What Are the Immediate Response Steps?
The first hour after discovering a voice clone attack determines whether funds can be recovered and whether the agency's legal exposure is managed or compounded. Financial containment runs in parallel with internal notifications; the notifications do not wait until containment is finished. The steps below must happen simultaneously, not sequentially.
Stop any in-process financial action immediately
If a wire transfer, ACH payment, or vendor payment change was authorized as a result of the call, contact your bank's fraud line within minutes — not hours. Request a wire recall or hold. If the transfer has already settled, contact the receiving bank with full account details and a fraud hold request. Every minute between a settled wire and the fraud hold reduces recovery odds. Assign one person to own this call and stay on it until resolved.
Document everything — with public records awareness
Record the call time, the number that appeared on caller ID, what the caller requested, what was authorized, the names of all staff who were party to the call or the resulting action, and the exact sequence of events. Do this in writing, immediately, before memory degrades. Critically: in most jurisdictions, these documents are public records. Draft all incident documentation with the assumption that it may be FOIA-requested. Do not include speculative language, blame assignments, or unverified assertions.
Alert agency head and general counsel within one hour
The agency's head (mayor, city manager, department director, administrator) and legal counsel must be notified within the first hour — not after financial recovery attempts are complete. Legal counsel needs to begin assessing disclosure obligations immediately, including public records obligations, legislative reporting requirements, and citizen notification timelines. Attorney-client privilege may protect some internal legal communications; identify those early and document accordingly.
Notify IT security — assess for parallel network intrusion
Voice clone attacks are not always phone-only incidents. Sophisticated attackers use voice fraud as a distraction or entry point while simultaneously attempting network access, credential harvesting, or system compromise. Your IT security team must assess whether the attack was limited to the phone channel or whether it was accompanied by email compromise, phishing activity, or unauthorized system access. If any system compromise is suspected, activate your full incident response protocol immediately.
Contact your bank and the receiving bank immediately if a transfer occurred
Call your sending bank's fraud line first — request a wire recall and obtain a case number. Then contact the receiving bank directly with the receiving account number and routing information to request a fraud hold. Provide the IC3 complaint number once filed (see law enforcement section below) to both banks. Document every call: the representative's name, time, what was requested, and what was committed. This documentation will be required for fund recovery and for any insurance claim.
Do not try to verify the caller's identity by calling back the number that called you. Phone numbers are trivially spoofed. Calling back the displayed number reaches the attacker, not the official being impersonated. All verification must go through independently confirmed directory numbers.
What Are the Government-Specific Notification Obligations?
Private-sector companies have legal counsel and a relatively narrow set of notification obligations. Government agencies have multiple overlapping reporting chains (state CISO, Inspector General, legislative bodies, and potentially the public) that activate simultaneously and on tight timelines. Missing any one of them compounds the agency's legal and political exposure.
Unlike private organizations, government agencies operate under a layered set of reporting obligations that span internal chains, state oversight bodies, federal agencies, and the public. Understanding which obligations apply in your jurisdiction before an incident occurs is the ideal; understanding them in the first hour after an incident is the operational reality most agencies face.
State CISO or State IT Office Notification
Most states require government agencies, including municipal, county, and state-level entities, to report cybersecurity incidents to the state Chief Information Security Officer or designated state IT office, though timelines and thresholds vary. Some states require notification within 24 hours of discovery; others within 72 hours. Your state's cybersecurity incident reporting requirements should be in your agency's incident response plan. If they are not, contact your state IT office directly after securing legal counsel.
Legislative Notification for Significant Financial Losses
Many state statutes and local government charters require that losses of public funds above a certain threshold be reported to the relevant legislative body — city council, county board of supervisors, state legislature. The threshold and timeline vary by jurisdiction. This notification is often distinct from the public disclosure obligation and may be required before any public statement is made. Your general counsel should identify whether this obligation applies and within what timeframe.
Inspector General Notification
Federal agencies have a statutory obligation to notify the relevant Inspector General of significant fraud incidents, including voice-enabled wire fraud. Many state agencies and some municipalities also have Inspector General offices or internal audit functions with similar notification requirements. The IG or internal audit office serves as an independent oversight body and its notification must not be delayed pending legal advice on other fronts.
Public Records Obligations: Document Accordingly
This is the obligation most agencies fail to manage in the first hours. Every email, incident report, internal memo, and documented communication created during incident response is potentially a public record subject to FOIA or state equivalent requests. Press, advocacy organizations, and political opponents file records requests on government cybersecurity incidents routinely. This does not mean documents should not be created — thorough documentation is essential. It means every document should be written with factual precision, without speculation, and with awareness that it may eventually be public.
Constituent and Citizen Notification if Data Was Accessed
If the voice clone attack was accompanied by a data breach — unauthorized access to citizen records, financial information, personally identifiable information, or protected data — state breach notification laws require notifying affected individuals within a defined window. In most states this is 30–72 hours from discovery of the breach. Some federal programs (HHS for healthcare data, GLBA for financial data) have their own notification requirements. Legal counsel must assess which statutes apply and begin drafting notification language immediately, even if the final breach scope is not yet determined.
