
    How to Spot AI Voice Scams and Deepfake Phone Calls

    Updated 30 April 2026

    What Is an AI Voice Scam?

    Attackers can now clone almost anyone's voice from a few seconds of audio — a podcast, a webinar, a LinkedIn video, even a voicemail greeting. They then phone someone in your business pretending to be the cloned person, and ask for a transfer, a gift card purchase, or login credentials.

    These scams have gone from rare to mainstream during 2025 and 2026. Australian businesses have lost millions. The technology is cheap, the audio is convincing, and the social pressure ("I am in a meeting, just do it now") is intense.

    This article shows you how to recognise the warning signs and — more importantly — how to verify any voice request before acting on it.

    Common Scenarios in Australian SMBs

    • A "CEO" calls the bookkeeper from an unknown mobile asking for an urgent transfer to a new supplier
    • A "client" calls reception asking for staff details "for an invoice"
    • A "manager" calls a junior team member asking them to buy gift cards "for a client thank-you" and read out the codes
    • A "staff member" calls IT asking for a password reset because they are "locked out and travelling"
    • A "tradesperson" calls the office to redirect a payment to a new bank account "because their old one was compromised"

    The common thread is urgency, authority, and a change to a normal process — typically a new bank account, a new payment method, or a new contact channel.

    Warning Signs During the Call

    The voice itself is hard to fault — that is the whole point. The warning signs are in the behaviour:

    • The call comes from an unknown number or a number that does not match the person's usual one ("I lost my phone, this is a borrowed one")
    • The caller refuses to let you call them back on their normal number
    • The caller pressures you to act right now ("I am about to walk into a meeting", "the supplier is on the other line")
    • The caller tells you to keep it quiet ("do not mention this to anyone else", "this is confidential")
    • The request bypasses normal process (a new bank account, a new payment method, a payment under the usual approval threshold)
    • The caller cannot answer a basic question that the real person would know
    • There is unusual background silence, audio glitches, or strange pauses (AI voices sometimes have very clean backgrounds)
    • The caller speaks in slightly unusual phrasing or uses words the real person does not use

    If two or more of these are present, treat the call as a scam until proven otherwise.

    The Single Best Defence: Call Back on a Known Number

    If the request involves money, login details, or anything urgent — hang up and call the person back on their normal number that you already have saved. Not the number that called you. Not the number on the email signature in this morning's email. The number that lives in your contacts from before today.

    If the real person answers, you can confirm the request in 30 seconds. If they do not know what you are talking about, you have just stopped a scam.

    This single habit defeats almost every voice scam. Build it into your business: "Any unusual financial request gets verified by callback. No exceptions, no apologies."

    Use a Family or Team Code Word

    For high-trust requests (a CEO calling the CFO, a parent calling a teenager about money), agree a code word in advance that only the real people know. Ask for it during the call. AI cannot guess a code word.

    A simple code word — even something silly like "wombat" — is more effective than any technical control.

    Set Up Process Controls

    The technical advice is simple:

    • Two-person approval for any payment over a threshold you choose (often $500 to $5,000 for SMBs)
    • Out-of-band verification for any new bank account or supplier — staff must independently phone or email the supplier on previously known contact details
    • Cooling-off for unusual transfers — a minimum 30-minute wait between approval and execution gives you time to second-guess
    • Documented payment process that staff are trained on, with management explicitly saying "I will never ask you to bypass this"

    The hardest part is the cultural one: making it socially acceptable for a junior staff member to push back on a "CEO" call. Leadership has to give explicit, repeated permission to verify.
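
The controls above can be enforced as a release gate in whatever system executes payments. The sketch below is an added example, not code from Netluma IT or any payment platform: the `Payment` record, the `release_blockers` function, the $1,000 threshold, the reading of "two-person" as two distinct approvers, the definition of "unusual" as a new account or an over-threshold amount, and all sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

APPROVAL_THRESHOLD = 1000.00         # assumed value; pick your own threshold
COOLING_OFF = timedelta(minutes=30)  # minimum wait given in the article

@dataclass
class Payment:                       # hypothetical record, not a real platform's schema
    payee: str
    account: str                     # BSB + account number the money would go to
    amount: float
    approvers: set = field(default_factory=set)  # distinct staff who approved
    approved_at: Optional[datetime] = None       # time of the final approval
    callback_by: Optional[str] = None            # who phoned the payee on a known number

def release_blockers(p: Payment, known_accounts: dict, now: datetime) -> list:
    """Return the reasons this payment must not be executed yet (empty = release)."""
    blockers = []
    # "New" means the account differs from the one already on file for this payee.
    new_account = known_accounts.get(p.payee) != p.account
    over_threshold = p.amount > APPROVAL_THRESHOLD

    if over_threshold and len(p.approvers) < 2:
        blockers.append("two-person approval missing")
    if new_account and not p.callback_by:
        blockers.append("new account not verified by callback")
    if new_account or over_threshold:            # treated here as "unusual"
        if p.approved_at is None or now - p.approved_at < COOLING_OFF:
            blockers.append("cooling-off period not elapsed")
    return blockers

# Constructed sample data: one supplier on file, three payment requests.
KNOWN = {"Acme Plumbing": "062-000 12345678"}
NOW = datetime(2026, 4, 30, 10, 0)

urgent_call = Payment("Acme Plumbing", "033-111 99999999", 4800.00,
                      approvers={"bookkeeper"}, approved_at=NOW - timedelta(minutes=5))
verified = Payment("Acme Plumbing", "033-111 99999999", 4800.00,
                   approvers={"bookkeeper", "owner"},
                   approved_at=NOW - timedelta(minutes=45), callback_by="bookkeeper")
routine = Payment("Acme Plumbing", "062-000 12345678", 220.00,
                  approvers={"bookkeeper"}, approved_at=NOW)

if __name__ == "__main__":
    for name, p in [("urgent", urgent_call), ("verified", verified), ("routine", routine)]:
        print(name, release_blockers(p, KNOWN, NOW) or "release")
```

A payment kept under the approval threshold but sent to a changed account is still held, because the callback and cooling-off checks key on the account change rather than the amount.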

    Warning Signs Around the Call

    • An email lands first ("I am about to call you about a payment, please action immediately when I do")
    • A new mobile number suddenly appears in your contacts list
    • A staff LinkedIn profile is targeted with new connection requests in the days before
    • A senior person's voice has been featured in recent media (interview, podcast, conference panel) — this is when they become an easy cloning target
    • Voicemail greetings have been changed or recorded recently

    What to Do If You Acted on a Scam Call

    If money has already been transferred:

    • Phone your bank immediately — the first 60 minutes are the best chance of clawing money back
    • Phone the receiving bank if it is different — request a recall
    • Report to ScamWatch at scamwatch.gov.au
    • Report to ReportCyber at cyber.gov.au/report
    • Report to police and request a report number for insurance and bank claims
    • Tell your IT team in case the attack also involved compromised email accounts

    If credentials were given out:

    • Change the password immediately for the affected account
    • Sign out everywhere (Microsoft 365: mysignins.microsoft.com → Sign out everywhere)
    • Reset two-factor authentication if needed
    • Phone your IT team to check for sign-in alerts and forwarding rules
    • Warn other staff — voice scams often run in waves through the same business

    Tips for Your Whole Team

    • Run a 10-minute team briefing on AI voice scams. Roleplay one scenario — the bookkeeper takes a call from "the CEO" asking to pay a new supplier. Practise the callback.
    • Add a single sentence to your finance policy: "All payments to a new account, or any payment outside the usual approval process, must be verified by callback to a known number, regardless of who is calling."
    • Make sure your finance team knows it is safe and expected to push back on senior staff. The CEO should explicitly say so in writing.
    • Reduce voice samples available online — for very senior staff or finance staff, consider not posting long videos with their voice publicly
    • Combine voice verification with strong technical controls — Conditional Access, MFA on email, and payment-platform 2FA

    Need Help?

    If you would like Netluma IT to run a voice-scam awareness session, review your payment-approval workflow, or harden Microsoft 365 against the common follow-up attacks, get in touch.

    Phone: 1300 521 162 Email: helpdesk@netlumait.com.au
