Biometric Face and Voice Spoofing Fraud
AI-generated voice clones and face-swapped video are used to defeat voice and facial recognition authentication, impersonate victims to banks and contacts, and authorize fraudulent transactions that sound and look convincingly like the real person.
Last reviewed: 5 July 2026
What this scam is
Biometric face and voice spoofing fraud uses artificial intelligence to synthesize a convincing clone of a real person's voice, face, or both, from publicly available or stolen source material such as social media videos, podcast audio, or video calls. The resulting synthetic media is then used to defeat voice-recognition banking authentication, pass a video identity verification step, or simply convince a human on the other end of a call or video chat that they are speaking with the genuine person.
This differs from traditional impersonation scams in that the fraud specifically targets biometric authentication systems — voiceprint matching, facial recognition login, or liveness detection — that many institutions adopted precisely because they were believed to be harder to fake than a password or a written signature. As voice-cloning and face-synthesis tools have become cheaper and require less source material to produce convincing results, this assumption has eroded rapidly.
The fraud can target both institutions, such as a bank's voice-authenticated call center or a video-based know-your-customer check, and individuals, such as a colleague or family member receiving what sounds and looks like a real video call from someone they trust asking for an urgent favor or transfer.
How it works
The fraudster first gathers source material of the target: voice samples from public videos, interviews, voicemail greetings, or even brief phone calls, and photos or video clips from social media profiles. Modern voice-cloning tools can produce a usable clone from as little as a few seconds to a few minutes of clean audio, and face-synthesis tools can generate a convincing video overlay from a modest set of still images.
With the synthetic voice or face ready, the fraudster initiates contact with a target institution or individual, using the cloned voice in a phone call to a bank's voice-authenticated line, or a face-swapped live video call to a contact who expects to see the real person. The request typically involves urgency — an emergency wire transfer, an urgent password reset confirmation, or a plea for immediate financial help — designed to prevent the recipient from pausing to verify through another channel.
Because the biometric match appears to succeed, or the human recipient sees and hears what looks and sounds like someone they know, the transaction or disclosure often proceeds without the secondary scrutiny that a text-based or unfamiliar-voice scam attempt might trigger. Detection typically occurs only after the fact, when the real person is contacted separately and confirms they made no such call or request.
Why this scam works
The fraud exploits the deep-seated human and institutional assumption that voice and face are uniquely personal, near-impossible to fake convincingly, and therefore trustworthy on their own — an assumption that held largely true for most of history but has been undermined by the rapid improvement and accessibility of generative AI tools. Urgency compounds the effect: a request that sounds and looks like a trusted person in a hurry short-circuits the instinct to hang up and call back through a known, separate channel, especially when the biometric match itself, whether human or automated, appears to confirm authenticity.
A typical pattern
A scammer collects several minutes of a target's voice from a podcast interview and a handful of public photos and short videos from social media, feeding them into a widely available voice-cloning and face-synthesis tool. Using the cloned voice, the scammer calls the target's bank claiming to be the target and requests a large wire transfer, defeating the bank's voice-recognition authentication system trained on the real customer's voice. The bank's system flags a slight anomaly but accepts a follow-up live video call in which a face-swapped version of the target's likeness appears to confirm the transaction verbally. By the time the real customer is contacted for an unrelated matter and mentions they made no such request, the wired funds have already been moved through several accounts and cannot be recovered.
Common red flags
- An urgent request for money or credentials by phone or video that discourages hanging up to verify
- Slight audio artifacts, unnatural pauses, or robotic tone in an otherwise familiar-sounding voice
- A video call with subtly unnatural lighting, blinking, or lip-sync mismatches
- A request to keep the matter confidential or avoid telling other family members or colleagues
- Insistence on completing the transaction during the call itself rather than allowing time to verify
- A caller who avoids answering specific personal questions only the real person would know
- Bank or institutional voice authentication flags an anomaly but a human overrides it under pressure
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
[Cloned voice of a relative]: I'm in trouble and need you to send money right away, please don't tell anyone yet.
[Cloned voice claiming to be a bank representative]: We need to verify a large transfer, please confirm your voiceprint again.
[Face-swapped video call from a 'colleague']: I need you to approve this wire transfer urgently before the deadline.
This is [Cloned voice of an executive]: Please process the payment to the new vendor account today, it's time-sensitive.
[Cloned voice of a family member]: My phone is broken, I'm calling from a friend's number, can you send funds now?
Common variations
- Voice cloning used to defeat bank call-center voice authentication
- Face-swapped live video calls impersonating a family member or colleague requesting funds
- Synthetic voice used in a fake emergency call from a supposed relative in distress
- Deepfake video used to pass a remote identity verification or know-your-customer check
- Cloned executive voice used in a business email compromise-style urgent wire transfer request
How to verify before you act
If you receive an urgent call or video request involving money or sensitive information, even one that sounds and looks exactly like someone you know, hang up and independently contact that person through a previously established phone number or in-person, never a number or link provided during the suspicious call itself. Agree in advance with family members and close colleagues on a verbal safe word or independent verification step for any urgent financial request made by phone or video. If you manage or rely on voice or facial biometric authentication for a financial account, ask the institution what additional verification steps exist beyond the biometric match alone.
Payment methods used
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- Individuals and executives with substantial public voice or video content online
- Family members of people with a public social media presence
- Bank customers using voice-authenticated phone banking
- Employees authorized to make wire transfers at their organization
What to do immediately
- Hang up or end the call immediately and independently contact the person through a known, saved number
- Contact your bank directly to flag or reverse any transaction authorized under suspected spoofing
- Alert other family members or colleagues that a spoofing attempt referencing them occurred
- File a report with your bank's fraud department and request a review of the authentication failure
- File a police report documenting the incident, including any recordings or screenshots available
- Review and tighten privacy settings on public voice and video content where practical
How to prevent it
- Establish a verbal safe word or independent verification step with close family and colleagues for urgent financial requests
- Never authorize a transfer or disclosure based solely on a phone or video call, however convincing, without independent callback verification
- Limit the amount of clear, high-quality voice and video content of yourself posted publicly where practical
- Ask your bank what safeguards exist beyond voice or facial biometric authentication alone
- Treat any urgent, emotionally charged request for money or credentials with extra scrutiny regardless of who it appears to be from
- Use a callback to a known, saved number rather than any number provided during the suspicious contact itself
Evidence to preserve
- Any recording, voicemail, or screen recording of the suspicious call or video
- Call logs showing the number or platform used to make contact
- Bank transaction records and any authentication logs from the institution
- Screenshots of any related text or email correspondence around the same time
- Police report number and copy
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Can voice-cloning fraud really defeat bank voice authentication?
Yes, modern voice-cloning tools have been demonstrated to defeat some voice-authentication systems, which is why many banks now require additional verification steps for large or unusual transactions rather than relying on voice alone.
How much audio or video does a scammer need to create a convincing clone?
Some tools can produce a usable clone from as little as a few seconds of clear audio or a small set of photos, meaning even limited public content can be enough to attempt a spoof.
What is the single best defense against this kind of fraud?
Independent verification through a separate, previously known channel — never trusting a call or video alone for a request involving money or sensitive information, however convincing it sounds or looks.