For years, cyber security awareness programmes have focused on helping employees spot suspicious emails. That was the right focus to have; email has long been one of the most common ways attackers gain access to an organisations’ systems. Employees have been taught to look for unexpected attachments, unusual requests, and messages that don’t quite feel right.

But attackers aren’t standing still.

Voice cloning, deepfakes, and AI-powered impersonation attacks are creating a new challenge for organisations because they target something many people instinctively trust: a familiar voice.

Voice cloning has moved beyond the realm of science fiction. What was once seen as an emerging technology is now widely available, increasingly convincing, and alarmingly easy to use.

The concern isn’t just that attackers can clone voices, it’s that people naturally trust them. When a message arrives in your inbox, you might pause to question whether it’s genuine but when somebody who sounds like your manager calls and asks for help, that same scepticism doesn’t always kick in.

That’s why voice cloning is becoming such a powerful tool for cybercriminals.

Why We Trust Voices More Than Emails

Years of awareness campaigns have taught people to question unexpected messages and think carefully before clicking links or sharing information. Even if they don’t consciously realise it, many employees have developed habits that help them assess whether an email looks legitimate.

Voice communication is different. When we hear someone speak, particularly someone we know or recognise, our instinct is to trust what we’re hearing. A familiar voice feels personal, authentic, and much harder to fake. That’s why voice cloning has become such an attractive tool for cybercriminals.

Imagine you’re halfway through a busy afternoon when your phone rings. It’s your Finance Director; or at least, it sounds exactly like them.

They apologise for calling out of the blue and explain they’re in a meeting. They need you to approve a payment before the end of the day or send across some information for an urgent client request. Everything about the conversation feels normal. The voice is familiar, the tone is right, and nothing immediately raises suspicion.

Except it isn’t them.

Voice Cloning Has Become Accessible to Everyone

The most concerning aspect of voice cloning is how easy it’s become.

A few years ago, creating a convincing synthetic voice required specialist knowledge, expensive technology, and significant time. Today, some AI tools can generate a realistic voice clone from as little as three seconds of audio. That recording could come from a podcast appearance, a LinkedIn video, a company webinar, a conference presentation, or even a short clip shared on social media. Many senior leaders already have enough publicly available audio for attackers to create a believable impersonation.

Once that voice has been cloned, it can be used in phone calls, voicemails, or voice notes that appear to come from a trusted colleague or senior leader. An employee who would immediately question a suspicious email may be far less likely to challenge a familiar voice asking them to act quickly.

This is what makes voice cloning such a significant enterprise risk. The technology is no longer restricted to sophisticated threat actors; it’s becoming a commodity capability accessible to anyone willing to use it.

As the barriers to entry continue to fall, organisations need to assume that voice impersonation will become a more common part of the threat landscape.

Why Voice Cloning Works Best Alongside Other Attacks

Voice cloning isn’t replacing traditional social engineering techniques; it’s strengthening them.

The most successful attacks don’t rely on a single interaction. Instead, attackers build credibility across multiple channels before asking their target to take action.

An employee might receive an email that appears to come from a supplier. Later that day, they receive a Teams message that reinforces the same request, then a phone call arrives from what sounds like a senior leader confirming that the request is legitimate.

Each interaction makes the next one feel more believable. By the time the employee is asked to transfer funds, approve access, or share information, the request feels familiar and trustworthy.

AI is making these attacks easier to create and far easier to scale. Attackers can generate convincing emails, tailored messages, and cloned voice calls in a fraction of the time it would’ve taken in the past.

The result is a much more sophisticated form of social engineering that many organisations aren’t prepared for.

The Awareness Gap Organisations Need to Address

Many security awareness programmes are still heavily focused on email-based threats. Employees are trained to inspect links, recognise phishing emails, and report suspicious messages. While those skills are important, they don’t fully prepare people for attacks that arrive through phone calls, voice notes, collaboration platforms, or a combination of all three.

The challenge isn’t teaching employees how AI voice cloning technology works, but teaching them how to respond when a request feels genuine.

When a familiar voice asks for urgent action, people need the confidence to slow down, verify the request, and follow established processes. That behaviour is far more important than understanding the technical details behind the attack.

As social engineering tactics become more sophisticated, awareness training needs to reflect the reality employees face.

Why Story-Driven Training Makes a Difference

One of the biggest challenges with emerging threats like voice cloning is that they can feel abstract until people experience them in context.

Most employees understand that deepfakes and AI-generated voices exist, but that doesn’t automatically mean they’ll recognise an impersonation attempt when it happens.

People don’t learn how to respond to pressure by reading a policy document, They learn by seeing realistic situations unfold and understanding how attackers manipulate trust.

That’s why story-driven awareness training is becoming increasingly valuable.

Cyber Police is MetaCompliance’s live-action cyber awareness series, designed to bring real cyber threats like voice-cloning to life through storytelling. Using realistic characters, workplace scenarios, and dramatised attacks, it shows employees how modern cyber threats unfold, how trust is manipulated, and how seemingly ordinary situations can quickly escalate into serious incidents.

By seeing attacks unfold through the eyes of the people involved, employees develop a much stronger understanding of how to recognise suspicious behaviour and respond effectively.

Building a Culture of Verification

As voice cloning becomes more common, organisations need to rethink how trust is established.

Employees should never be expected to determine whether a voice is real or AI-generated just by listening. The technology is too convincing for that to be a reliable defence.

Instead, organisations need clear verification processes for requests involving payments, sensitive information, credentials, or access to systems.

  • If a request is unusual, verify it.
  • If a request creates urgency, verify it.
  • If a request involves money or sensitive data, verify it.

Most importantly, employees need to feel comfortable doing so. A strong security culture encourages people to question requests when necessary, even if they appear to come from senior leaders.

That small pause to verify information can prevent a costly mistake.

The Future of Social Engineering Has Already Arrived

Voice cloning is often discussed as a future threat, but organisations need to prepare for it today. The technology is becoming more accessible, the quality is improving rapidly, and it’s becoming increasingly difficult for people to spot. In fact, McAfee found that 70% of people aren’t confident that they could tell the difference between a cloned voice and a real one, highlighting just how believable these attacks have become.

The organisations that respond effectively will be the ones building cultures where verification is routine, employees feel confident challenging unusual requests, and awareness training reflects the threats people are most likely to face.

When hearing a familiar voice is no longer proof of identity, trust needs to be earned, not assumed.

Find Out More About Cyber Police

Cyber Police uses drama to bring real cyber threats to life, sparking conversation and challenging assumptions. Each season tackles the threats employees are most likely to face, from phishing and ransomware to deepfakes, and reimagines them as gripping episodes. By seeing threats through the eyes of those affected, employees gain clearer awareness and the confidence to respond effectively.

Find out more about Cyber Police and discover how story-driven awareness training helps employees recognise modern cyber threats, challenge suspicious behaviour, and respond with confidence in real-world situations.