The CFO got a call from the CEO. Or at least, it sounded exactly like the CEO.
The voice matched. The cadence matched. Even the filler words were right. The CEO was traveling in Singapore for a conference. The CFO knew that. The call came from a +65 number. Everything checked out.
The caller needed an urgent wire transfer. $2.3 million CAD to a vendor account for a time-sensitive acquisition. Strict NDA. Don’t loop in legal or finance until it’s done.
The CFO started the transfer process. Then she did something that saved the company: she texted the CEO directly on Signal to confirm. The CEO had no idea what she was talking about.
What We Found When We Got Called In
I was part of the incident response team. Here’s the attack chain we reconstructed:
- Initial access: A phishing email to an executive assistant 23 days earlier. Her account was compromised via a fake Microsoft 365 login page.
- Reconnaissance: Over 3 weeks, the attacker read thousands of emails, identifying the CEO’s travel schedule, communication style, and ongoing deals.
- Voice cloning: The CEO had multiple public speaking videos on YouTube. That’s enough audio for a convincing voice clone with current tools.
- The call: A +65 number calling at 7:40am local time, when the CFO would just be starting her day.
The Voice Clone Was Not Sophisticated
The voice model was likely generated using one of several commercially available voice cloning services — some of which are free. The attacker didn’t need a research lab or custom ML pipeline. They needed publicly available audio and 20 minutes.
What Should Have Stopped This
- The EA’s account had no MFA. The initial phishing would have failed otherwise.
- There was no out-of-band verification protocol for wire transfers.
- The CEO’s conference talk videos were unreviewed from an OSINT perspective.
What did work: the CFO’s instinct to verify via Signal, and the bank’s anomaly detection on the wire instruction.
What You Should Do Now
1. Establish a wire transfer verification protocol — any transfer above your threshold requires a callback to a known number or a pre-established code word.
2. Mandate MFA everywhere. Phishing-resistant MFA (FIDO2/passkeys) where possible.
3. Brief your finance team on deepfake audio. A 5-minute demo is more convincing than any policy document.
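The verification protocol from step 1, written as a policy check. This is an added example, not code from the incident or the company involved; the directory number, the code word and the CAD 50,000 threshold are constructed for illustration, and the point it makes is that neither the inbound caller ID, the urgency claim, nor a callback to the number the call came from counts as verification.

```python
import hmac
from dataclasses import dataclass, field

# Constructed data for the example: the directory of record comes from HR/IT,
# never from the inbound call, and the code word is agreed in person beforehand.
DIRECTORY = {"ceo": "+1-416-555-0100"}      # hypothetical number of record
CODE_WORDS = {"ceo": "tangerine-harbour"}   # hypothetical pre-established code word
THRESHOLD_CAD = 50_000                      # assumed approval threshold

@dataclass
class Verification:
    channel: str                 # "callback" or "code_word"
    number_dialed: str = ""      # for callbacks: the number the verifier actually dialed
    phrase: str = ""             # for code words: the phrase the caller gave
    confirmed: bool = False      # did the person reached confirm the request?

@dataclass
class WireRequest:
    requester_role: str          # who the caller claims to be
    amount_cad: float
    caller_id: str               # inbound number; attacker-controlled, never trusted
    urgent: bool = False         # "time-sensitive, strict NDA" never shortcuts the check
    verifications: list[Verification] = field(default_factory=list)

def verify_wire(req: WireRequest) -> tuple[bool, str]:
    """Return (approved, reason) for a wire request under the callback/code-word protocol."""
    if req.amount_cad < THRESHOLD_CAD:
        return True, "below threshold"
    known = DIRECTORY.get(req.requester_role)
    if known is None:
        return False, "requester not in directory of record"
    for v in req.verifications:
        if v.channel == "callback":
            # Calling the inbound number back just reaches the attacker again;
            # only a confirmed callback to the directory number counts.
            if v.number_dialed == known and v.confirmed:
                return True, "confirmed by callback to directory number"
        elif v.channel == "code_word":
            expected = CODE_WORDS.get(req.requester_role, "")
            if expected and hmac.compare_digest(v.phrase.encode(), expected.encode()):
                return True, "pre-established code word matched"
    return False, "no out-of-band verification above threshold"
```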
The wire didn’t go through. But the attacker was in that environment for 23 days reading sensitive emails. The wire was the visible attack. The email access was the real breach.