

A wire transfer needs to go out today. It’s confidential. The normal approval process doesn’t apply this time.

This is a deepfake voice scam, and accounts payable teams are its most valuable target. Not because they’re careless, but because their job is to move money quickly when leadership asks.

Building strong controls around financial approvals is no longer just about locking down system access. It’s also about what happens when the phone rings and the voice on the other end sounds exactly right.

Why Accounts Payable Teams Are the Primary Target

Accounts payable (AP) teams handle what attackers care about most: payments. They process invoices, authorize wire transfers, and manage vendor banking details. They’re also trained to respond quickly to requests from leadership, especially when a request comes marked urgent and confidential.

That combination of financial authority and habitual responsiveness makes AP teams the top target for impersonation-based fraud.

Business email compromise (BEC), in which attackers impersonate an executive or vendor over email to redirect payments, has been among the most expensive fraud categories in the US for years. Now, attackers are adding voice to the same playbook.

Business email compromise cost US businesses $2.77 billion in 2024 alone.

According to the FBI’s 2024 Internet Crime Complaint Center report, BEC ranked as the second-highest source of financial losses across all cybercrime categories, with over 21,000 complaints filed that year. Adding a cloned voice to the same attack makes the deception significantly harder to dismiss.

How a Deepfake Voice Scam Actually Works

A deepfake is AI-generated audio, video, or both that realistically replicates a real person. In a voice scam, the attacker builds a voice clone from publicly available recordings.

Voice cloning tools require only a few seconds of sample audio to produce a convincing replica. The result matches the target’s tone, cadence, and accent closely enough to mislead people who speak with them regularly.

The FTC has flagged voice cloning as one of the most difficult scams to detect, precisely because it exploits a form of trust people aren’t trained to question: recognizing a familiar voice.

More than 1 in 4 executives say their organization has already faced a deepfake fraud attempt targeting financial or accounting data.

In a Deloitte poll, 25.9% of executives reported at least one deepfake incident in the past year, and 51.6% expect attacks to increase. 

The formula across every documented case is consistent: authority (a trusted figure is calling), urgency (it needs to happen today), and secrecy (don’t involve anyone else). These three levers are chosen specifically to suppress the verification habits that would otherwise stop the transfer.

It’s the same impersonation logic behind reply-chain phishing attacks, where attackers hijack trusted conversations to manufacture compliance. The difference is that voice is far harder to dismiss in the moment.

Three Scenarios Your AP Team Should Know

The details change. The structure doesn’t.

The urgent wire transfer

The “CFO” or “CEO” calls directly about a same-day transfer for a confidential deal. There’s always a reason the normal approval chain shouldn’t apply. 

In early 2024, engineering firm Arup lost $25 million after a finance employee was convinced by a video call in which every participant, including the CFO, was AI-generated.

The vendor account change

A familiar supplier calls to notify the AP team that their banking details have changed. The voice matches the contact on file. The request seems routine. This version is effective because it doesn’t require an immediate transfer.

The confidential deal

An executive calls ahead of a public announcement and asks for a payment to move before news breaks. The secrecy framing is what makes this version effective: it gives the target a built-in reason not to verify with colleagues.

Your AP Team’s Voice Check Playbook

The strongest defense against a deepfake voice scam isn’t a detection tool. It’s a consistent process your team follows every time, regardless of how convincing a call sounds.

1. Never approve a payment based on a call alone

A phone call is a heads-up, not an authorization. Any payment request or account change should require confirmation through a second, pre-established channel before anything moves. Think of it as multi-factor verification for financial approvals: one input is never enough to confirm identity or intent.

2. Hang up and call back on a known number

If a call creates urgency around a payment, hang up and call the person back on a number already verified in your systems. Not a number provided by the caller. Attackers can spoof caller ID, and the number they give you may route directly back to them.

3. Set a team code word

Pre-agreed verification phrases are a layer that voice technology cannot bypass. Ferrari executives foiled an executive impersonation attempt in 2024 simply by asking the caller a personal question the real CEO would have been able to answer.

4. Treat secrecy requests as a red flag

Legitimate executives don’t typically ask AP staff to bypass review processes or keep a payment confidential from colleagues. If a caller says “don’t loop anyone else in” or “this needs to stay between us,” treat that as a reason to escalate through official channels rather than a professional courtesy to honor.

5. Limit publicly available voice samples

The FBI has warned that attackers harvest voice audio from public recordings, including webinars, conference sessions, LinkedIn posts, and social media. Encourage senior staff to think carefully about the volume of audio published under their name, particularly recordings where they speak at length.
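
For teams that track payment requests in a ticketing or AP system, steps 1 through 4 can also be enforced as a release gate. The sketch below is an added example, not part of the original article or any Sound Computers product; the directory entries, phone numbers, field names, and the "confidential" cue are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical directory of numbers already verified in company systems.
VERIFIED_NUMBERS = {"cfo": "+1-555-0100", "acme-supply": "+1-555-0142"}
# Secrecy cues from step 4; "confidential" is an added assumption.
SECRECY_CUES = ("don't loop anyone else in", "stay between us", "confidential")

@dataclass
class PaymentRequest:
    requester: str                         # directory key of the claimed caller
    call_notes: str                        # what the caller said, as logged by AP
    callback_number: Optional[str] = None  # number AP dialed back, if any
    code_word_ok: bool = False             # pre-agreed phrase given on callback

def review(req: PaymentRequest):
    """Return (decision, reasons): RELEASE, HOLD or ESCALATE."""
    reasons = []
    on_file = VERIFIED_NUMBERS.get(req.requester)
    if on_file is None:
        reasons.append("requester has no verified number on file")
    if req.callback_number is None:
        reasons.append("no callback made: a call alone is not authorization")
    elif req.callback_number != on_file:
        reasons.append("callback went to a number not on file")
    if not req.code_word_ok:
        reasons.append("code word not confirmed")
    # Normalize curly apostrophes so typed and pasted notes match the cues.
    notes = req.call_notes.lower().replace("\u2019", "'")
    cues = [c for c in SECRECY_CUES if c in notes]
    if cues:  # step 4: secrecy always goes to official escalation
        return "ESCALATE", reasons + [f"secrecy cue: {c}" for c in cues]
    return ("HOLD", reasons) if reasons else ("RELEASE", [])

if __name__ == "__main__":
    # Constructed sample requests, not taken from any real incident.
    samples = [
        PaymentRequest("cfo", "Wire must go out today. This needs to stay between us."),
        PaymentRequest("cfo", "Pay the approved invoice this week.", "+1-555-0199", True),
        PaymentRequest("cfo", "Pay the approved invoice this week.", "+1-555-0100", True),
    ]
    for s in samples:
        print(review(s))
```

A request is released only when the callback went to the number on file and the code word was confirmed; a secrecy cue sends it to escalation even if every other check passed.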

Ready to Build Your Team’s Defense?

Deepfake voice scams work because the voice sounds like someone your AP team already trusts. The protection isn’t a technical product. It’s a set of habits.

The businesses that stop these attacks aren’t necessarily better equipped. They’re just harder to rush.

Contact Sound Computers to schedule a consultation. We can help you put a practical AP security protocol in place and make sure your team knows what to listen for. Call us at (860) 577-8060, reach us online, or email info@soundcomputers.net.

Article FAQs

What is a deepfake voice scam?

A deepfake voice scam uses AI-generated audio to impersonate someone you recognize and persuade you to take a financial action. The voice is cloned from publicly available recordings, and the result can be convincing enough to fool people who interact with that person regularly.

Why are AP teams specifically targeted?

AP teams have direct authority over payments and are trained to respond quickly to instructions from leadership. That combination of financial control and responsiveness to urgency is exactly what attackers need.

How do attackers clone someone’s voice?

Voice cloning software can produce a convincing replica from just seconds of audio, sourced from webinars, recorded meetings, video posts, or saved voicemails. The output closely matches the original speaker’s tone, cadence, and accent. Some tools are accessible to anyone with an internet connection and a free account.

What should my AP team do when they receive a suspicious call?

Hang up and call the person back using a number already verified in your systems, not one provided by the caller. Require any payment or account change to be confirmed through a second channel before acting. If the caller emphasizes urgency or secrecy, treat that as a reason to pause and escalate, not to proceed.

April 15, 2026
Tech Marketing Engine