Skip to main content
Tradecraft & Kit

Voice-clone fraud is a protective-intelligence problem now

The technique that took $25m from Arup can spoof a principal's instruction, a duress call or a driver's change of plan. Incoming EU disclosure law binds the honest, not the criminal, so the defence is a verification protocol.

1 Jul4 min read
Listen0:00/0:00
Voice-clone fraud is a protective-intelligence problem now
OpsCon Intelligence

Voice and video impersonation has moved from a curiosity to a working attack against protected people and the organisations around them. The reference case remains Arup: in 2024 the engineering firm confirmed a Hong Kong employee was tricked into making 15 transfers totalling around US$25 million after a video call populated with deepfaked versions of the CFO and colleagues, built from footage of real meetings. No arrests, no recovery.

For protective teams the relevance is direct. The same technique that spoofs a finance approval can spoof a principal's instruction to staff, a duress call to a family member, or a change of plan to a driver. Cloning a usable voice now takes seconds of public audio.

Regulation is arriving but will not carry the load. Under Article 50 of the EU AI Act, deployers using AI to generate or manipulate deepfake audio, image or video must disclose it, with obligations applying from 2 August 2026; the European Commission published a Code of Practice on AI-generated content on 10 June. That compels the lawful. It does nothing to a criminal running an impersonation.

Operator implication: the defence is process, not detection on the call. Set a verification protocol, a call-back on a known number, a challenge phrase, a second channel, for any instruction that moves money, changes a movement, or shares sensitive detail. Rule that no one, including the principal, can authorise those on a voice or video call alone. Rehearse it, because staff who have not practised will comply under pressure.

Disclaimer. The Ops Con Intelligence briefings are compiled from open-source reporting and provided for situational awareness and professional development only. They are not operational, security, legal, financial or travel advice, and no reliance should be placed on them for any decision. Information may be incomplete, time-sensitive or change without notice โ€” always verify independently before acting. The Ops Con accepts no liability for any loss arising from use of this content.

SFJ Awards Approved Centre
Armed Forces Covenant
CPD Member #22285
Insignia Awards Approved Training Provider