ScamWatch

If you feel you're being scammed in the United States: contact the Federal Trade Commission (FTC) at 1-877-382-4357 or report online at reportfraud.ftc.gov

AI Voice‑Cloning Scams Targeting Officials and Families: Verify Calls & Report Deepfake Calls Fast

Introduction — Why AI voice‑cloning calls are a growing risk

Scammers increasingly use AI voice cloning ("deepfake" audio) to impersonate public officials, company executives, and family members — creating urgent, convincing phone calls designed to prompt money transfers, sensitive disclosures, or coercion. U.S. law enforcement and consumer protection bodies have issued warnings after multiple incidents that targeted officials and private citizens, and official reports show AI‑enabled phone fraud is a rising contributor to losses reported to the FBI and other agencies.

This article gives clear, fast steps you can use right now to verify a caller, stop a deepfake scam in progress, collect evidence that investigators need, and report the call to the right agencies and your phone carrier. It’s aimed at families, civic offices, business teams, and security staff who must make rapid decisions under pressure.

How these scams work and why simple caller‑ID checks aren’t enough

Attackers assemble small voice samples from social media, voicemail, broadcasts, or leaked audio, then use consumer or cloud voice‑synthesis tools to produce highly realistic calls. Many popular voice‑cloning services have weak controls that make misuse possible, which has accelerated the problem.

Common technical abuse patterns:

  • Impersonation — a fake "child/relative in trouble" or a purported official demanding secrecy.
  • Business‑email/CEO fraud hybrid — a cloned executive voice asking staff to approve payments or wire transfers.
  • Authority pressure — threats referencing law enforcement, elections, or deadlines to force immediate compliance.

Why caller‑ID and STIR/SHAKEN won’t stop everything: authentication frameworks like STIR/SHAKEN help flag spoofed originating numbers from participating carriers, but they don’t verify the speaker’s voice or stop calls routed through unregulated VoIP providers and international gateways. Attackers can combine number‑spoofing with a synthetic voice to make a call appear legitimate despite authenticity frameworks. That makes human verification and out‑of‑band checks essential.
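For security staff who can see the SIP Identity header on an inbound call, this added example (not part of the original article) decodes the STIR/SHAKEN PASSporT and shows that even full "A" attestation describes only the number, so the callback requirement stays in place. The sample header, phone numbers, certificate URL and the `triage` policy are constructed for illustration, and the signature is not verified here.

```python
import base64
import json
import re

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sample_identity(attest: str, orig_tn: str) -> str:
    """Constructed Identity header value; the signature is a dummy, not real ES256."""
    header = {"alg": "ES256", "typ": "passport", "ppt": "shaken",
              "x5u": "https://cert.example.invalid/shaken.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550100"]}, "iat": 1700000000,
              "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    jws = ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))
    return f"{jws}.{_b64url(b'dummy-signature')};info=<{header['x5u']}>;alg=ES256;ppt=shaken"

def parse_passport(identity_value: str) -> dict:
    """Decode PASSporT claims from an Identity header value. Does NOT verify the signature."""
    parts = identity_value.split(";", 1)[0].strip().split(".")
    if len(parts) != 3:
        raise ValueError("Identity header does not carry a compact JWS")
    header, claims = (json.loads(_unb64url(p)) for p in parts[:2])
    if header.get("ppt") != "shaken":
        raise ValueError("PASSporT is not a SHAKEN token")
    return claims

def triage(identity_value, displayed_number: str, sensitive_request: bool) -> dict:
    """Classify what is known about the NUMBER; the speaker is never authenticated here."""
    if not identity_value:
        status = "unauthenticated"        # no PASSporT arrived with the call
    else:
        claims = parse_passport(identity_value)
        same_tn = re.sub(r"\D", "", displayed_number) == claims["orig"]["tn"]
        if not same_tn:
            status = "number-mismatch"    # displayed caller ID differs from the signed one
        elif claims.get("attest") == "A":
            status = "number-attested"    # carrier vouches for the number, not the voice
        else:
            status = "weak-attestation"   # B or C: right to use the number is not vouched for
    # Out-of-band callback depends on what is being asked, not on the attestation level.
    return {"number_status": status, "callback_required": sensitive_request}
```
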

Fast verification checklist — what to do during or immediately after a suspicious call

If you or someone in your organization receives a high‑pressure or surprising call, follow this checklist in order. These steps are designed to stop scammers quickly and preserve evidence for investigators.

  1. Do not comply. If the caller asks for money, gift cards, account details, passwords, or secrecy — stop the call immediately and do not provide data.
  2. Ask a verification question the caller couldn’t know. Use a previously agreed family safe‑word, or ask for a detail you only share via a separate channel (e.g., "What did I tell you was my backup contact number?"). If you don’t have a safe‑word, arrange one with family and staff now.
  3. Insist on calling back on an independently verified number. Say, "I’ll call you back from my phone to the official number I have on file," and hang up. Then call the published number for the agency, company, or family member (not a number the suspicious caller texts or provides). This out‑of‑band callback defeats many live‑spoofing tactics.
  4. Use a secondary channel to confirm. Text, email, or message the person or organization through a known contact to confirm the request is legitimate.
  5. Record metadata and preserve evidence. Note the exact time, caller‑ID number as shown, the device used (mobile/landline), and any phrasing or keywords the caller used. If possible and lawful where you are, record the call or save the voicemail. Preserve any texts, links, or screenshots the scammer sent.
  6. Do not call back a number the suspicious caller gave you. Scammers often provide a "callback" number they control. Always use independently verified contact information.

Researchers are also developing technical countermeasures (for example, consumer‑friendly speech jamming and anti‑spoofing detectors), but these are still maturing. Practical human checks remain the fastest defense today.

Quick scripts you can use

Use these short, calm phrases when a call feels off:

  • "I don’t recognize this request. I’ll call you back at the official number I have on file. Goodbye."
  • "Can you tell me the safe‑word we agreed? If you don’t know it, I’ll contact [Agency/Name] through their published number."
  • "I need this request in writing from your official email address before I take action — please send it and I will verify."

How to report deepfake phone calls fast — who to contact and what to include

If you believe you were targeted or defrauded, report the incident promptly. Fast reports help investigators spot campaigns and block fraudulent numbers.

Where to report (U.S. guidance)

  • FBI Internet Crime Complaint Center (IC3) — for fraud or impersonation with financial loss or extortion; use IC3 to detail the event and upload evidence.
  • Federal Trade Commission (FTC) — report phone scams and identity theft at ReportFraud.ftc.gov; the FTC uses reports to detect trends and advise consumers.
  • Federal Communications Commission (FCC) — file complaints about illegal robocalls, spoofing, and carrier failures to authenticate calls (useful if your carrier allowed suspicious origination). Refer to the FCC if you suspect noncompliance with STIR/SHAKEN rules.
  • Your carrier — report the call to your mobile/VoIP provider and ask for call trace or blocking. Carriers can sometimes block recurring origin numbers or escalate to industry trace teams.
  • Local police — if you lost money or face threats, file a police report and include copies of the IC3/FTC submissions to help coordination.
  • USA.gov — use the "Where to report scams" tool if you’re unsure which agency is the best fit.

What to include in your report

  • Date and time of the call (local time zone)
  • Caller‑ID number as shown, call length, and whether it left a voicemail
  • Exact phrasing of the request, threats, or instructions (copy the transcript if possible)
  • Any links, texts, screenshots, or names the caller used
  • Evidence files: voicemail audio, call recording, screenshots, or text logs
  • If money was sent: payment method, recipient info, transaction times, and amounts

Collecting and submitting these details speeds investigations and increases the likelihood carriers and law enforcement can trace the source. The FTC, IC3, and USA.gov provide forms and guidance on the specific fields they need.

Final note for organizations: adopt multi‑factor verification for financial requests (two‑person approvals, written confirmations on corporate email, and vendor whitelists) and run regular staff simulations so people know to use out‑of‑band verification instead of trusting a caller’s voice alone. These process controls are the most reliable defense against audio deepfakes in operations that handle money, access, or sensitive data.

For updates and resources, follow official guidance from the FBI, FTC, and your national consumer protection agency — and establish a family or office safe‑word today if you don’t already have one.