AI Voice Phishing in 2026, A Comprehensive Field Guide

Voice phishing has been around since cold callers learned how to read a script. What changed in the last twenty four months is that the script no longer needs a human to read it, the voice no longer needs to be the attacker's, and the cost no longer requires a budget. A small team with a laptop and a forty dollar voice cloning subscription can now run an attack that, until very recently, was the exclusive territory of nation state operators.

This is the comprehensive version of what we are seeing on the ground at PIVOT in 2026. It covers attacker economics, the actual mechanics of voice cloning, the conversational tradecraft inside live AI vishing calls, what works in detection, what does not, and a layered defense plan that you can deploy without buying a single new product. Where vendor categories matter, we name them. Where buying a tool is genuinely the right move, we say so. Where you are being sold a fairy tale, we say that too.

TL;DR

1. AI voice phishing combines a cloned voice, a live AI agent (or a human reading a script over the clone), and a SIP origination service that lets the attacker spoof any number.
2. The cost has collapsed from "research lab" to "weekend project". Open source models, real time inference, and unlimited cheap compute closed the gap in 2024 and 2025.
3. The kill chain still relies on rushing a human into a high stakes decision under time pressure. Slow that decision down and the entire attack falls apart.
4. The single highest leverage control is a written, enforced, no exception callback rule for any phone request that involves money, credentials, vendor changes, or system access.
5. Voice biometrics, caller ID, "verified calls" tooling, and AI deepfake detectors are useful as layers but unsafe as primary controls. Pilot before you procure.
6. The defense that works is layered: telephony hygiene, identity hardening (FIDO2), human policy (callback plus safe word), targeted training, and an incident playbook the finance team has actually read.

Why this got dangerous so fast

Three independent shifts converged inside an eighteen month window. None of them are rolling back, and the combined effect is a permanent change in the risk surface for any organisation with a public facing leader.

Voice cloning crossed the consumer threshold

Two years ago, cloning a voice with conversational quality required a research environment, hours of clean audio, and significant compute. Today, several open weight models produce conversational quality clones from less than thirty seconds of source audio. They run on a consumer GPU, and in some cases on a high end laptop CPU. Public APIs from commercial providers offer the same capability for a few cents per minute of synthesised speech.

The implication for defenders is simple. If your CEO has ever been on a podcast, given a conference talk, or appeared in a quarterly earnings call, the audio dataset to clone them already exists, freely indexed by search engines, and the cost to actually produce the clone is a rounding error.

Real time inference removed the playbook constraint

The first generation of AI vishing attacks relied on pre rendered audio. The attacker scripted a short call, generated the audio in advance, and played it through a SIP gateway. The defense was to throw the call off script: ask an unexpected question, request a callback, change the topic. The pre rendered audio could not adapt.

In 2025 and 2026 that constraint is gone. Real time inference services synthesise responses inside the call, with end to end latency low enough to feel like a normal conversation. The attacker is no longer constrained to a pre baked script. They can answer questions, react to objections, and improvise within the persona. We have replayed engagements where the synthesised voice handled an entire ten minute negotiation about wire details, including correct context about an internal project name that the operators had picked up from public LinkedIn posts.

Identity data is unlimited and cheap

The third shift is not a technology shift. It is a data shift. The amount of public, semi public, and breached identity data on senior leaders, finance staff, and engineering managers is now effectively unlimited. Quarterly results decks, conference biographies, podcast appearances, leaked LinkedIn datasets, GitHub commit metadata, and the public facing parts of corporate websites combine into rich target dossiers.

Combined with cheap voice cloning and real time inference, the cost of building a credible voice impersonation of a specific named target dropped to roughly fifteen US dollars and a couple of hours of laptop time, in our internal cost analysis on the last six engagements where we reproduced the attack chain in a controlled red team setting.

The kill chain, in detail

Real world AI vishing attempts in 2026 follow a recognisable five stage pattern. Recognising the stages is the first step toward defending against them.

Stage 1, target selection and reconnaissance

Attackers select targets primarily by access, not seniority. The CFO is a frequent target. So is the controller, the head of finance ops, the assistant to the CEO, the head of payroll, the head of vendor management, and any engineering lead with production credentials. The selection is driven by who can authorise a payment, change a vendor, or release a credential, not by who is on the public exec page.

