AI voice cloning has crossed from research labs into WhatsApp inboxes. With a 30-second sample — pulled from a LinkedIn video, a podcast clip or a voicemail greeting — an attacker can synthesise a convincing version of anyone's voice and call your CFO, your parent or your assistant.
How the attack is built
Step 1: the attacker harvests a public audio sample. Step 2: it is fed into a commercial voice-cloning model (ElevenLabs-style, but increasingly open-source). Step 3: the synthetic voice is used live or as a pre-rendered voice note. The call usually comes from a new number with the right country code, and the story is always urgent: an emergency, a transfer, a hostage scenario.
Why traditional 'trust your ear' fails
The human ear is poor at detecting modern clones, especially over phone codecs that already compress and distort. Your brain fills in the gaps based on the relationship: if you expect your mother's voice, you'll hear your mother's voice.
The codeword defense
Agree on a private codeword with anyone who could plausibly call you in a crisis: your spouse, children, parents, your CEO and your finance team. The word must never be shared digitally. When in doubt, ask for it. A real human will say it; a clone will improvise and fail.
- Call comes from a new or foreign number
- Caller insists on secrecy
- Refuses to switch to live video
- Urgency: 'do it now, I'll explain later'
- 1.Hang up. Call back on the known number stored in your contacts.
- 2.Ask the codeword. No codeword = no action.
- 3.For finance teams: require dual approval for any transfer initiated by voice.
- 4.Lock down public audio: trim LinkedIn videos, remove voicemail greetings with your name.
Want this lesson delivered live to your team?
Tailored workshops for SMEs, families and organisations — in English or Spanish.
Book a workshop →