Laurence Lai
blog

Your Voice Can Be Cloned in Three Seconds

may 2026  ·  7 min read  ·  by laurence lai

Three seconds of audio. That's all it takes for modern AI to clone someone's voice well enough to fool the people who hear it every day. Not a dodgy robocall. Not a stilted recording. A real-time, natural-sounding voice that can hold a conversation, respond to questions, and say things the real person never said.

If that sounds like something from a film, it isn't. It's happening right now to real businesses, and the people getting caught out aren't careless or naive. They're busy, trusting, and completely unaware that the technology has moved this fast.

it's not just voice

Voice cloning gets the headlines, but it's only part of the picture. AI can now generate convincing video of someone's face in real time. Deepfake video calls have already been used to impersonate senior executives on Teams and Zoom calls, authorising payments that ran into the millions. The person on screen looked right, sounded right, and said all the right things. It just wasn't them.

Then there's the phishing. The old giveaways are gone. No more "Dear Valued Customer" or dodgy spelling. AI-written phishing emails are grammatically perfect, contextually aware, and increasingly personalised. They reference real invoice numbers, real supplier names, and real conversations. They look exactly like the emails you're used to getting, because the AI has been trained on millions of them.

why small businesses are the target

Big companies have security teams, fraud detection software, and multi-layer approval processes. A fake phone call from the CEO asking for an urgent bank transfer hits three checkpoints before anyone moves a penny.

Small businesses don't have that. If the boss calls and says "can you pay this invoice today, I'll explain later," most people just do it. There's no fraud team. There's no secondary approval. There's trust, and that trust is exactly what these scams exploit.

The attackers know this. They're not guessing. They research businesses on LinkedIn, Companies House, and social media. They know who the director is, who handles the money, and who's likely to pick up the phone on a Friday afternoon. The AI just makes the impersonation convincing enough to close the gap.

what these scams actually look like

These aren't abstract threats. Here's what's actually landing in real businesses right now:

  • The boss call. Someone in your team gets a phone call that sounds exactly like you. Caller ID shows your mobile number (spoofed). You're asking them to make an urgent payment to a supplier, new bank details, you'll explain when you're back. It sounds completely natural because it is your voice.
  • The supplier email. An email arrives from what looks like a regular supplier, same email format, same tone, same signature. The only change is the bank details for payment. The email address is off by one character, or it's been sent from a compromised account. AI wrote the body so it reads exactly like the supplier's usual style.
  • The video call. A Teams or Zoom call with someone who looks and sounds like a known contact. They're asking for something that feels slightly unusual but not alarming enough to refuse. The video quality is good enough, the voice matches, and nobody thinks to question it because they can see the person talking.
  • The voice message. A WhatsApp voice note from the boss, sent from a number that looks right. "I'm in a meeting but can you sort this out for me before 3?" It sounds exactly like them because it is their voice, reconstructed from clips on social media, podcasts, or even a previous phone call.

how to spot it

The technology is good but it's not perfect. Not yet. There are still signs if you know what to listen and look for:

  • Unnatural pauses or rhythm. Cloned voices sometimes hesitate in odd places, or the pacing feels slightly off. The words are right but the flow isn't quite natural.
  • Emotional flatness. AI can mimic a voice but it often struggles with genuine emotion. If someone who's usually animated sounds strangely calm, or vice versa, that's worth noticing.
  • Video glitches. Deepfake video can flicker around the edges of the face, especially around the hairline, ears, and jawline. Unusual blinking patterns, teeth that look slightly wrong, or lighting that doesn't quite match the background are all tells.
  • Urgency and pressure. This is the biggest red flag of all, and it's not technical. Almost every one of these scams relies on time pressure. "Do it now." "Don't wait." "I need this before end of day." Legitimate requests can wait for a verification call. Scams can't.
  • Unusual requests. New bank details, different payment methods, requests to bypass normal procedures, anything that breaks the routine. These are the moments to pause, not speed up.

The technology fools your eyes and ears. The urgency fools your judgement. The scam only works if both happen at the same time.

how to verify

Spotting the signs is useful but it's not enough on its own. The real protection is verification, and it doesn't need to be complicated:

  • Call back on a known number. If someone phones asking for a payment or a change to bank details, hang up and call them back on the number you already have saved. Not the number that just called you. Not the number in the email signature. The one in your phone.
  • Use a code word. Agree a verbal code word with anyone in the business who can authorise payments. Something simple that would never come up naturally. If they can't give it, the request doesn't happen. This sounds old-fashioned. It works.
  • Never trust caller ID. Phone numbers can be spoofed in seconds. The fact that it shows the boss's mobile number means absolutely nothing. Caller ID is a label, not a guarantee.
  • Verify bank detail changes by phone. If a supplier sends new payment details by email, call the supplier on a number you already have and confirm. Every time. No exceptions. This one rule alone would prevent the majority of payment fraud hitting small businesses.
  • Two-person sign-off on payments. No single person should be able to authorise and execute a payment on their own, especially if it's a new payee or changed bank details. Even in a two-person business, having a "one asks, one confirms" rule adds a layer that most scams can't get past.

things you can do today

You don't need a security budget or an IT department. These are things any small business can put in place this afternoon:

  • Set a payment threshold. Any payment above a certain amount (even just a few hundred pounds) requires verbal confirmation from a second person. Decide the number and stick to it.
  • Brief your team. Five minutes is enough. Tell them: if anyone calls asking for money, new bank details, or anything unusual, they should verify before acting. No one will ever be in trouble for checking. They will be in trouble for not checking.
  • Lock down your voiceprint. Think about how much of your voice is publicly available. Podcast appearances, YouTube videos, conference talks, social media clips. You can't remove them all, but be aware that anything with your voice on it is training data for a clone.
  • Check your email security. Make sure your business email has two-factor authentication turned on. A compromised email account is often the starting point for these scams, because the attacker can read your sent items and learn exactly how you write.
  • Question urgency. Build a culture where "I need to check first" is always the right answer. If someone pushes back on that, it's either a scam or a management problem. Either way, it needs sorting out.

this isn't going away

The technology that makes these scams possible is getting cheaper, faster, and more accessible every month. The voices will get better. The videos will get smoother. The emails will get harder to distinguish from real ones.

But the defence hasn't changed. Verify. Confirm. Don't let urgency override process. The scams work because people trust what they hear and see without checking. The fix is simply to check. It takes thirty seconds and it could save you everything.

I help small businesses stay secure without overcomplicating things. If you want to tighten up your setup or just want a second opinion on where you're exposed, let's have a chat.

→ let's have a chat → what i do

you might also like

→ when ai makes the decision, who's actually responsible? → website chatbots used to be terrible. mine aren't. → your business runs on software you've never approved
← back to blog