Reconnaissance produces a working dossier per target. The dossier typically includes:

1. The target's full name, role, reporting chain, and recent organisational moves.
2. A voice sample of any senior leader the target reports to or works with, used as the cloning source.
3. A list of known active projects, vendor names, and ongoing financial commitments.
4. The target's typical communication patterns: hours, channels, language preferences, and known relationship dynamics.
5. A list of plausible reasons the impersonated leader might call the target on short notice.

Attackers harvest most of this from public sources. The rest comes from breached datasets, social media scraping, and occasionally from a small initial phishing email that drops a benign tracker on the target's machine to capture context.

Stage 2, persona and pretext construction

The persona is not just "the CEO". It is "the CEO, calling from an airport, three minutes before boarding, who needs the wire confirmation to a vendor whose name appeared in a board meeting last week". The pretext layers urgency on top of context, and context on top of plausibility.

A well constructed pretext satisfies four criteria. The caller has a believable reason to be calling. The caller has a believable reason for the request. The request has a believable consequence if not actioned immediately. The expected behaviour from the target matches what the target normally does. If any one of those four breaks, the target slows down, and the attack fails.

Stage 3, channel setup and number spoofing

The attacker provisions a SIP origination service. Most are abuse resistant in name only. Indian, US, and EU markets all have providers that, with minimal verification, will originate calls from arbitrary numbers, including spoofed internal extensions and spoofed local numbers from any country. STIR/SHAKEN raises the bar in some North American markets but is patchy elsewhere and absent in most of South Asia.

The attacker then sets up the inference pipeline. In a simple deployment, this is a public voice cloning API receiving generated text and returning audio, fed into the SIP audio stream by a small orchestrator script. In a more advanced setup, the orchestrator is a real time agent that listens to the target's audio, transcribes it, runs it through an LLM with the persona context, and synthesises the reply, all inside two seconds of latency.

Stage 4, the live call

The call follows a simple arc. The opening establishes the persona and the situation. The middle introduces the pretext and the request. The close drives the action and removes any opportunity for verification. A typical opening sounds like this, scripted in real time by an LLM but voiced in a clone of the target's CEO:

"Hi, sorry to call you out of the blue. I am at Frankfurt about to board, and I just got a note from the bank that the wire to Acme Vendors is sitting in pending status. I need you to confirm the new account before close of business today, otherwise we are going to miss the milestone. Can you pull it up while I am still on the line?"

Three things are happening. The pretext is plausible. The urgency is real (close of business is a clock the target understands). The verification path (pulling up the account while the caller is on the line) is being controlled by the caller. If the target hesitates or asks to call back, the caller has a graceful response ready. They escalate the urgency, name a stakeholder, or pivot to a different request.

Stage 5, monetisation

The end state varies. The most common is a payment authorisation, either a direct wire or a vendor account change that funnels future invoices to the attacker. Other end states include credential disclosure, OTP harvesting (the caller asks the target to read out an OTP "to verify"), or installation of a remote access tool ("our IT helpdesk needs you to run a quick diagnostic, I will pass you to them"). In some advanced cases, the call ends with the target opening the door for a hybrid attack with a follow up video meeting.

Real engagements, lightly anonymised

The following engagements are anonymised composites of real incidents we have triaged in the last twelve months. Identifying details have been changed, the underlying tradecraft is preserved.

Mumbai logistics company, January 2026

A senior accounts manager received a WhatsApp call from a number listed in her contacts as the company's CFO. The voice was an exact match. The pretext was a vendor account change for a logistics partner she had been onboarding for three months. The voice referenced the vendor by name, mentioned the right project code, and confirmed correct details about the negotiated rate.

The accounts manager requested a callback, partly out of habit. The voice on the other end pushed back with believable irritation: "I am about to walk into a meeting, can we just do this now, you can confirm with my assistant after." She held the line, called back through the company directory, reached the actual CFO, who was in his office and had not called her at all. Loss: zero. The control that broke the chain was not technology. It was a single person with a callback habit.

Hyderabad fintech, February 2026

A product manager received a Zoom call invitation from someone using the email signature of a known board member. The invitation was on a Zoom link that looked legitimate but was actually a clone domain. He joined the meeting. The board member appeared on video for thirty seconds, asked for a credential reset on a specific dashboard "for an audit", and then dropped off citing connectivity issues. He followed up by phone five minutes later, voice cloned, and walked the product manager through the reset.

