Voice Clone Attack Response for Construction Companies

What Are the First Steps After Discovering a Voice Clone Attack?

Time determines recovery. A fraudulent wire that sits in a receiving account for more than a few hours becomes dramatically harder to recall — and nearly impossible to recover after 72 hours if funds are moved internationally. Every action in the first hour shapes whether you get the money back.

Contact the sending bank immediately — request a wire recall

Call your bank's fraud line the moment you confirm a fraudulent wire has been sent. Provide the full transaction details: wire amount, date and time, destination routing and account number, and the name of the receiving institution if known. Ask them to initiate a wire recall and simultaneously contact the receiving bank to request a hold. Every minute between discovery and this call reduces your recovery probability.

Do not inform the subcontractor or vendor before contacting the bank

This is counterintuitive but operationally critical. Notifying the subcontractor before the bank acts can cause unintended consequences — including the subcontractor contacting the attacker-controlled account, which may trigger the attacker to move the funds faster. Contain internally first. Contact the bank. Then proceed with subcontractor notification once a recall or hold has been initiated.

Document everything now

Before anything gets overwritten or lost: capture the call log, the caller ID that appeared, exactly what verbal instruction was given, who received the call, what amount was authorized, and what account it was sent to. Screenshot any emails, voicemails, or messages related to the fraudulent request. This documentation is required for FBI reporting, insurance claims, and any legal proceedings.

Alert the project owner and GC within 1 hour

The project owner and general contractor need to know immediately — they may have their own banking exposure, and they have contractual obligations to subcontractors that are now at risk. Use a verified, out-of-band communication channel (in-person or a number you have independently verified). Do not use the same phone or email channel that may have been compromised in the attack.

Freeze any pending payments on affected projects

If any other wire transfers or payment changes are queued for the same project — or for other projects managed by the same PM whose voice was cloned — freeze them immediately pending verification. The same attacker may have staged multiple fraudulent payments in the same attack window. Do not process anything until you have audited all recent banking changes and verified each pending payment through an out-of-band channel.

Wire recall success rate drops sharply after the first 24 hours. If funds have been moved to a second account or transferred internationally, recovery becomes significantly less likely regardless of law enforcement involvement. The bank call is not just a step — it is the step.

How Do You Verify the Scope of the Attack Across Active Projects?

Voice clone attackers in construction rarely run a single-target operation. If they cloned a PM's voice for one project, they may have used that same clone to hit multiple payment streams in the same attack window — maximizing return before detection. Scoping the attack across all active projects is essential before you resume normal payment operations.

Audit all wire transfers and banking changes in the last 72 hours. Pull a complete accounts payable ledger across every active project. Flag any wire sent to a new or recently changed account and treat it as suspect until verified. The 72-hour window accounts for the possibility that the first fraudulent transfer was not the one that triggered discovery.
Contact each subcontractor and vendor directly on verified numbers to confirm payment receipt. Do not use the contact numbers submitted in any recent inbound request. Use only numbers from your internal directory, prior invoices, or original signed contracts. Confirm verbally and in writing that the last payment was received in the expected amount.
Check accounts payable for any banking detail changes in the last week. Pull every change to vendor or subcontractor banking details submitted in the past seven days. For each one, verify the change was requested through an authenticated, written channel — not a phone call — and confirm with the payee directly on a verified number before processing further payments.
Review change orders approved verbally in recent weeks. Any verbally approved change order from the past two to three weeks should be cross-checked against your project documentation and confirmed directly with the relevant subcontractor or supplier. A cloned voice may have "approved" fraudulent change orders that have not yet resulted in a fraudulent payment but are staged to.
Assess whether the same attack was run on multiple projects. If the attack used a cloned PM voice, any project that PM managed is a potential target. Brief each project's accounting contact and ask them to immediately flag any unusual payment requests or banking changes they received in the same window.

72 hrs

The critical window for activating the FBI's Financial Fraud Kill Chain — and for auditing all payment activity across your active projects. Every hour of delay narrows your recovery options.

What Is the Subcontractor and Vendor Notification Process?

Once the bank has been contacted and you have a clear picture of which payments were fraudulently redirected, subcontractor and vendor notification must be handled precisely. Getting this wrong — using a compromised contact channel, rushing payment reissue without verifying banking details — can compound the loss.

