Business Email Compromise via Phone Calls
Fraudsters combine spoofed emails with follow-up phone calls, impersonating executives or banks by voice to pressure finance staff into authorising fraudulent transfers.
Part of: Business Email Compromise (BEC)
Last reviewed: 1 June 2026
Phone calls add a powerful human dimension to business email compromise. A fraudulent email is reinforced by a live voice that conveys authority, urgency, and reassurance, making the request far harder to resist. This blended approach is sometimes called voice-assisted BEC.
Caller ID can be spoofed to display a familiar name or number, so the call appears to originate from an executive, a supplier, or a bank. Hearing a confident voice insisting on immediate action overrides the careful judgement staff might apply to a written message alone.
How this scam works on Phone calls
The scheme usually begins with an email that introduces a payment request or a change of bank details. Shortly afterwards the target receives a phone call from someone claiming to be the executive, the supplier, or a bank representative, confirming the email and stressing that the matter is urgent.
The caller may already know details about the organisation, gathered from public sources or a prior breach, which lends credibility. They guide the employee through the steps, discourage them from consulting colleagues, and frame any hesitation as a risk to an important deal or deadline.
If the staff member proceeds, the funds are sent to an account controlled by the criminal. Advances in voice technology mean the caller may even sound like a specific known person, further eroding the victim's defences until the loss is later uncovered.
Common red flags
- A phone call that pressures you to confirm an emailed payment request
- Caller ID showing a familiar name or number but an unfamiliar voice
- Insistence on completing a transfer immediately during the call
- A caller discouraging you from verifying through other channels
- A voice that sounds slightly off or unusually scripted
- A request to keep the conversation confidential from colleagues
How to protect yourself
- Hang up and call back on an official number you have independently verified
- Never authorise payments based on a phone call alone, even if expected
- Treat caller ID as unreliable and verify identity through a second channel
- Apply dual-authorisation rules to all transfers regardless of how requested
- Brief staff that executives can be impersonated convincingly by voice
- Confirm any change of bank details in writing through a trusted contact
How to report it
- Report the call to your national fraud or cybercrime reporting service
- Notify your bank immediately to attempt recovery of any funds sent
- Document the caller's number, time, and claims for your security team
Frequently asked questions
Can a scammer really make a phone call appear to come from my CEO?
Caller ID can be spoofed to show any name or number, so the display is not proof of identity. Voice can also be imitated. The only reliable check is to hang up and call the person back on a number you already trust, not one supplied during the call.