What Are the Immediate Steps After a Voice Clone Attack?
The first hour after discovering a voice clone attack determines how much damage is recoverable. Stop any pending financial instructions immediately. Every step in this phase is about containing the loss and building the evidentiary record your insurer and legal counsel will need.
When a voice clone attack is identified — whether during the call, immediately after, or when the fraud surfaces hours or days later — the response sequence matters as much as the actions themselves. CPA firms that move fast on bank recall routinely recover funds that firms who delay do not. At the same time, the way you document the first response hour becomes the foundation of your professional liability defense.
Stop: hold all pending financial instructions
Do not process any financial instruction that originated from the suspicious call. This includes any wire transfer, payroll change, account modification, or fund movement that was verbally authorized and has not yet been executed. If a wire is already in process at your bank, call the bank immediately — some transactions can be recalled or stopped before they fully settle. Every minute counts.
Document: create the evidentiary record immediately
Before anything else changes, document: the caller ID number displayed, the exact call time and duration, the name the caller identified themselves as, what was requested, what was agreed to or acted upon, and the name of every staff member who was on or involved in the call. Screenshots of call logs, voicemail preservation, and contemporaneous notes are all admissible evidence. Do not rely on memory — write it down within the first 30 minutes.
Alert managing partner and compliance officer within 1 hour
This is not a decision one staff member should carry alone. The managing partner and compliance officer must be notified within the first hour — both to authorize next steps and to begin the internal assessment of whether and how the firm's written procedures were followed. This internal assessment is critical before any external communication, including to the client, the insurer, or law enforcement.
Preserve all records — do not delete or alter anything
Preserve every call log, voicemail recording, email thread, bank record, and internal communication related to the incident. Do not delete, overwrite, or "clean up" anything. Legal holds apply the moment fraud is suspected. Destruction of records — even accidental — can independently create liability exposure or impede your insurer's investigation. Instruct all staff involved to preserve their records immediately.
If client funds moved: bank recall is priority one
Contact the sending bank immediately and request a wire recall. Provide the full wire details: amount, destination routing and account number, reference number, and transaction time. Simultaneously, if you have the destination bank's information, contact them and request a hold on the receiving account. Reference the IC3 report you will file within the hour. The FBI Financial Fraud Kill Chain — which has a 66% recovery rate on losses of $50,000 or more filed within 72 hours — requires the IC3 report as the entry point.
Time is the only variable that matters for fund recovery. The FBI's Financial Fraud Kill Chain (FFKC) froze $561.6 million in fraudulent wire transfers in 2024. The FFKC requires an IC3.gov report filed within 72 hours of a loss of $50,000 or more. Firms that file IC3 reports within the first few hours have materially better outcomes than those that wait for the full picture before reporting. File first, update later.
What Is the Professional Liability Exposure After a Voice Clone Attack?
Professional liability is the second crisis inside the fraud crisis. If your firm acted on a fraudulent verbal instruction and client funds moved, the liability question is immediate: did the firm follow its documented procedures? The answer to that question — and the documentation that supports it — will define your exposure and your insurer's response.
CPA firms occupy a uniquely high-trust position in their clients' financial lives. Clients grant accounting firms verbal authorization authority precisely because efficiency is part of the service. That trust creates professional liability exposure that most general businesses do not face: when a fraudulent instruction results in a client financial loss, the question of whether the firm is responsible is not hypothetical — it is the first question the client's attorney will ask.
Whether a firm bears professional liability for a voice fraud loss depends on several factors, but the most determinative one is procedural: did the firm have documented verbal authorization procedures, and can it demonstrate that those procedures were followed? A firm that had a written callback requirement, a passphrase protocol, and a dual-authorization process — and that followed all of them — is in a legally defensible position. A firm that had no documented procedures, or had procedures it did not follow, is significantly more exposed.
Document whether written authorization procedures were followed
Pull your firm's engagement letters, operational procedures, and any documented wire authorization protocols. Assess honestly whether the staff member who handled the fraudulent call followed those procedures. This internal assessment must happen before any external communication — it determines the liability posture you are defending from. If procedures exist but were not followed, that fact must be disclosed to your insurer and legal counsel; attempting to conceal it will compound the liability.
Contact your professional liability insurer immediately
Most professional liability policies require prompt notification — commonly 24 to 72 hours — of any incident that could give rise to a claim. Late reporting is a leading basis for coverage denial. Call your insurer the same day. Do not wait to know the full scope of losses. Report that an incident occurred, that you are investigating, and that you will provide a complete factual record as it develops. Simultaneously notify your cyber liability insurer if your policy covers social engineering losses.
Engage legal counsel before communicating with affected clients
The most costly mistake CPA firms make after a voice fraud incident is calling the client to apologize before speaking with legal counsel. An apology that includes the words "we should have" or "we failed to" is an admission of liability. Your professional liability insurer's ability to defend the claim may be materially harmed by premature admissions. Engage counsel — preferably one with CPA professional liability experience — before drafting any client communication about the incident.
Assess state CPA board notification requirements
CPA board notification requirements after a professional incident vary significantly by jurisdiction. Some state boards require notification when a licensed professional's conduct is implicated in a financial loss event. Others impose notification requirements through their professional standards rules. Your legal counsel — ideally one familiar with your state's CPA licensing statutes — should make this determination. Do not assume your state does not require notification; the cost of failing to notify when required is worse than the notification itself.
How Do You Handle Client Notification After a Voice Clone Attack?
Client notification after a voice fraud incident is a legal communication, not a customer service one. The content, timing, and channel of your notification must be designed with legal counsel. Done correctly, notification preserves the client relationship. Done carelessly, it becomes exhibit A in a professional liability claim.
Clients who discover that their funds were moved fraudulently — or that their information may have been disclosed — need timely, accurate, and specific communication. The failure mode to avoid is one of two extremes: over-communicating in a way that makes liability admissions, or under-communicating in a way that leaves clients uninformed and feeling deceived. Legal counsel helps you navigate the middle path.
Identify which clients were targeted or affected
Not every client needs to be notified of every voice fraud incident. Identify the specific clients whose: (a) voice or identity was used in the attack, (b) funds were moved or attempted to be moved, or (c) personally identifiable information may have been disclosed during the fraudulent call. The scope of notification is proportional to the scope of impact. Your legal counsel will help you define the threshold for each category based on your state's data breach notification statutes.
Consult legal counsel before drafting any client notification
Every word of your client notification should be reviewed by counsel before it is sent. The notification must state the facts of what occurred, what the firm has done in response, and what steps the client should take — without making liability admissions that could be used against the firm. In jurisdictions with breach notification statutes, there may be required language, required timelines, and required disclosure channels. Counsel identifies which statutes apply and drafts the notification accordingly.
Provide specific facts without admitting liability
Your initial notification should: identify that a voice fraud incident occurred, confirm the specific impact to that client (funds attempted, funds moved, information potentially disclosed), confirm the recovery steps already taken (bank recall filed, law enforcement notified, insurer engaged), and provide a point of contact for questions. What it should not do: speculate on how the attack succeeded, assign blame to specific staff members, or contain language that implies the firm failed a duty of care. Those determinations are for legal proceedings, not client letters.
Offer credit monitoring if client PII was potentially disclosed
If the fraudulent call involved the disclosure of client personally identifiable information — Social Security numbers, account numbers, dates of birth, tax identification numbers — offer the affected client credit monitoring services. Many states legally require this offer when certain categories of PII are compromised. Even where not legally required, offering credit monitoring is a documented, tangible step that demonstrates the firm took the client's harm seriously. Document the offer and the client's response.
Document all client communications for regulatory and litigation purposes
Every communication with an affected client — every call, email, letter, and meeting — must be documented in detail. Record the date, time, channel, participants, content of communication, and the client's response. This documentation becomes the evidentiary record that demonstrates the firm's response was timely, transparent, and compliant with notification requirements. It also provides your professional liability insurer with the record they need to evaluate coverage.
What Law Enforcement Reports Must Be Filed?
Filing law enforcement reports is not optional — it is the mechanism that activates fund recovery programs and satisfies insurer reporting requirements. The IC3 report is the most time-sensitive: for losses of $50,000 or more, the FBI Financial Fraud Kill Chain must be activated within 72 hours to have its best chance of freezing funds in transit.
Many firms delay law enforcement reporting because they want to "have all the facts" first or because they are uncertain whether the incident is severe enough to report. Neither reason is valid. File immediately with what you know; reports can be updated. The cost of not filing promptly is measured in unrecovered funds and potential coverage gaps — not in incomplete reports.
IC3.gov — FBI Internet Crime Complaint Center
This is your highest-priority report and the most time-sensitive. For any fraud loss of $50,000 or more, filing with the FBI IC3 within 72 hours activates the Financial Fraud Kill Chain — the FBI's interagency program to freeze and recover fraudulent wire transfers. The FFKC has a 66% success rate and froze $561.6 million in 2024. File immediately at ic3.gov with all available transaction details: sending bank, receiving bank, routing and account numbers, wire amount, and call details. Your IC3 report number is what you reference in all subsequent bank and law enforcement contacts.
FTC report at reportfraud.ftc.gov
File a report with the Federal Trade Commission at reportfraud.ftc.gov. FTC reports contribute to the national database used to identify fraud patterns, connect related cases, and support enforcement actions. Your FTC report does not activate the same fund recovery mechanism as the IC3 report, but it creates an official federal record of the incident and may be required documentation for your insurer's investigation.
Local police report
File a local police report even if local law enforcement is unlikely to investigate the specific fraud. The police report creates an official record that an incident occurred — a document your insurer will require and that may be needed for state CPA board notifications or client-facing documentation. When filing, provide the IC3 report number as a cross-reference. Some local departments have financial crimes units that will escalate significant cases.
State CPA board notification (if required by jurisdiction)
As described in the professional liability section: state CPA board notification requirements vary. Some boards require notification when a licensed professional's conduct is implicated in a client financial loss. Your legal counsel should confirm whether notification is required in your state and, if so, the required timeline, format, and content. Do not make this determination without counsel — the consequences of late or deficient notification to a licensing board can extend beyond the fraud incident itself.
Notify professional liability and cyber liability insurers
Insurer notification is a legal reporting obligation under your policy terms, not a discretionary step. Notify both your professional liability insurer and your cyber liability insurer on the same day the incident is confirmed. Provide: the date and nature of the incident, the estimated financial exposure, the law enforcement reports filed (with report numbers), and the steps the firm has taken to contain the damage. Late notification is the most common basis for coverage denial in professional liability claims — do not give your insurer that basis.
How Does a CPA Firm Prevent the Next Attack?
Prevention controls after an incident serve two purposes: they actually reduce the risk of a repeat attack, and they create the documentary record that defends against professional liability claims arising from the current one. Implement these controls as formal engagement procedures — not security overhead — because that framing is accurate and it matters legally.
The controls that prevent voice clone fraud are not exotic. They are procedural disciplines that the accounting profession has understood in the context of written authorizations for decades. The gap is applying them specifically to verbal channels — recognizing that a phone call from a client voice is not a sufficient authorization for a financial transaction, any more than an unsigned letter would be.
Formalize verbal authorization procedures in engagement letters
Add explicit verbal authorization procedures to your standard engagement letters going forward. The engagement letter should state: no wire transfer or fund movement will be processed based solely on a verbal request; all verbal requests for financial transactions must be confirmed with a written instruction from the client's verified email address on file; and the firm reserves the right to require additional verification for any instruction above a defined dollar threshold. Having these procedures in the engagement letter means both parties have acknowledged them — which is your first line of professional liability defense.
Establish a pre-agreed passphrase with each client for wire authorizations
Establish a pre-agreed, randomly generated passphrase with each client specifically for use when authorizing financial transactions verbally. Set this passphrase at engagement onboarding — face-to-face or via secure written channel — and document it in the client file. No verbal wire authorization is acted upon unless the caller provides the passphrase. This single control defeats the overwhelming majority of voice clone attacks, because the attacker cannot know a passphrase that was set out of band and never transmitted over the channels an attacker can harvest (recorded calls, email, social media). It is still layered with the written-confirmation and callback controls below, because a passphrase that has been spoken on a call can be overheard or recorded.
Written confirmation required for every financial transaction
A verbal call — even one where the passphrase was provided and a callback was completed — is not sufficient authorization to initiate a financial transaction. Require a written instruction from the client's verified email address on file before any wire, payroll change, or account modification is processed. The verbal call starts the authorization process; the written instruction from a verified channel completes it. This two-channel requirement means that an attacker who successfully clones the voice still cannot move funds without also compromising the client's verified email.
Callback to verified number before any transaction
After receiving a verbal financial instruction — regardless of whether the passphrase was provided — always hang up and call the client back on the number from your verified client file. Do not call back the number that just called you. If the call was spoofed, your callback reaches the real client and reveals the fraud before any instruction is acted upon. If the real client confirms the instruction, your callback is documented evidence that you applied an out-of-band verification step. This is the simplest and highest-impact single procedural control.
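As an added example, not code from the page or from Vicall, the procedural controls above expressed as one release gate: the passphrase check, a callback that only counts if it went to the number on file rather than the inbound caller ID, written confirmation only from the verified email on file, and a second approver at or above a dollar threshold. The client file, threshold, passphrase, email addresses, phone numbers and both sample requests are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def hash_passphrase(passphrase: str) -> bytes:
    # The client file keeps only a digest of the onboarding passphrase.
    return hashlib.sha256(passphrase.strip().lower().encode("utf-8")).digest()

@dataclass
class ClientFile:
    name: str
    verified_phone: str         # callback number captured at onboarding
    verified_email: str         # the only channel that counts as written confirmation
    passphrase_hash: bytes
    dual_auth_threshold: float  # at or above this amount a second approver must sign off

@dataclass
class VerbalRequest:
    inbound_caller_id: str
    stated_passphrase: str
    amount: float
    callback_number_dialed: Optional[str]
    callback_confirmed: bool    # did the person reached on the callback confirm the instruction?
    written_confirmation_from: Optional[str]
    second_approver: Optional[str]

def evaluate_request(client: ClientFile, req: VerbalRequest) -> dict:
    """Return RELEASE only when every control passes; otherwise HOLD with the failed checks."""
    email_ok = (req.written_confirmation_from or "").lower() == client.verified_email.lower()
    checks = {
        "passphrase": hmac.compare_digest(hash_passphrase(req.stated_passphrase), client.passphrase_hash),
        # A callback counts only if it was dialed to the number on file, never the inbound number.
        "callback_to_number_on_file": req.callback_number_dialed == client.verified_phone and req.callback_confirmed,
        "written_confirmation_from_verified_email": email_ok,
        "dual_authorization": req.amount < client.dual_auth_threshold or bool(req.second_approver),
    }
    notes = []
    if req.inbound_caller_id == client.verified_phone:
        notes.append("inbound caller ID matches number on file; ignored, caller ID can be spoofed")
    if req.callback_number_dialed and req.callback_number_dialed != client.verified_phone:
        notes.append("callback dialed to a number not on file; does not count as verification")
    failed = [name for name, ok in checks.items() if not ok]
    return {"decision": "RELEASE" if not failed else "HOLD", "failed_checks": failed, "notes": notes}

# Constructed sample client file; none of these values are real.
CLIENT = ClientFile("Example Client LLC", "+1-555-0100", "controller@example-client.test",
                    hash_passphrase("maple-harbor-42"), 25000.0)

def legitimate_request() -> VerbalRequest:
    # Real client: passphrase given, callback to the number on file confirmed, written
    # instruction from the verified email, and a second partner signed off on the $40k wire.
    return VerbalRequest("+1-555-0100", "maple-harbor-42", 40000.0, "+1-555-0100", True,
                         "controller@example-client.test", "partner.b")

def spoofed_request() -> VerbalRequest:
    # Cloned voice behind a spoofed caller ID: wrong passphrase, the real client denied the
    # instruction on callback, and the written "confirmation" came from a lookalike domain.
    return VerbalRequest("+1-555-0100", "our usual one", 40000.0, "+1-555-0100", False,
                         "controller@example-cllent.test", None)

if __name__ == "__main__":
    for request in (legitimate_request(), spoofed_request()):
        print(evaluate_request(CLIENT, request))
```

The returned dictionary is the audit record to attach to the client file; the notes field records why a matching caller ID or an off-file callback was not credited.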
Deploy Vicall for real-time synthetic voice detection on firm phones
Vicall detects synthetic and AI-generated voices on live calls in under one second — on-device, no cloud required, on any smartphone. When a call comes in from a client's number using a cloned voice, Vicall displays SYNTHETIC DETECTED before any financial instruction is heard or acted upon. Deploy on the phones of all client services staff, client relationship managers, and any team member who receives client calls about financial matters. For CPA firms deploying across a practice, Vicall's MSP partner portal provides centralized deployment and management across all staff devices.
Frequently Asked Questions
Liability depends heavily on whether the firm followed its documented procedures. A firm that had no written authorization requirement, no passphrase protocol, and no callback verification in place — and processed a wire solely on an incoming call — faces significant professional liability exposure. A firm that can demonstrate it followed documented procedures (callback to a verified number, written confirmation requirement, dual authorization) is in a materially stronger legal position. Engage legal counsel before making any liability admissions to the affected client. Premature admissions can jeopardize your professional liability coverage.
The most valuable documentation includes: the firm's written engagement procedures for verbal financial instructions as they existed before the incident, call logs and any recordings showing what verification steps were taken, records of any written confirmation requested or received, evidence of callback attempts to the client's verified number on file, and dual-authorization sign-off logs. If Vicall was deployed and flagged the call, preserve that alert log as well. This documentation package is what your professional liability insurer and legal counsel will need to evaluate and defend the claim.
Requirements vary by jurisdiction. Some state CPA boards require notification when a firm's professional conduct is implicated in a financial loss event, particularly where client funds were moved. Several states also have data breach notification laws that may apply if client personally identifiable information was disclosed during the attack. Engage legal counsel with knowledge of your state's CPA licensing regulations and data breach statutes before making a determination on board notification. Do not assume your state does not require it — the cost of failing to notify when required exceeds the cost of the notification itself.
Do not apologize in a way that admits liability before consulting legal counsel — your professional liability policy may be affected by premature admissions. Do communicate promptly and transparently: contact the client, confirm the facts of what occurred, and outline the recovery steps you have already taken (bank recall request, IC3 filing, insurer notification). Offer to assist with their own reporting. The client relationship can survive the incident if the firm demonstrates swift action and transparency; it rarely survives the perception of concealment or a delayed, reluctant notification.
Most professional liability and cyber liability policies require "prompt" or "timely" notification, which courts have interpreted as between 24 and 72 hours in fraud incidents. Some policies specify an explicit deadline. Late reporting is a common basis for coverage denial. Notify your professional liability insurer and your cyber liability insurer simultaneously, as soon as you have confirmed that a fraudulent instruction was acted upon or that an attempt occurred. Do not wait for the full scope of losses to be determined before reporting — report immediately and update as the facts develop.