“ A successful scam call can result in account takeover, unauthorised payments, credential compromise, or the installation of malicious software“
Scam phone calls used to be easy to identify. A robotic tone, a strange accent, or a script that didn’t quite hold up under questioning. That’s no longer the case. AI-generated voices in 2026 can now be completely indistinguishable from a real human being. This isn’t a future concern. It’s happening right now, and businesses across the UK are in the crosshairs.
How sophisticated have these attacks become?
A recent account from a senior IT security professional illustrates just how far these attacks have progressed. After receiving what appeared to be a routine support call, they spent over 20 minutes in a fast-moving, two-way conversation with what they later confirmed was a fully AI-driven system.
What made it remarkable wasn’t just the voice. The system listened and responded naturally when interrupted, placed the caller “on hold to speak with a manager,” and was able to trigger real-looking verification emails and push notifications to the target’s phone in real time, using a technique known as a Google DKIM Replay Attack to make those messages appear entirely legitimate.
In total, nine distinct attack methods were coordinated simultaneously, all orchestrated by a voice that most people would have no reason to question. The attack had even begun earlier that day, with preparatory emails sent through the Google account recovery process so they could be referenced on the call as “proof” of legitimacy.
Red flags to Watch For
Even when the voice sounds entirely convincing, there are behavioural patterns that can indicate a scam call is in progress:
- An unexpected call claiming to be from a bank, technology provider, or software company – particularly Microsoft, Google, or your IT support team.
- A caller who creates urgency – warning of a security breach, suspicious activity on your account, or an imminent deadline requiring immediate action.
- A request to verify your identity during the call, or to confirm a code that has been sent to your device.
- Being asked to approve a login notification, grant remote access, or install software – even if the caller offers to “walk you through it.”
- Verification “evidence” offered by the caller – such as emails or notifications sent at their request – used to prove they are who they say they are.
- A caller who discourages you from hanging up and calling back on a number you have independently verified.
A Verification Protocol to Combat AI Voice Scams
We recommend that all staff follow this process whenever they receive an unsolicited call relating to accounts, systems, money, or identity – regardless of how plausible the caller sounds:
- Do not confirm or deny anything. Politely decline to provide information, approve requests, or take any action during the call itself.
- Obtain the caller’s name and department. Note it down, but do not use it to verify their identity — this information is easy to fabricate.
- End the call. Explain that you will call back. A legitimate organisation will always support this.
- Find the contact number independently. Use the official website or a document you already hold — never a number provided by the caller.
- Report the attempt. Whether or not you believe the call was genuine, inform your IT team or line manager. Patterns of attempted contact are important to track.
The threat posed by AI voice scams is not limited to individual employees being caught off guard. A successful scam call can result in account takeover, unauthorised payments, credential compromise, or the installation of malicious software – all without a single click on a phishing link.
What can your business do?
Staff awareness is one of the most effective controls available. Businesses that invest in regular security briefings, clear internal procedures, and an open reporting culture are significantly better placed to identify and resist these attempts before they cause harm.
If you would like to review your organisation’s current approach to social engineering threats, or ensure your team is equipped with up-to-date guidance, we are here to help.