Contact each affected subcontractor on their verified number — not any number from the fraudulent request. Use only numbers from your original contract documents, prior invoices, or numbers you have used previously and know to be correct. Explain clearly that their banking details were fraudulently changed without their knowledge and that a payment intended for them was redirected to an account controlled by a criminal.
Explain that their banking details were fraudulently changed and payments were redirected. Be factual and direct. Subcontractors have legal remedies if they are not paid on time under their contract terms — transparency now is far less costly than a mechanics lien or payment bond claim later. Document the notification with date, time, who was contacted, and what was communicated.
Issue corrected payments to verified accounts — get written confirmation of correct banking details. Before reissuing any payment, obtain written confirmation of the correct banking details from the subcontractor through a channel you control and can verify — ideally a signed document sent by the subcontractor from their known email address, followed by a verbal confirmation call on their verified number. Do not simply "undo" the banking change and reissue — verify fresh.
Preserve all documentation for insurance and legal proceedings. Every communication with every subcontractor and vendor related to this event — notification calls, written confirmations, corrected payment records — is potential evidence. Maintain a complete, timestamped record. Your cyber or crime insurer will require it for the claim, and legal counsel will need it if litigation follows.

What Law Enforcement Reports Must Be Filed?

Filing with the right agencies in the right order is not just a legal obligation — it determines whether there is any realistic chance of fund recovery. The FBI's Financial Fraud Kill Chain is the most powerful tool available to construction firms after a wire fraud event, and most have never heard of it.

ic3.gov (FBI IC3) — file this first, immediately

For losses of $50,000 or more, filing at ic3.gov within 72 hours of the fraudulent wire activates the Financial Fraud Kill Chain (FFKC) — a coordinated process between the FBI and financial institutions that has a 66% success rate at freezing funds. The FBI FFKC froze $561.6 million in 2024. This is the single most impactful filing you can make. Include the full transaction details, the destination account information, and all documentation you have collected. Note your sending bank's name and the name of the receiving institution.

FTC at reportfraud.ftc.gov

File a separate report with the Federal Trade Commission at reportfraud.ftc.gov. The FTC report feeds national fraud tracking databases and can support broader investigations of fraud rings operating across multiple victims. It is not a recovery mechanism, but it contributes to enforcement actions that may eventually disrupt the operation.

Local police report

File a police report with your local law enforcement agency. This report number is often required by your insurer to process a crime or cyber liability claim. Even if local police have limited jurisdiction over the fraud (which is typically perpetrated from outside the area), the report creates the official record your legal team and insurer need.

Bonding and surety insurers — and the project owner's risk manager

Construction-specific notification obligations include your bonding and surety insurers, who need to know that a payment fraud event has occurred on a bonded project — particularly if subcontractors may file payment bond claims as a result. The project owner's risk manager should also be notified, since they may have their own insurance obligations and contractual rights related to the event.

If a publicly bid project: notify the contracting government agency

On publicly bid work — municipal, county, state, or federal contracts — you may have a legal obligation to report fraud events to the contracting agency. Check your contract terms and consult legal counsel. Government agencies overseeing public construction contracts often have their own fraud investigation units and reporting requirements, and proactive disclosure is far better than discovery after the fact.

Most construction firms have never heard of the FBI Financial Fraud Kill Chain. Filing at ic3.gov is not just a report — it initiates active coordination between the FBI and financial institutions to freeze funds. Do not skip this step or treat it as optional paperwork. File it first, before the bank call if the 72-hour window allows, or immediately after.

How Do You Prevent the Next Attack on Job Sites?

Voice clone attacks on construction companies exploit exactly one structural weakness: verbal authorization is trusted without authentication. Every prevention control below targets that gap. None of them require significant technology investment — except the last one, which closes the gap that all the others leave open.

Passphrase between PM, GC, and accounting for all verbal wire authorizations

Establish a random, nonsensical passphrase — something that would never come up naturally in a construction conversation — between the project manager, GC, and accounting before each project begins. Any verbal authorization for a wire transfer or banking change must include this phrase. If it is absent, the call is treated as suspicious and no action is taken. Establish the phrase face-to-face or via a secure written channel — never over the phone or by email. Rotate it per project.

No banking changes processed from an inbound call — require written confirmation from a verified email

This single rule eliminates the most common voice clone attack vector in construction accounts payable. No change to any vendor or subcontractor banking detail — regardless of who calls, regardless of how convincing the voice is — can be acted upon based on a phone call alone. Written confirmation from a verified email address (one you have used previously, not one provided in the inbound call) is required before any change is made. Document this policy and train everyone with payment authority on it before the next project starts.

