What Are the Immediate Steps After a Voice Clone Attack on HR?
The first 60 minutes determine whether you can stop additional damage. Your payroll processor can freeze changes that haven't processed yet. Your banks can initiate recalls on payments that have cleared. Every minute the fraudulent account information stays active in your payroll system is a minute another disbursement can go to the wrong account.
When a voice clone call successfully deceives an HR or payroll team member, the fraudulent change enters your payroll system and begins moving toward disbursement. Your response in the first hour is not administrative — it is operational containment.
Freeze all pending payroll changes immediately
Call your payroll processor — not email, not ticket — and request an immediate freeze on any direct deposit changes that have been made but not yet processed. If your next payroll run has not disbursed, the fraudulent banking information can still be halted before any money moves. This is the single most time-sensitive action in the entire response sequence.
Identify every affected employee
Pull the payroll system change log for the attack window — every direct deposit modification made during the period the fraudulent call could have been received. Each modified record is a potentially affected employee. Cross-reference with any employees who have already reported missing paychecks. This list drives your employee notification, reversal requests, and law enforcement reports.
Contact your payroll processor and banks to initiate reversal
Contact the payroll processor with the specific employee records affected and request reversal or cancellation of any fraudulent payments already processed. Simultaneously contact your originating bank — the bank your organization sends payroll through — and provide the fraudulent receiving account details. Request both an ACH recall and a fraud hold on the receiving account. Give the receiving bank the same details; a fraud hold on their end prevents the criminal from withdrawing funds that have already settled.
Document everything now, while it is fresh
Create an incident log immediately: the exact time the fraudulent call was received, the name of the HR staff member who handled it, what the caller said, what was requested, what was processed, and when it was discovered. Document call logs, any caller ID information, and the payroll system change records. This contemporaneous documentation is the foundation of your insurance claim, law enforcement report, and any employee or legal proceedings.
Alert CHRO, CFO, and legal counsel within one hour
This is not an HR-only incident. The CHRO needs to manage employee relations and communication. The CFO must assess financial exposure, authorize emergency pay-cycle corrections, and notify cyber liability and crime insurance carriers. Outside legal counsel must immediately assess breach notification obligations under state law — particularly if employee PII was accessed — and advise on employment law exposure related to the affected employees' pay obligations.
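The "Identify every affected employee" step above can be run over a change-log export, as in this added example (not from the original page). It goes slightly beyond the text by also grouping changes by destination account, which is the detail the banks will ask for. The CSV columns, employee IDs and account values are constructed, and the schema is an assumption to be mapped to your payroll processor's actual export.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names are a hypothetical schema and the
# routing/account values are made up; map them to your processor's real export.
CHANGE_LOG = """\
timestamp,employee_id,field,new_routing,new_account_last4,changed_by,channel
2025-03-03T09:12:00,E1001,direct_deposit,999999991,4471,hr.jlee,phone
2025-03-03T09:40:00,E1002,home_address,,,hr.jlee,portal
2025-03-03T10:05:00,E1003,direct_deposit,999999991,4471,hr.jlee,phone
2025-03-03T11:30:00,E1004,direct_deposit,999999992,9920,self,portal
2025-03-05T14:00:00,E1005,direct_deposit,999999991,4471,hr.mroy,phone
"""


def load_changes(text):
    """Parse the export and convert timestamps so they compare correctly."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def triage(changes, window_start, window_end, reported_missing):
    """Build the affected-employee list for one attack window."""
    in_window = [
        c for c in changes
        if c["field"] == "direct_deposit"
        and window_start <= c["timestamp"] <= window_end
    ]
    modified = {c["employee_id"] for c in in_window}
    reported = set(reported_missing)

    # Group by destination account: these are the details the banks need.
    destinations = {}
    for c in in_window:
        key = (c["new_routing"], c["new_account_last4"])
        destinations.setdefault(key, set()).add(c["employee_id"])

    return {
        # Every modified record is a potentially affected employee.
        "modified": sorted(modified),
        # Modified AND already reporting a missing paycheck.
        "reported_and_modified": sorted(reported & modified),
        # Missing pay but no change found: the window is probably too narrow.
        "reported_but_not_in_window": sorted(reported - modified),
        # One account receiving several employees' pay.
        "shared_destinations": {
            k: sorted(v) for k, v in destinations.items() if len(v) > 1
        },
    }


if __name__ == "__main__":
    result = triage(
        load_changes(CHANGE_LOG),
        datetime(2025, 3, 3, 0, 0),
        datetime(2025, 3, 3, 23, 59, 59),
        reported_missing=["E1001", "E1005"],
    )
    for name, value in result.items():
        print(name, value)
```

A non-empty `reported_but_not_in_window` list means the attack window should be widened and the log pulled again before the affected-employee list is treated as complete.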
How Do You Handle the Affected Employees?
Employees whose paychecks were fraudulently diverted are victims of the same crime your organization is — they did nothing wrong and their livelihood was affected without their knowledge. How you notify and support them in the first 24 hours shapes both their legal exposure and yours. Transparency and speed matter as much here as in the technical response.
Affected employees must be notified personally before any mass communication goes out. A mass announcement before individual notification forces employees to self-identify whether they are affected — which creates confusion, panic, and a flood of HR calls at exactly the moment your HR team is already overwhelmed managing the incident response.
Notify each affected employee personally first
Call each employee whose direct deposit was fraudulently changed before sending any organization-wide communication. Use their personal cell phone number — not their work email, which they may not see quickly, and not a communication channel that could be monitored. The call should come from their direct manager or HR business partner, not a general HR line. Personal notification signals that the organization takes their situation seriously and has already identified them as affected.
Explain factually what happened
Be direct: their direct deposit banking information was fraudulently changed through a voice clone phone call to HR, and their most recent paycheck may have been deposited to an account they do not own. Do not minimize it, speculate about whether the funds can be recovered, or offer premature reassurance that everything will be fine. Employees need accurate information to make their own decisions — including whether to notify their personal bank or take steps to protect their own accounts.
Commit to making them whole — and deliver on that commitment
Under federal and state wage payment laws, your organization is obligated to pay employees on the scheduled pay date regardless of what caused the non-payment. Make this commitment explicitly and immediately: the affected employee will receive their full pay, and the organization is not waiting for bank recovery to issue that payment. Reissue checks or emergency direct deposits as quickly as operationally possible — for most affected employees, missing a paycheck creates immediate personal financial hardship.
Provide a clear timeline for corrected payment
Give each employee a specific date — not "as soon as possible" — by which their corrected payment will be issued. If your payroll system cannot process an off-cycle run quickly enough, consider cutting a physical check or initiating a wire transfer directly. Uncertainty about when they will be paid amplifies the financial stress for employees who live paycheck to paycheck, and it creates legal risk if the employer misses wage payment deadlines under state law.
Offer identity theft monitoring if PII was also accessed
If the voice clone attack also resulted in exposure of employee Social Security numbers, dates of birth, bank account numbers, or other personal data — whether through a separate data access event or as part of the same call — offer affected employees credit monitoring and identity theft protection services at the organization's expense. This is both the right thing to do and a meaningful demonstration of good faith that can reduce the risk of employee litigation.
Do not issue a mass announcement before you have personally notified every identified affected employee. Mass communications cause unaffected employees to flood HR asking whether their pay is at risk, consume response capacity your team needs for the actual incident, and may result in affected employees learning about the incident from a colleague rather than from HR — which destroys trust at exactly the moment you need it.
Can the Fraudulent Payroll Payment Be Reversed?
ACH payroll reversals are legally possible but strictly time-sensitive — and success is not guaranteed even when initiated immediately. The faster you move, the better your odds. The NACHA rules give you a window, the FBI gives you a kill chain, and your banks give you a fraud hold process. Use all three simultaneously, not sequentially.
Payroll fraud recovery involves multiple parallel tracks. No single mechanism guarantees recovery — but running all available tracks simultaneously maximizes the probability that at least one succeeds before the criminal withdraws the funds.
ACH reversal through your payroll processor
Under NACHA operating rules, ACH credit entries can be reversed within five banking days of the settlement date if the entry was made in error. Contact your payroll processor immediately with the fraudulent transaction details and request a reversal. Note that NACHA reversals require a legitimate reason — "erroneous amount" or "wrong account" — and the payroll processor will need the original transaction details to submit the reversal correctly. This is the fastest mechanism if the payroll run has only recently processed.
Bank-to-bank recall on both sides
Contact your originating bank — the bank your organization's payroll ACH originates from — and request a wire recall or ACH return. Simultaneously provide the fraudulent receiving account details to the originating bank so they can contact the receiving institution directly. Also contact the receiving bank yourself with the fraud details and request a fraud hold on the account. Banks are increasingly cooperative on fraud holds when law enforcement reports are filed concurrently — which is why the IC3 report and bank contact should happen on the same day.
FBI Financial Fraud Kill Chain for losses over $50,000
If the total amount of diverted payroll across all affected employees reaches or exceeds $50,000, and you file an FBI IC3 report at ic3.gov within 72 hours of discovery, the FBI's Financial Fraud Kill Chain can be activated. This is a coordinated law enforcement mechanism that has a documented 66% success rate for freezing funds before they are withdrawn or transferred internationally. In 2024, the Kill Chain froze $561.6 million in fraud proceeds. This mechanism only works within the 72-hour window — filing at hour 73 eliminates the option.
Pay employees regardless of recovery outcome
Do not make employee payment contingent on recovery of the fraudulent payment. Even if every reversal attempt fails and no funds are recovered, the employer's wage payment obligation to the affected employees remains in full force. The employer absorbs the loss through insurance, reserves, or as an operating cost — not by withholding or delaying employee wages. Conditioning employee payment on recovery exposes the organization to wage theft claims and regulatory action.
Document all reversal attempts for insurance and legal purposes
Every call to your payroll processor, every bank contact, every IC3 submission — log the date, time, name of person spoken with, reference or case number, and outcome. Your crime insurance or cyber liability carrier will require documentation of good-faith recovery efforts as part of the claims process. The absence of this documentation is one of the most common reasons payroll fraud insurance claims are reduced or denied.
What Law Enforcement Reports Must Be Filed?
Law enforcement reporting after a payroll voice clone attack is not optional and not merely procedural. The FBI IC3 report is the trigger for the Financial Fraud Kill Chain. The FTC report contributes to national fraud pattern analysis. The local police report is required documentation for most insurance claims. And if employee PII was accessed, state breach notification requirements may impose their own reporting deadlines with real legal consequences for non-compliance.
FBI IC3 — ic3.gov
File with the FBI Internet Crime Complaint Center at ic3.gov as soon as you have the basic incident details documented. For payroll losses of $50,000 or more, this filing activates the Financial Fraud Kill Chain. For smaller losses, it still contributes to federal fraud pattern tracking and may connect your incident to a broader criminal operation the FBI is already investigating. Include the fraudulent account details, total diverted amount, date and time of the call, and the IC3 case number in your incident log.
FTC — reportfraud.ftc.gov
File a report with the Federal Trade Commission at reportfraud.ftc.gov. FTC reports do not directly activate a recovery mechanism, but they contribute to national fraud databases used to identify and prosecute criminal organizations operating voice clone schemes at scale. If the criminal group responsible has targeted other organizations, your report may be the connecting data point that enables a prosecution.
Local law enforcement — police report
File a police report with your local law enforcement agency. The local police report is required documentation for the vast majority of crime insurance claims — your carrier will ask for it. The report also creates an official record of the incident that can support employee claims against the criminal and provides a basis for any civil litigation the organization may pursue against an identifiable perpetrator. Even if local law enforcement has limited capacity to investigate sophisticated voice clone fraud, the report is necessary infrastructure for everything else.
Cyber liability and crime insurance carriers
Notify your insurance carriers immediately — on the same day as the incident if at all possible. Most cyber liability and crime insurance policies have strict notice requirements, and delayed notification can void coverage or reduce the claim payout. Provide your insurers with the incident documentation, the law enforcement case numbers, and the bank contact records. Ask specifically about coverage for both the employer's direct loss and the cost of making affected employees whole.
State breach notification — if employee PII was accessed
If the voice clone attack also resulted in unauthorized access to employee Social Security numbers, bank account numbers, dates of birth, or other personally identifiable information — whether through the HR call itself or through a concurrent data access event — your organization almost certainly has breach notification obligations under one or more state laws. All 50 states have data breach notification statutes. State-mandated notification timelines vary from 30 to 90 days, with some states requiring notification within 72 hours for certain categories of data or breach size. Engage legal counsel immediately to assess which states' laws apply based on where your employees reside.
Do not delay law enforcement reporting to "gather more information first." The value of the FBI IC3 report depends entirely on speed. A report filed at 71 hours may still activate the Financial Fraud Kill Chain. A report filed at 73 hours cannot. Every hour spent internally deliberating about whether to report is an hour the criminal spends moving funds beyond the reach of any recovery mechanism.
How Does HR Prevent the Next Payroll Voice Clone Attack?
The controls that stop payroll voice clone attacks are procedural, technical, and cultural. No single control is sufficient alone. But the most critical single change is eliminating the phone call as a sufficient channel for processing direct deposit changes — because as long as a phone call alone can update banking information, voice cloning will remain a viable attack vector regardless of how convincing the detection challenge becomes.
Eliminate phone calls as a sufficient channel for direct deposit changes
This is the foundational control. Any request to change an employee's direct deposit banking information — regardless of how convincing the caller sounds, what number appears on caller ID, or what urgency is expressed — must require a written request submitted through the employee self-service portal using the employee's own authenticated credentials. A phone call alone is never sufficient authorization for a banking change. This policy must be written, enforced, and applied without exceptions.
Out-of-band callback to the employee's number on file before any change
Even when a written request has been submitted through the employee portal, require a callback to the employee's personal phone number on file in HR — not a number provided during the request — before the change is processed. This out-of-band verification step confirms that the person who submitted the request through the authenticated portal is the same person who answers the phone number on file. An attacker who has successfully phished an employee's portal credentials cannot also intercept a call to the employee's personal number without a level of access that triggers other fraud indicators.
Manager co-approval for all direct deposit changes
Require that every direct deposit change be co-approved by the employee's direct manager through a separate, authenticated channel — not a forwarded email from HR, but a direct approval request sent to the manager's verified corporate email. The manager approval requirement adds a second human checkpoint who knows the employee personally and can flag an unusual request. It also means a successful attack requires deceiving two different people through two different channels — which is significantly harder than deceiving one HR generalist by phone.
Deploy Vicall on all HR and payroll staff phones
Vicall's on-device synthetic voice detection provides a REAL VOICE or SYNTHETIC DETECTED verdict in under one second, before the conversation proceeds to the request. When an HR staff member receives a call about a sensitive payroll change, Vicall surfaces the verdict in real time. A SYNTHETIC DETECTED verdict ends the call and triggers the verification protocol — regardless of how convincing the cloned voice sounds. Deploying Vicall on HR staff phones is the only control that directly intercepts the attack at the moment it occurs, rather than relying on procedural compliance under social engineering pressure.
Quarterly voice clone training specifically covering direct deposit scenarios
KnowBe4 data shows that security awareness training reduces susceptibility by 86% over 12 months. For HR staff, that training must specifically simulate the direct deposit voice clone scenario — a simulated call from a "cloned employee voice" requesting a banking change, with the HR staff member practicing the correct verification response under realistic pressure. Training that covers phishing emails or generic vishing does not build the specific reflex that stops payroll diversion. The scenario must match the actual attack: an urgent, convincing, employee-voice call requesting a routine-seeming payroll change.
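The first three controls above (portal-only requests, callback to the number on file, manager co-approval) can be enforced as a single gate in front of the payroll change, as in this added example (not from the original page and not any vendor's code). The record fields, channel labels and sample people are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EmployeeRecord:
    """What HR held on file before the request arrived."""
    employee_id: str
    phone_on_file: str
    manager_id: str


@dataclass(frozen=True)
class ChangeRequest:
    employee_id: str
    channel: str                     # "portal", "phone", "email"
    portal_authenticated: bool
    callback_number: Optional[str]   # number HR actually dialed, if any
    callback_confirmed: bool         # employee confirmed the change on that call
    approver_id: Optional[str]
    approval_channel: Optional[str]  # "direct_request" or "forwarded_email"


def _digits(number):
    """Compare phone numbers on digits only, ignoring punctuation."""
    return "".join(ch for ch in (number or "") if ch.isdigit())


def unmet_controls(req, rec):
    """Return the controls a request fails; an empty list means it may proceed."""
    unmet = []
    if req.employee_id != rec.employee_id:
        unmet.append("request does not match employee record")
    # A phone call alone is never sufficient authorization.
    if req.channel != "portal" or not req.portal_authenticated:
        unmet.append("authenticated portal request required")
    # The callback counts only if it went to the number HR already had.
    on_file = _digits(rec.phone_on_file)
    if not on_file or _digits(req.callback_number) != on_file:
        unmet.append("callback must go to the number on file")
    elif not req.callback_confirmed:
        unmet.append("employee did not confirm on callback")
    # Co-approval must come from the direct manager, not via a forwarded email.
    if req.approver_id is None or req.approver_id != rec.manager_id:
        unmet.append("direct manager co-approval required")
    elif req.approval_channel != "direct_request":
        unmet.append("approval must come through the direct request channel")
    return unmet


# Constructed sample data (fictional employee, manager and phone numbers).
RECORD = EmployeeRecord("E1001", "+1 202-555-0143", "M2001")
PHONE_ONLY = ChangeRequest("E1001", "phone", False, None, False, None, None)
CALLER_SUPPLIED_NUMBER = ChangeRequest(
    "E1001", "portal", True, "+1 202-555-0199", True, "M2001", "direct_request")
COMPLIANT = ChangeRequest(
    "E1001", "portal", True, "+1 (202) 555-0143", True, "M2001", "direct_request")

if __name__ == "__main__":
    for name in ("PHONE_ONLY", "CALLER_SUPPLIED_NUMBER", "COMPLIANT"):
        print(name, unmet_controls(globals()[name], RECORD))
```

The `CALLER_SUPPLIED_NUMBER` case is the one to watch: the request looks fully compliant, but the callback went to a number that was not on file, so the gate still refuses it.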
Frequently Asked Questions
Yes. Under the Fair Labor Standards Act and equivalent state wage payment laws, employers are obligated to pay employees on the scheduled pay date regardless of the method or cause of non-payment. If a fraudulent direct deposit change results in a misdirected paycheck, the employer must still pay the employee in full on the agreed schedule. The employer's recourse is against the fraudster and through insurance — not against the employee.
ACH reversals must be initiated within five banking days of the settlement date under NACHA rules. In practice, the sooner you act the better — contact your payroll processor and originating bank immediately. If the ACH has already settled and funds have been withdrawn from the receiving account, reversal becomes significantly harder. This is why notifying the payroll processor before the next disbursement cycle is the single most time-sensitive action.
Almost certainly yes. All 50 U.S. states have data breach notification laws that are triggered when Social Security numbers are accessed or acquired without authorization. State notification timelines vary from 30 to 90 days, with some states requiring notification within 72 hours for larger breaches. Consult legal counsel immediately if PII was accessed — notification requirements may also extend to state attorneys general and, in some cases, federal regulators.
The answer depends on whether the employee followed established procedures. If your organization had written controls requiring out-of-band verification or written requests for direct deposit changes, and the employee bypassed those controls, discipline may be appropriate. If no such procedures existed, the failure is organizational — not individual. Disciplining employees who were deceived by sophisticated AI voice cloning, without having given them the tools or training to detect it, is both legally risky and counterproductive to your security culture.
Create a contemporaneous incident log recording: the exact date and time of the fraudulent call, the name of the HR staff member who received it, verbatim or near-verbatim account of what was said, what change was processed, when it was discovered, and every remediation step taken with timestamps. Preserve call logs, voicemails, payroll system change records, and all bank communications. This documentation supports your insurance claim, demonstrates good-faith remediation to employees, and establishes the factual record if litigation arises.