How Do Interagency Coordination and Law Enforcement Reports Work?
Government agencies have access to law enforcement channels not available to private organizations. Using them correctly — and in the right sequence — maximizes both the probability of financial recovery and the quality of the criminal investigation. Filing in the wrong order or missing a reporting channel entirely can reduce recovery options.
FBI: Local Field Office and IC3
File at ic3.gov immediately — this is the Internet Crime Complaint Center and the mechanism that activates the FBI Financial Fraud Kill Chain for wire transfers of $50,000 or more reported within 72 hours. After filing and obtaining a complaint number, contact your local FBI field office directly. Government fraud cases involving public funds frequently receive prioritized attention. Provide the IC3 complaint number when you call the field office. The two filings — IC3 and field office — are complementary, not redundant.
CISA: Cybersecurity and Infrastructure Security Agency
CISA is the federal hub for cybersecurity incident coordination across all levels of government. For federal agencies, CISA reporting is mandatory for significant cyber incidents under FISMA within 72 hours. For state and local governments, CISA reporting is not always statutorily mandatory but is strongly recommended: CISA can provide technical assistance, threat intelligence sharing, and coordination support at no cost. CISA's 24/7 reporting hotline is 888-282-0870. CISA's Regional Cybersecurity Advisors are stationed throughout the country and can provide in-person support to state and local agencies upon request.
State Police Cybercrime Unit
Every state has a cybercrime unit within the state police or attorney general's office. These units handle state-level cybercrime investigations and often have jurisdiction that complements the FBI's federal investigation. Contact your state's unit directly and provide the same documentation you provided to the FBI. State-level law enforcement may be better positioned to address the local dimensions of the attack, particularly if the attacker is believed to be operating within the state.
Federal Agencies: US-CERT and CISA Mandatory Reporting
For federal civilian executive branch agencies specifically, reporting significant cyber incidents to CISA (which absorbed US-CERT's functions) is mandatory under FISMA. The reporting threshold covers incidents that may affect the confidentiality, integrity, or availability of federal information or systems — a voice clone attack that resulted in unauthorized financial transactions or data exposure meets this threshold. Mandatory reports must be filed within 72 hours of identifying the incident. Agencies that fail to file within the mandatory window face a separate compliance exposure on top of the incident itself.
Sequence matters. File IC3 before contacting media or issuing any public statement. Law enforcement requests that agencies not disclose details that could compromise an active investigation. Coordinate all public communications through legal counsel and public affairs after law enforcement has been notified and provided guidance on what can be disclosed.
How Do You Manage Public Disclosure Obligations?
Government agencies do not control whether a voice clone incident becomes public — they only control when and how. In most jurisdictions the incident will eventually be public record. Proactive, factual disclosure managed through legal counsel and public affairs is almost always a better outcome than a reactive disclosure forced by a records request or media inquiry.
Work With Legal Counsel and Public Affairs From Hour One
The public affairs and communications function should be activated within the first hour, in parallel with financial recovery and law enforcement notification. The reason is not to manage optics — it is because disclosure obligations often have their own statutory timelines that are separate from financial recovery timelines. Public affairs staff need to begin drafting holding statements while legal counsel determines what can and cannot be disclosed without compromising law enforcement operations.
Proactive Disclosure Is Usually the Better Strategy
Many experienced government communications professionals will tell you that proactive disclosure — a factual statement released by the agency before the story breaks through a records request or press tip — consistently produces better outcomes than reactive disclosure. Proactive disclosure allows the agency to frame the narrative: what happened, what was done immediately, what was protected, and what steps are being taken to prevent recurrence. Reactive disclosure — where the first public account comes from a reporter's FOIA request — removes that control entirely.
What a Public Statement Should and Should Not Contain
A public statement on a voice clone attack should include: a factual description of what occurred (an AI-generated voice was used to impersonate a government official in a phone call to staff); what action was taken (financial recovery steps initiated immediately, law enforcement notified); what was protected (citizen data was not accessed / the transfer was halted before settlement); and what is being done going forward (security controls are being upgraded, staff training is being implemented). A public statement should not include: the specific financial amount if it would compromise the investigation, the names of individual staff members who were targeted, details of the technical attack method that would assist future attackers, or any information that law enforcement has asked to be withheld.
Media Inquiry Protocol
Designate a single spokesperson — typically the public information officer or the agency head — for all media inquiries. All staff should be instructed to refer any press contact to the designated spokesperson. Consistent, factual communication through a single channel prevents contradictory statements that undermine the agency's credibility and complicate the legal record.
How Do Government Agencies Prevent the Next Attack?
The most effective moment to implement prevention controls is immediately after an incident, when institutional will is highest and the reality of the threat is concrete rather than theoretical. Government agencies that conduct remediation without also implementing structural controls against recurrence are in the same position twelve months later — with a harder public record to manage the second time.
Pre-agreed passphrases between finance staff and authorized requestors
Any phone instruction for a wire transfer, vendor payment change, or financial authorization must be accompanied by a pre-agreed passphrase established face-to-face between the requestor and the finance staff member. The passphrase must be random, nonsensical, and never documented in any written record or digital channel. If a caller — regardless of how convincing the voice sounds — cannot supply the passphrase, the call is terminated and the request is escalated through a written channel. This control is independent of any technology and costs nothing to implement.
