Authored by: Bryan Lachapelle, President & CEO
The phone rings. On the other end is a voice that sounds exactly like the Executive Director’s supervisor - the familiar tone, the same cadence, and a note of urgency in every word. The request is clear: send a wire transfer or share confidential client data, immediately.
There’s no reason to doubt the request. Everything about the call feels authentic. Most employees, especially in hierarchical organizations like long-term care and retirement homes, instinctively trust leadership. But what if the person on the other end wasn’t actually their boss?
This is no longer science fiction. Thanks to AI-powered voice cloning, a convincing imitation can be created using just a few seconds of recorded speech. Cybercriminals are leveraging this technology to carry out highly targeted, emotionally manipulative attacks that are proving devastating for organizations.
How AI Voice Cloning Is Rewriting the Rules of Cybercrime
For years, organizations have trained staff to spot phishing emails by watching for typos, suspicious links, and odd requests. But few have trained their ears to question the voices of people they trust. That’s exactly what cybercriminals are now exploiting.
Voice cloning tools can create near-perfect replicas of someone’s voice using short samples - often pulled from interviews, press releases, social media videos, or even voicemails. Once a model is trained, the attacker can type anything they want, and the AI will deliver it in a tone and inflection nearly indistinguishable from the real person.
This isn’t a niche skill anymore. With widely available AI tools, a scammer doesn’t need to be a coding genius. All they need is a short recording and a script. From there, the damage can be swift and costly.
From Phishing to “Vishing” - The Evolution of Business Email Compromise
Historically, Business Email Compromise (BEC) relied on fake or hijacked email accounts. These scams tricked employees into sending payments or sensitive data, but they were text-based and could often be caught by email filters.
Voice cloning introduces a far more dangerous twist.
Now, scammers use AI-generated voices to conduct what’s called “vishing” (voice phishing). These calls bypass the safeguards built into email systems and directly manipulate the human element. When someone hears their boss sounding urgent or distressed, they’re more likely to act without verifying.
Why It Works: Emotional Manipulation and Chain of Command
AI voice scams are successful because they exploit two key factors: organizational hierarchy and emotional pressure.
In sectors like long-term care, where structure is vital and stakes are high, staff are trained to follow instructions - especially from leadership. Attackers often time their calls right before weekends or holidays, when verification is harder and staff are eager to avoid escalation.
Worse yet, the cloned voices can mimic emotional states like stress, exhaustion, or anger - further clouding the victim’s judgment.
The Detection Problem: Why We Can’t Just “Listen Closely”
Unlike suspicious emails, fake voices are much harder to detect. There are few, if any, reliable real-time tools to catch voice deepfakes. And human ears? Not very reliable.
Some early warning signs may include robotic intonation, odd background noise, or inconsistent breathing. But as the technology improves, even these tells are vanishing. That’s why relying on hearing alone is not enough. Organizations need protocols.
How Organizations Can Protect Themselves
1. Evolve Security Training
Many organizations still focus cybersecurity awareness on email threats and password management. It's time to expand that training.
Employees - especially those handling finances, resident data, or executive communication - should receive simulation-based training on voice phishing scenarios. Teach them how to pause, verify, and escalate rather than react under pressure.
2. Establish Verification Protocols
A robust verification process can stop even the most convincing voice attack. For example, never act on a voice request involving money or data without secondary confirmation - ideally through a different communication channel.
If someone receives a call from a supposed executive, they should hang up and verify the request through a known internal extension, a secure messaging app such as Teams, or a pre-agreed safe word or challenge-response system.
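For organizations that want to make this procedure concrete, the minimal sketch below shows one way a “hang up and call back” challenge could work. Everything in it - the directory of callback numbers, the function names, and the sample request - is a hypothetical illustration, not a specific product or standard.

```python
# Minimal sketch of an out-of-band "hang up and call back" check.
# DIRECTORY, verify_voice_request, and the sample request are all
# hypothetical illustrations, not a real library or API.

import secrets

# Known-good callback numbers, maintained internally - never taken
# from the incoming call itself.
DIRECTORY = {
    "executive.director": "+1-555-0100",
    "finance.manager": "+1-555-0101",
}

def verify_voice_request(claimed_identity: str, request: str) -> bool:
    """Return True only after the request is confirmed on a second channel."""
    callback = DIRECTORY.get(claimed_identity)
    if callback is None:
        print(f"Unknown identity '{claimed_identity}' - escalate, do not act.")
        return False

    # A one-time challenge code is shared over a separate, trusted channel
    # (e.g., a secure messaging app) - never over the original call.
    challenge = secrets.token_hex(3)
    print(f"Request on hold: {request}")
    print(f"Hang up, call {callback} back, and confirm code {challenge}.")

    answer = input("Code read back by the verified caller: ").strip()
    return answer == challenge

if __name__ == "__main__":
    if verify_voice_request("executive.director", "wire transfer of $25,000"):
        print("Verified: proceed through the normal approval workflow.")
    else:
        print("Not verified: freeze the request and escalate.")
```

The key design choice is that the callback number comes from an internal directory, never from the incoming call itself - so even a perfect voice clone cannot supply its own “verification” path.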
3. Adopt a “Zero Trust” Voice Policy
Even a familiar voice should not be treated as proof of identity. Move toward a “zero trust” policy where verification is required for all high-stakes actions, regardless of who’s calling.
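To make the idea tangible, here is a small sketch of that rule expressed as code; the action names and the verification flag are hypothetical placeholders. The point is simply that identity alone never authorizes a sensitive action.

```python
# Sketch of a zero-trust gate: who the caller sounds like is never,
# on its own, sufficient for a high-stakes action. The action names
# below are hypothetical examples.

HIGH_STAKES_ACTIONS = {"wire_transfer", "share_client_data", "change_payee"}

def is_allowed(action: str, caller_verified: bool) -> bool:
    """Identity alone never authorizes a high-stakes action."""
    if action in HIGH_STAKES_ACTIONS:
        return caller_verified  # Out-of-band verification is mandatory.
    return True  # Routine actions follow normal procedure.

# Even "the boss" on the phone is refused without independent verification.
assert not is_allowed("wire_transfer", caller_verified=False)
assert is_allowed("wire_transfer", caller_verified=True)
```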
Looking Ahead: Identity Verification in the AI Era
As synthetic voices (and soon, real-time video deepfakes) become more convincing, we may see a return to in-person verification for high-risk approvals or the adoption of cryptographic authentication for voice communications.
Until such safeguards are widespread, the best protection is a culture that questions, verifies, and takes its time. Slowing down approvals, requiring callbacks, and using multi-step verification can stop scammers in their tracks.
Preparing for the Next Wave of Cyber Threats
The impact of a voice cloning attack isn’t just financial. It can erode trust, damage reputations, and spark legal fallout. Imagine a fake recording of a CEO saying something offensive going viral before the truth is uncovered.
Long-term care organizations need more than IT tools. They need communication protocols, simulation-based training, and a proactive cybersecurity partner who understands both the technology and the emotional stakes involved.
Is your organization prepared to detect and stop a deepfake voice attack before it spreads? If not, now is the time to act.