The product manager reset the credential, posted the new credential into the chat as requested, and only realised something was wrong when the actual board member responded to a different unrelated message thirty minutes later. Total time inside the kill chain: under fifteen minutes. The control that would have broken this chain: phishing resistant MFA on the target dashboard.

Delhi NCR healthcare provider, March 2026

A finance team received a series of calls over four days, each from a number resembling an internal extension, each from a "regional head" voice none of them had heard before. The first three calls were innocuous: confirming meeting times, asking for a vendor address, asking who handled medical equipment procurement. The fourth call asked for a wire confirmation against a real, ongoing equipment order, with a believable reason for the urgency.

The finance team paid the wire. Loss: forty seven lakh rupees. Recovery: partial, after a months long process with the receiving bank in another country. The control that would have broken this chain: out of band confirmation on any payment authorisation, regardless of urgency, without exception.

Voice biometrics, caller verification, and other shiny things

You will be sold a lot of products that promise to solve this problem. Most of them are useful as layers. None of them are safe as the primary control.

Voice biometrics

Voice biometric authentication enrolls a user's voice and uses it to verify them on subsequent calls. Most modern systems are vulnerable to high quality voice cloning, especially when the cloning model has been trained on the target's actual voice. Some systems include liveness checks (asking the caller to repeat a randomised phrase). These help against pre rendered audio attacks but not against real time inference, which can produce arbitrary speech on demand.

Verdict: Useful as a soft signal in a layered authentication flow. Unsafe as the only authentication for high value actions. Treat a passing voice biometric like a passing password: necessary but not sufficient.

STIR/SHAKEN and verified calls

STIR/SHAKEN attaches a cryptographic attestation to a call's caller ID, signed by the originating carrier. In markets where it is enforced (parts of North America), it raises the bar against cheap number spoofing. In markets where it is not enforced (much of South Asia, parts of Europe), it does not exist as a control.

Even where enforced, the attestation only proves the originating carrier knew the caller. A compromised SIP account at a legitimate carrier produces a valid attestation. Treat it as a useful but soft signal.

AI deepfake detectors

Several vendors ship audio deepfake detectors. Under lab conditions on archival audio, accuracy can be reasonable. In real call conditions (compressed codecs, network jitter, background noise), accuracy drops quickly. Worse, the detection landscape and the generation landscape are in a continuous arms race. A detector that works against today's models will quietly fail against next quarter's models.

Verdict: Pilot before procuring. Never deploy as a primary gate. If you do deploy one, treat it as an alert source, not a blocker, and have a clear human escalation path.

"Verified caller" platforms

A few platforms (Truecaller, branded calling solutions from telcos) attach a verified identity badge to outbound calls. These help legitimate businesses prove they are not phishing the recipient. They do not help defenders detect when a phisher impersonates a known business, because the phisher's call is on a different infrastructure that does not flow through the verifier.

Verdict: Helpful for outbound brand protection. Not a defense against inbound vishing.

Detection at telephony scale

If you operate a SOC and you want to detect AI vishing programmatically, the signals are real but require correlation across systems that most SOCs do not currently combine.

Signal one, novel caller plus high value action

A login from an unmanaged device immediately following a phone call from a new number, on a high value account, is a worthwhile alert. Joining the signals requires a feed from your telephony platform (which numbers each user received calls from, and when) into the same SIEM that ingests identity events. Most large organisations have both feeds. Few correlate them.

Signal two, sequence anomalies

A pattern we see often: a target receives a brief, innocuous call from a new number (the attacker's reconnaissance), then a longer call from the same number two days later (the attempt). On its own, neither call is suspicious. The sequence is. A simple rule that flags any user who took a long call from a new number that was first observed in the past seven days is a useful low priority alert.

Signal three, geography and time

Voice cloning attacks are often run from infrastructure in a different time zone from the target. A spike of calls to your finance team between 11pm and 4am local time, originating from numbers that have never called your organisation before, is worth investigating.

Signal four, content pattern

Where you have call recordings (with appropriate consent), simple keyword detection on transcribed audio for the words "wire", "urgent", "confidential", "do not tell anyone", "before close of business", combined with caller novelty, is a high precision detector. The attack scripts have not gotten clever. The bait is the same as it was in 2018.

