It's a Friday afternoon. Your bookkeeper's phone rings. It's you — same voice, same cadence, sounding a little stressed. You're stuck between meetings and need her to wire $14,000 to a new vendor before end of day. You'll explain on Monday. Thanks, you're a lifesaver.
Except it isn't you. You're in your car, phone face-down in the cup holder, oblivious.
This is the scam that's quietly racking up wins against small businesses right now, and if you haven't heard one of these stories from a peer yet, you will soon.
What changed
Voice cloning used to require a computer science degree and hours of clean audio. That's over. Today, free tools online can produce a convincing copy of someone's voice from about three seconds of audio. Not a robotic copy. Not a "sort of sounds like you" copy. A copy that captures your pitch, your pace, the way you trail off at the end of sentences.
Where do scammers get the audio? The same places you've been happily putting your voice for years: a podcast appearance, a LinkedIn video, a webinar recording, a local news interview, a TikTok, even your outgoing voicemail greeting. None of these are mistakes. They're just public.
What's changed is what someone can do with them.
Why small businesses are the sweet spot
A few uncomfortable facts: voice phishing attacks shot up by several hundred percent over the last year. Small business owners are at the top of the target list — not because anyone has a personal vendetta, but because owners typically have payment authority and small teams that move fast. Finance and HR staff in particular get hit the hardest, since they're the ones who can actually move money or change a direct deposit.
The losses aren't small either. The average business hit by a deepfake-related incident loses around half a million dollars. Some have lost more.
And here's the part that should give every owner pause: the scam doesn't fail because the voice sounds wrong. The voice sounds right. It fails — when it fails — because someone slowed down long enough to verify.
What it actually sounds like in practice
The pattern is almost always the same:
- A familiar voice, calling at an inconvenient moment (right before close of business, right before a holiday, mid-rush).
- A request that's urgent but plausible — a wire to a new vendor, a change to a payroll account, a quick gift card purchase for "client appreciation."
- A reason you can't be reached the normal way ("I'm about to walk into a meeting," "my email is acting up," "don't loop in anyone, this is sensitive").
- Pressure to act now and explain later.
If you read that list and thought "honestly, that just sounds like a busy Tuesday at our shop" — yes, that's exactly the point. The scam works because it looks indistinguishable from how real urgency actually feels.
Four guardrails you can put in place this week
You don't need new software. You don't need a security consultant. You need four agreements with your team, and they take about thirty minutes to set up.
1. A verbal safe word for money movement
Pick a word — something nobody outside the team would guess. Any request involving wires, ACH changes, gift cards, or new vendor payments requires the safe word, spoken out loud, before it moves. If the caller can't produce it, the request stops. That's it. The cloned voice can imitate everything except a private agreement that was never said out loud anywhere a microphone could reach.
2. A "callback rule" that's actually a rule
Any unusual financial request gets verified by hanging up and calling the person back on their known number — not the number that just called, not a new number they gave you, not a text thread. This sounds basic. It is basic. It also stops the scam cold, which is why scammers work so hard to make hanging up feel rude or panicked.
3. Permission to slow down
Most of these scams succeed because an employee felt like questioning the boss would get them in trouble. Tell your team — directly, on the record — that pausing to verify a request from you is the right answer, every time, even if it turns out to be real and even if it's mildly inconvenient. They need to hear this from you before the call comes, not after.
4. A two-person rule for anything over a threshold
Pick a number — $5,000, $10,000, whatever fits your business — above which two people have to sign off on a payment. The second person doesn't have to be senior. They just have to be a second human being asking, "wait, did we actually agree to this?"
The honest takeaway
The technology to fake your voice is here, it's cheap, and it's not going away. But the businesses that get burned by this aren't the ones with bad people working for them. They're the ones whose people were never told what to watch for, or never given explicit permission to push back.
Thirty minutes of conversation with your team this week is genuinely all this takes. The next call your bookkeeper gets that sounds exactly like you might be you. Or it might be the most expensive Friday afternoon of your year.
If you'd like help building cybersecurity awareness across your team, reach out. We work with small businesses and nonprofits across Pittsburgh to build practical, no-jargon defenses against this kind of attack.
Able IT Pros