What Are the First Steps After a Voice Clone Attack?

The first minutes after detecting a voice clone attack determine whether funds can be recovered and whether the incident can be contained. There is a strict order of operations — getting it wrong, or getting it slow, has direct financial and legal consequences for the organization.

The moment a voice clone attack is suspected or confirmed, stop everything. If the call resulted in any action — a wire initiated, an account changed, a payment authorized — halt that action immediately before anything else happens. The first call you make should be to your bank, not to a colleague or your supervisor. Wire recalls are time-sensitive on a scale of hours, not days.

01. Stop any action requested during the call

Before documenting, before notifying leadership — stop the action. If a wire was initiated, call the bank's fraud line immediately and request a hold or recall. If an account change was submitted, contact the vendor or financial institution to reverse it. Every minute the funds remain in transit increases the probability of loss. Speed at this step directly determines recovery outcome.

02. Document everything you can recall right now

Record the exact call time, the caller ID displayed, the name of the person the caller claimed to be, exactly what was requested, and exactly what action (if any) was taken. Do this immediately while memory is fresh. Preserve call logs from your phone or the office phone system. Do not delete voicemails, emails, or any related communications. This documentation will be required by law enforcement, the bank, your insurer, and potentially the IRS.

03. Alert executive director and board chair within one hour

If the executive director was the person impersonated — which is the most common attack vector — notify the board chair first. Do not wait until you have complete information. Notify with what you know: a suspicious call occurred, it appeared to impersonate [name], and [this action] was or was not taken as a result. Leadership needs to be in the loop immediately, not after you have assembled a full report.

04. Preserve all call logs and related communications

Contact your phone system administrator or carrier to preserve call records before they are overwritten. Screenshot the caller ID from any mobile device involved. Save any text messages or emails that accompanied or followed the call. If your office phone system has call recording, secure that recording immediately. Once evidence is deleted, it is gone — and law enforcement investigations depend on it.

05. Contact the bank immediately if any funds were moved

Call the sending bank's fraud or wire recall line — not general customer service. Request an emergency wire recall and provide the receiving account number and routing information from the fraudulent instruction. Simultaneously request that the bank contact the receiving institution to flag the account. Some banks also have direct FBI liaison contacts for fraud cases above $50,000 — ask specifically about this. Every hour of delay lowers the probability of recovery.

Do not attempt to contact the attacker's phone number. The caller ID displayed during a voice clone attack is almost always spoofed. Calling it back does nothing useful and may complicate law enforcement tracing. All subsequent contact should go through your bank, your insurer, and law enforcement — not the inbound number.

What Are the Board Reporting Obligations After a Fraud Incident?

Nonprofit boards carry fiduciary responsibility for organizational assets. Most bylaws explicitly require board notification when significant financial incidents occur — and voice clone fraud that results in a wire transfer is a significant financial incident regardless of the dollar amount. Failing to notify the board promptly can itself become a governance failure.

The board chair should be notified within hours of the incident being confirmed — not at the next scheduled meeting, not after legal counsel has been engaged, not after the bank recall is resolved. Immediate notification. The board chair needs to know this happened so they can begin the governance response process in parallel with the operational response.

The full board should be convened within 24 to 48 hours — either as an emergency meeting or through a special written notice process if your bylaws permit. The meeting agenda should cover: what happened and when, what actions were taken, what the current status of any fund recovery is, what law enforcement reports have been filed, and what immediate corrective controls are being implemented.

72 hrs: the window to activate the FBI's Financial Fraud Kill Chain through ic3.gov. For $50,000 or more in wire fraud, every hour past the transfer that you wait to file reduces recovery probability. Board notification and IC3 filing should happen in parallel — not sequentially.

If the organization has an audit committee, it should be notified separately and simultaneously with full board notification. The audit committee's responsibility for financial controls and oversight makes it a primary stakeholder in both the incident response and the control improvement process.

Board minutes must document the incident and the board's response. This is not optional — it creates the governance record that demonstrates the board took its fiduciary obligations seriously. Minutes should include: the date and nature of the incident, when the board was notified, what the board directed management to do, and what follow-up reporting was required. This documentation is material if the incident requires IRS Form 990 disclosure.

IRS Form 990 Disclosure Considerations

The IRS Form 990 Part VI, Section B asks organizations whether they became aware of a significant diversion of assets during the year. The IRS defines a significant diversion broadly — including unauthorized conversions of assets from the organization's intended use, as well as losses due to fraud. Consult legal counsel immediately to determine whether your specific incident meets the disclosure threshold. The threshold is generally $250,000 or 5% of total assets — but your counsel will assess the specific facts.

The critical point: proactive, accurate 990 disclosure is far less damaging than a failure to disclose that is later discovered. Organizations that minimize or omit material incidents on their 990 face far more serious regulatory consequences than those that disclose transparently and document their corrective response.

How Do You Handle Donor Relations After a Voice Clone Attack?

Donor communications after a voice fraud incident require legal review before anything goes out. The wrong statement — or premature disclosure — can amplify reputational damage, create additional legal exposure, and undermine the organization's ability to maintain donor relationships. The first rule is to get counsel involved before communicating externally.

Do not post anything on social media, send a mass email to your donor list, or issue any public statement until legal counsel has reviewed the situation and approved the communications plan. This is not about concealment — it is about ensuring that what you say is accurate, legally appropriate, and strategically sequenced to protect donor relationships rather than damage them further.

Donors who were directly targeted or impersonated in the attack must be notified individually. If the attacker cloned a major donor's voice to impersonate them in the call, that donor has a right to know — and they should hear it from you directly, not from a press report or another donor. This is both an ethical obligation and a practical donor-retention imperative.

For donors whose funds were specifically targeted or compromised — for example, a gift or pledge payment that was redirected — individual, personal notification is required. This notification should come from the executive director or board chair, by phone or in person, not by email. The conversation should cover: what happened, that the organization is taking it seriously, what steps are being taken to address it, and what the current status of their specific funds is.

What to Say to Donors Who Inquire

Prepare a factual, calm holding statement for donors who reach out before a formal communication is ready. The statement should acknowledge that an incident occurred, state that the organization is actively responding and working with law enforcement, and commit to a timeline for fuller communication. Avoid minimizing language ("it was just a scam attempt") and avoid catastrophizing language that overstates the impact.

Staff who receive inbound donor calls about the incident should have this holding statement in writing and should not improvise responses. All donor communications should be routed through a designated contact — typically the development director or ED — rather than allowing individual staff members to respond ad hoc.

Document all donor communications as they occur: dates, names, what was communicated, and the donor's response. This documentation serves multiple purposes: it demonstrates that the organization handled donor relations appropriately, it creates a record for board review, and it provides a baseline for tracking donor retention through the recovery period.

What Law Enforcement Reports Must Be Filed?

Filing law enforcement reports is not optional — it is the mechanism that activates federal fund recovery capabilities, and it creates the documentation record that your insurer, board, and regulators will expect. File all reports in parallel, not sequentially. The 72-hour IC3 window runs from the time of the transfer, not from the time you finish filing other reports.

01. FBI IC3 — file at ic3.gov immediately

This is the highest-priority filing if any funds were transferred. The FBI's Internet Crime Complaint Center (IC3) report activates the Financial Fraud Kill Chain for losses of $50,000 or more reported within 72 hours of the wire transfer. The Kill Chain allows the FBI to contact the receiving bank and freeze funds before they are withdrawn. In 2024, this mechanism recovered $561.6 million in fraudulent transfers. File as soon as you have the basic incident facts — you can supplement the report later with additional details.

02. FTC — file at reportfraud.ftc.gov

The Federal Trade Commission collects fraud reports that feed the federal fraud tracking database. An FTC report does not trigger the same recovery mechanism as an IC3 report, but it contributes to the pattern data that helps the FTC identify and act against criminal networks. It also serves as a formal record of the incident for your organization's files and any subsequent regulatory inquiries.

03. Local police report

File a report with your local law enforcement agency. Most wire fraud cases are ultimately handled at the federal level, but a local police report creates an official incident number that your insurer will likely require. It also establishes the date of official report, which can be relevant to both insurance claims and any subsequent legal proceedings. Request a copy of the report for your records.

04. Notify cyber liability insurance carrier promptly

Contact your cyber liability insurance carrier as soon as law enforcement reports have been filed. Delayed notification can affect claim eligibility — most policies require prompt reporting, and some specify a notification window of 24 to 72 hours. Provide the carrier with your incident documentation, the law enforcement report numbers, and the bank recall request records. Ask specifically whether your policy covers social engineering fraud — some cyber policies require a separate endorsement for this coverage.

05. State attorney general notification — check your jurisdiction

Some states require nonprofits to notify the state attorney general's office of significant fraud incidents affecting charitable assets. This obligation varies by state and is typically triggered by losses above a defined threshold. Your legal counsel should advise on whether your jurisdiction requires this notification and within what timeframe. California, New York, and several other states with active nonprofit oversight offices are more likely to have this requirement.

How Do Nonprofits Prevent the Next Voice Clone Attack?

The period immediately after a voice clone attack — when the incident is fresh and leadership is engaged — is the best window to implement controls that were absent before. These five controls, implemented consistently, block the overwhelming majority of voice clone fraud attempts. The goal is to make every future attack fail at step one, before it can proceed to a wire request.

01. Establish a pre-agreed passphrase with key staff

The executive director, board treasurer, and any major vendors with whom the organization conducts financial transactions should each establish a pre-agreed passphrase with finance and operations staff. This phrase is agreed upon face-to-face or through a previously verified secure channel — never by email or phone. Any phone call requesting a wire or financial action must supply the passphrase before the request is processed. An AI voice clone cannot supply a passphrase it has never heard. This is the single most effective low-cost control available.

02. No wire or grant transfers from inbound call requests — written and verified only

Establish a formal written policy: wire transfers and grant disbursements are never processed based solely on an inbound phone call. Any phone request initiates a written confirmation requirement — the requestor must follow up by email from a known, verified address, and the instruction in that email must match what was requested verbally. This policy cannot be waived for urgency. An ED who is truly the one calling will understand why this policy exists and will provide the written confirmation. An attacker will not be able to.

03. Dual authorization for all transfers above board-approved threshold

Require two separate individuals, contacted through independent channels, to authorize any transfer above a defined dollar threshold. For most nonprofits, $5,000 is a reasonable starting threshold — the board should set the exact number based on the organization's operating profile. The second authorizer must independently verify the legitimacy of the request, not simply confirm what the first person told them. The dual authorization requirement cannot be waived for urgency — if a request cannot wait for dual authorization, that itself is a red flag.

04. Deploy Vicall on ED, development director, and finance staff phones

Vicall's on-device synthetic voice detection identifies AI-generated audio in under one second. Staff members who handle wire authorizations, grant disbursements, and donor communications see a REAL VOICE or SYNTHETIC DETECTED verdict before the conversation proceeds to a financial request. A SYNTHETIC DETECTED verdict ends the call immediately — regardless of how convincing the voice sounds. Deploy Vicall on the phones of any staff member who can authorize or initiate financial transactions, starting with the executive director and the finance lead.

05. Add voice fraud protocol to annual board governance training

Voice clone fraud is now a material financial risk for nonprofits — it belongs in annual governance training alongside fiduciary duties, conflict of interest policies, and whistleblower protections. Board members need to understand the attack vectors, their own reporting obligations if they receive a suspicious call, and the controls the organization has in place. Including this in annual training also creates a documented record that the board was informed and engaged on this risk — relevant for both regulatory and donor trust purposes.
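
The first three controls above (passphrase, written confirmation, dual authorization) can be enforced as a release gate in the payment workflow instead of being left to judgment during the call. The sketch below is an added example, not part of the original page or of any Vicall product; the field names, the `DIRECTORY` layout, the channel labels and all sample data are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD = 5_000  # starting figure from the text; the board sets the real one


def phrase_hash(phrase: str, salt: bytes) -> bytes:
    # Keep only a salted hash of the agreed passphrase, never the phrase itself.
    return hashlib.pbkdf2_hmac("sha256", phrase.strip().casefold().encode(), salt, 200_000)


@dataclass
class Request:
    requester: str
    amount: float
    account: str                 # beneficiary account stated on the call
    passphrase: str = ""         # what the caller supplied, if anything
    written_from: str = ""       # sender of the follow-up email (assumed authenticated upstream)
    written_amount: float = 0.0
    written_account: str = ""
    approvals: list = field(default_factory=list)  # (approver, channel) pairs


def blocking_reasons(req: Request, directory: dict) -> list:
    """Return every control the request fails; an empty list means release."""
    entry = directory.get(req.requester)
    if entry is None:
        return ["requester not enrolled"]
    reasons = []
    supplied = phrase_hash(req.passphrase, entry["salt"])
    if not hmac.compare_digest(supplied, entry["phrase_hash"]):  # constant-time compare
        reasons.append("passphrase missing or wrong")
    if req.written_from.lower() != entry["email"].lower():
        reasons.append("no written confirmation from the verified address")
    elif (req.written_amount, req.written_account) != (req.amount, req.account):
        reasons.append("written instruction does not match the call")
    if req.amount > DUAL_AUTH_THRESHOLD:
        # Assumption: "independent" means the approver is not the requester and
        # was not reached through the inbound call itself.
        approvers = {a for a, ch in req.approvals
                     if a != req.requester and ch != "inbound_call"}
        if len(approvers) < 2:
            reasons.append("needs two approvers reached outside the inbound call")
    return reasons  # deliberately no "urgent" parameter: urgency cannot waive a control


# Constructed sample data: names, address, accounts and passphrase are invented.
SALT = b"constructed-salt"
DIRECTORY = {"ed": {"email": "ed@nonprofit.example", "salt": SALT,
                    "phrase_hash": phrase_hash("blue heron ledger", SALT)}}

cloned_call = Request("ed", 48_000, "ACCT-9921")  # convincing voice, nothing else
genuine = Request("ed", 48_000, "ACCT-1004", "Blue Heron Ledger",
                  "ed@nonprofit.example", 48_000, "ACCT-1004",
                  [("treasurer", "in_person"), ("finance_lead", "callback_known_number")])

if __name__ == "__main__":
    print(blocking_reasons(cloned_call, DIRECTORY))
    print(blocking_reasons(genuine, DIRECTORY))
```

Logging the returned reasons for every blocked request also gives the board and the insurer a record that the controls were applied.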

Frequently Asked Questions

It depends on the amount and whether funds were actually lost. The IRS Form 990 Part VI asks about significant diversion of assets. The IRS defines a significant diversion as any unauthorized use of assets that the organization's management or governing body believes to be significant — typically $250,000 or 5% of total assets, whichever is less. Consult legal counsel immediately after any successful fraud incident to determine your specific 990 disclosure obligation. An attempted attack that was stopped before any funds moved generally does not trigger a 990 disclosure requirement.

Notify major donors whose voices were used personally, by phone or in-person — not by mass email. Lead with what happened factually, what the organization did to stop or address it, and what steps you are taking to prevent recurrence. Do not speculate about how the attacker obtained the voice sample. Have legal counsel review the outreach script before contact. Most donors respond well to direct, calm, prompt disclosure — and poorly to learning about an incident through press reports or third parties.

A single fraud incident does not automatically jeopardize 501(c)(3) status. The IRS is concerned with patterns of governance failure, not isolated incidents. What matters is the organization's response: did it have appropriate controls in place, did it report the incident properly, did it take corrective action, and did it make the required Form 990 disclosures? Organizations that respond quickly, document thoroughly, and implement stronger controls are in a significantly better position with regulators than those that minimize or conceal the incident.

Recovery is possible but time-dependent. The FBI's Financial Fraud Kill Chain — activated through an IC3 report at ic3.gov — has frozen over $560 million in fraudulent wire transfers. The mechanism only works if the report is filed within 72 hours of the transfer and the loss is $50,000 or more. Separately, contact the sending bank immediately to initiate a wire recall — the earlier the recall request, the higher the probability of recovery before funds are withdrawn from the receiving account. Cyber liability insurance may cover losses not recovered through bank recall or law enforcement action.

Transparency and documented corrective action are the two most effective tools. Donors who are notified directly, receive a clear account of what happened, and see evidence that the organization has implemented stronger controls are far more likely to remain engaged than donors who learn about an incident secondhand. Major donors should receive personal outreach from the executive director or board chair. All donors should receive a written update — either individually or through a newsletter — that explains the incident factually, avoids minimizing language, and lists the specific controls now in place. Timing matters: communicate before the story can spread through other channels.