No payments processed from inbound calls — written request required
Implement a formal financial controls policy that prohibits initiating or modifying any wire transfer, ACH payment, or vendor banking change based solely on an inbound phone call. All payment actions must originate from a written request submitted from a verified government email address and approved through the documented authorization chain. If an official needs to authorize an urgent payment, they submit the request in writing and it proceeds through the standard approval process — urgency does not override the control.
Dual authorization for all wire transfers
Every wire transfer, regardless of amount, requires independent authorization from two separate officials, contacted through independent channels. The second authorizer must independently verify the legitimacy of the request, not simply confirm what the first person told them. Dual authorization cannot be suspended for urgency or emergency circumstances. If anything, emergency scenarios should trigger heightened verification rather than a bypass, because attackers specifically construct emergency pretexts to pressure staff into skipping controls.
Deploy Vicall on finance, HR, and executive admin phones
Vicall's on-device synthetic voice detection delivers a real-time REAL VOICE or SYNTHETIC DETECTED verdict before any instruction is acted on — in under one second. Finance clerks, procurement officers, HR staff, and executive administrators who receive the SYNTHETIC DETECTED signal end the call immediately, regardless of how compelling the scenario or how convincing the voice. For government offices on analog phone systems, Vicall deploys via an on-premises Mac mini with no cloud dependency and no data sovereignty concerns.
Incorporate voice fraud protocols into agency security policy and annual training
Prevention controls that exist only in practice — but not in documented policy — cannot be enforced, audited, or tested. Formalize passphrase protocols, inbound call payment prohibitions, dual authorization requirements, and Vicall deployment in the agency's official financial controls and cybersecurity policy documents. Conduct annual tabletop exercises that simulate a voice clone attack scenario so staff experience the pressure of the scenario in a training environment rather than a live one. Track completion and include voice fraud training in the annual security awareness program.
Frequently Asked Questions
In most jurisdictions, yes. Incident reports, internal communications, and documents created in response to a cybersecurity incident at a government agency are subject to public records laws, including FOIA at the federal level and equivalent state statutes. This is why documentation discipline from the first hour matters: records created during incident response may ultimately be requested by the press, the public, or oversight bodies. Work with your general counsel from the outset to understand which documents may carry privilege and which will be subject to disclosure. Some communications with legal counsel may be protected by attorney-client privilege, but operational incident documents generally are not.
If the voice clone attack was accompanied by a network intrusion and citizen data — personally identifiable information, financial data, or protected records — was accessed, most states have breach notification laws that require notifying affected citizens within a defined window (commonly 30–72 hours depending on jurisdiction). Some federal programs carry their own notification requirements: HHS regulations govern healthcare data breaches, GLBA governs financial data, and FERPA governs student education records. Your general counsel and state CISO office should be consulted immediately to determine applicable timelines and notification requirements. Begin drafting notification language as soon as a potential breach is identified — do not wait until the scope is fully confirmed.
File an IC3 report at ic3.gov immediately after discovering a fraudulent wire transfer. The FBI Financial Fraud Kill Chain is activated for losses of $50,000 or more reported within 72 hours of the transaction. In 2024, the FBI froze or recovered $561.6 million through this mechanism. After filing the IC3 report, contact your local FBI field office directly and reference the IC3 complaint number. Provide the full wire transfer details: sending bank, receiving bank, account numbers, routing numbers, dollar amount, and transaction timestamp. Speed is the critical variable — funds in transit can sometimes be frozen before they reach and are withdrawn from the recipient account. Government agencies should pre-identify their local FBI field office contact before an incident occurs.
The Cybersecurity and Infrastructure Security Agency (CISA) serves as the federal hub for cybersecurity incident coordination across government at all levels. For federal agencies, reporting significant cyber incidents to CISA is mandatory under FISMA within 72 hours. For state and local agencies, CISA reporting is not always mandatory but is strongly recommended: CISA can provide technical assistance, threat intelligence, and coordination support at no cost. CISA's 24/7 reporting hotline is 888-282-0870. CISA maintains Regional Cybersecurity Advisors stationed throughout the country who can provide in-person support to state and local governments. CISA also maintains the Shields Up advisory program, which provides current threat intelligence specifically relevant to government infrastructure targets.
Personal liability for a government employee who authorizes a fraudulent wire transfer is uncommon but not impossible. Most jurisdictions extend qualified immunity to public employees acting within the scope of their duties. However, if an employee deviated from documented financial control procedures — bypassed dual authorization requirements, failed to apply established verification protocols, or acted negligently in departing from standard operating procedure — they may face administrative disciplinary action, and in extreme cases, civil or criminal liability. This is why post-incident legal review and appropriate staff support are critical. The employee who was deceived is a victim of a sophisticated fraud; the institution's response should reflect that reality while also conducting a factual review of whether established controls were followed. Personal liability risk is significantly reduced when employees can demonstrate they followed all applicable procedures.