Defense plan, layered and prioritised

Here is what we recommend after these engagements, in order of impact per dollar.

Layer one, human policy

1. Two minute callback rule. Any phone request involving money, credentials, vendor changes, or system access pauses the call. The receiver hangs up, looks up the requester through the company directory, and calls back on the directory number. The receiver is empowered to refuse to act if the callback fails. No exceptions, including for the CEO.

2. Shared safe word. A short phrase that lives in finance, executive, and engineering team members' heads. Not in a Slack channel, not in a wiki, not in an email. If a caller cannot produce the safe word on demand, the call ends. This sounds like spy fiction. It works because the attacker has no way to acquire it.

3. No urgency rule. Real internal urgency almost always has a paper trail. If a phone request has no email, no ticket, no signed approval, and the only push is the call itself, that is the signal to slow down.

Layer two, identity hardening

1. FIDO2 / WebAuthn MFA for any account that authorises money, accesses production systems, or holds executive privileges. Push and SMS factors are not enough.

2. Short lived sessions and conditional access. A stolen session that expires in fifteen minutes is much less dangerous than one that expires in twelve hours.

3. Step up authentication on high value actions. Even within an authenticated session, require a fresh authentication for any payment over a defined threshold or any vendor account change.

Layer three, telephony hygiene

1. Internal directory of verified numbers maintained by IT, not by individual assistants. Attackers commonly pivot through assistants to plant fake numbers.

2. Dedicated finance and exec lines with restricted inbound rules. Where possible, route external inbound calls to these lines through a verification system or a human receptionist.

3. Telephony log feed to SIEM. If you do not have it, get it. Without it, the correlation in the previous section is impossible.

Layer four, training, targeted and current

1. Role specific simulations. Simulate AI vishing against finance, executive support, and engineering on lifecycle. Generic awareness videos do not move the needle.

2. Updated awareness content. If the deck still says "look for grammar mistakes" or "voices are usually robotic", update it. Show staff what current generation cloning sounds like, with permission.

3. Reward reporting, not perfection. Public recognition for the person who hangs up and calls back is a stronger control than any tool. Make it visible.

Layer five, incident response

1. Pre written playbook for vishing incidents that covers wire recall procedures with the bank, session revocation, credential rotation, forensic capture of call metadata, and communication to internal stakeholders.

2. A relationship with your bank's fraud team before you need it. Wire recalls succeed or fail in the first six hours.

3. A no blame post mortem culture. People who fall for an AI vishing attack should be able to report it without fear. If they cannot, you will discover the loss days later instead of in real time.

What we are watching for in the rest of 2026

Three trends will likely define the next twelve months.

Hybrid attacks are becoming the default. The voice only attack is being replaced by an email, voice, and video sequence within a thirty minute window. We covered this in detail in our 3D phishing guide. Plan for it.

AI agents are running the calls autonomously. Earlier attacks were a human reading a script with cloned audio. Newer attempts use a real time agent that handles the entire conversation without a human at all. This means the attacker can run dozens of calls in parallel with no per call cost.

Targeting is shifting downward. A year ago, the targets were finance directors and CFOs. We are now seeing successful attacks against accounts payable specialists, helpdesk technicians, and vendor onboarding analysts. The defense pattern that protects only senior leaders does not generalise.

Closing checklist

If your team takes one thing from this post, make it the callback rule. It costs nothing, it works, and it does not depend on any vendor. Everything else is layering.

Five things to do this week:

1. Write a one page callback rule and circulate it to finance and executive teams.
2. Pick a safe word with your senior team. Do not write it down.
3. Replace push and SMS MFA with FIDO2 for any account with payment authority.
4. Get a feed of telephony logs into your SIEM. Even a basic feed unlocks valuable correlation.
5. Run one targeted vishing simulation against finance this quarter. Use a current attack pattern. Do not run a generic one.

If you want to test your team end to end against a current AI vishing kill chain under a controlled red team engagement, this is something we run regularly. Request a briefing.

For the multimodal version of this attack, where voice combines with email and video on the same target, see our 3D phishing guide. For the email side of the same problem, see our spear phishing 2026 guide.