Callback required on any change order authorization over a set threshold

Any verbal authorization of a change order above a threshold you define — a common construction benchmark is $5,000 — must be verified with a callback to the authorizing party on a number from your internal directory. Not the number that called you. Not a number provided in the call or an email associated with that call. A number you have independently verified as belonging to the correct person. This callback must be logged.

Deploy Vicall on PM and accounting team phones

Vicall detects synthetic voices on live phone calls in under one second — on-device, no cloud, no audio sent externally. When accounting receives a call from a cloned PM voice and Vicall shows SYNTHETIC DETECTED, the call ends before any instruction is acted upon. Deploy on every smartphone used by accounting staff, project managers, and anyone with payment authority. The Mac mini on-premises deployment covers analog office lines. When Vicall flags a call, the passphrase and callback protocols provide the second layer of defense — but Vicall is often the first signal that stops the attack.

Project kickoff checklist: include verbal authorization protocols for all parties

Make fraud prevention a formal part of every project kickoff. The checklist should cover: passphrase establishment (documented, not emailed), confirmed contact numbers for all subcontractors and vendors in your internal directory, a written statement of your no-banking-change-by-phone policy shared with all project parties, and the callback threshold for change order authorizations. Brief the project owner's team as well — they are targets too. Revisit the checklist at the start of any new major project phase.

// FAQ

Frequently Asked Questions

The subcontractor never received payment — who is responsible for reimbursement?

Liability depends on your contract language and which party's internal controls failed. If your accounting department processed a payment to a fraudulently changed bank account, the general contractor or firm that authorized the payment typically bears initial exposure to the subcontractor — the subcontractor is owed their contract amount regardless of where the wire went. Your cyber liability or crime insurance policy may cover the loss. Consult legal counsel immediately, preserve all documentation, and do not make written admissions of fault before speaking with your attorney and insurer.

How do we verify that no other projects were targeted in the same attack?

Pull a full accounts payable audit for the last 72 hours across all active projects. Contact every subcontractor and vendor on a verified number — not any number provided in recent inbound calls or emails — and confirm they received their last payment. Check for any banking detail changes submitted in the last week and treat each one as suspect until verified by a direct callback to a number in your existing directory. Cross-reference change orders approved verbally in recent weeks against your project documentation.

Does a construction wire fraud event trigger bonding or surety insurance claims?

It depends on your policy terms. Standard performance and payment bonds cover non-performance and non-payment to subcontractors — not internal fraud losses. However, a crime insurance or cyber liability policy with a social engineering or funds transfer fraud endorsement may cover the redirected payment. Notify your bonding agent, surety insurer, and cyber/crime insurer immediately after the fraud is discovered. Delay in notification can void coverage. Some surety carriers also want to know if a payment bond claim may result from the fraud, since subcontractors who do not receive payment may file against the bond.

Can the GC be held liable if accounting processed a fraudulent verbal instruction?

Potentially, yes. If a GC's accounting department processed a payment change based solely on a verbal instruction — even a convincing voice clone — without following a documented verification protocol, that failure of internal controls can create liability exposure. Courts have increasingly scrutinized whether firms had reasonable fraud prevention measures in place. Establishing documented verbal authorization protocols, callback procedures, and dual authorization requirements before an attack occurs is essential to limiting liability after one.

How long does bank wire recall take after a fraudulent construction payment?

Wire recall timing is highly variable but success rate drops sharply after the first 24 hours. If the funds remain in the receiving account and have not been withdrawn or forwarded, a recall initiated within hours of the fraudulent transfer has a reasonable chance of success. The FBI's Financial Fraud Kill Chain, activated by filing at ic3.gov within 72 hours for losses of $50,000 or more, has a documented 66% success rate at freezing funds. After 72 hours — especially if funds were moved internationally — recovery becomes significantly less likely. Act immediately.

// Vicall

Protect Your Construction Team From
Voice Clone Fraud.

Vicall detects synthetic voices in under one second — on-device, no cloud, any phone. Deploy for your accounting team and PMs through the MSP portal before the next attack.

Get Started

Related Resources

Learn more about phone-based social engineering, voice fraud, and how to protect your organization.

Voice Fraud Guide → Prevention Protocols → Social Engineering Guide → Voice Fraud Statistics → MSP Partner Program →