A voice clone attack on a small business moves fast. An employee hears the owner's voice — convinced by the familiar cadence, the word choices, the urgency — and processes a wire before anyone else in the building knows a call came in. By the time the real owner walks through the door, funds have cleared. The attack sequence from first ring to empty account can take less than ten minutes. This guide covers what to do from the moment you suspect a call was fraudulent, in the exact order that maximizes your chance of recovering money and stopping the next attack. If you have not yet experienced an attack and want to understand how these calls work, start with the small business voice clone fraud overview.
What Are the First Steps After Suspecting a Voice Clone Call?
The first sixty seconds after a suspicious call are the most important. If a transaction has not completed, you can still stop it. If it has, the clock for fund recovery has already started. These five steps should happen immediately — before any investigation, before any calls to law enforcement, and before any discussion with colleagues.
Stop. Do not complete the requested action.
Halt any in-progress wire transfer, banking detail change, payroll modification, or vendor payment instruction immediately. Do not authorize, confirm, or finalize anything. If the transaction is in a pending state with your bank, call the bank's wire operations line before doing anything else — pending wires can sometimes be stopped before they settle.
Hang up and call back on a verified number from your records.
Do not call back the number that called you — if the call was spoofed, that number connects directly to the attacker. Open your contacts, your email history, or your records and find a previously established number for the supposed caller. Call that number independently. If the real person answers and has no knowledge of the call, the request was fraudulent.
Document everything: time, number shown, what was asked, what happened.
Write down or record the exact time of the call, the number displayed on caller ID, the caller's identity as stated, exactly what they requested, any urgency framing used, and whether any action was taken. This documentation is required for your bank's fraud team, your FBI complaint, your local police report, and your insurance claim. Do not rely on memory — capture it immediately.
Alert the owner and everyone with account access immediately.
Contact the business owner and every employee with payment authority or banking access right now — by phone, in person, or in a group message on a channel you know is not compromised. Brief them on what happened and instruct them to take no payment actions until you have assessed the situation. A second attack call may be incoming targeting another employee.
Freeze any initiated transactions with your bank.
Call your bank's fraud or wire operations line — not the general customer service number — and tell them you have received a suspected fraudulent wire instruction. Ask them to flag or hold any recent outgoing wires for review. Provide the wire details if a transfer was sent. Ask specifically whether the wire has settled or is still in a pending state — pending wires have the highest recovery probability.
Do not reset passwords, wipe devices, or change account credentials before law enforcement has reviewed the evidence. Forensic investigation of a voice fraud attack may require access to call logs, voicemails, email headers, and banking system metadata. Destroying that evidence — even with good intentions — can eliminate your legal standing and your insurer's ability to process a claim.
What Financial Actions Need to Be Reversed Immediately?
The type of financial action taken during the attack determines who you call, in what order, and how much time you have. Wire transfers and banking detail changes have different recovery windows and different points of contact. Act on every applicable item below — simultaneously if you have staff available to split the calls.
Wire transfer sent
Contact your sending bank's wire operations or fraud line now. Every minute between sending and recall matters — receiving banks typically release wired funds to the account holder within one to two business days, and some release same-day. Request an immediate wire recall and provide: the wire amount, the exact date and time sent, the receiving bank name, the receiving account number, and the routing number. If the wire was $50,000 or more, simultaneously file at ic3.gov and activate the FBI Financial Fraud Kill Chain.
Banking details changed
Contact your bank's fraud team and request an immediate reversal of any account detail changes — mailing address, authorized signers, linked accounts, or online banking credentials. If banking credentials were changed, ask the bank to lock the account pending identity verification. Ask for a full audit log of all changes made in the past 48 hours.
Vendor payment redirected
Contact the legitimate vendor directly via a verified phone number from your records — not the contact information from the fraudulent request. Inform them that their banking details may have been impersonated and that a payment was redirected. They may need to file their own fraud report if their identity was used in the attack.
Payroll account changed
Contact your payroll processor's fraud team immediately. Request a hold on any outgoing payroll disbursements until the change can be verified in person with your payroll contact. If employees are expecting payments, notify them through a verified internal channel that a brief hold is in place while a security issue is resolved.
What Law Enforcement Reports Must a Small Business File?
Filing correctly and completely determines your recovery options, your insurance claim eligibility, and whether federal resources — including the Financial Fraud Kill Chain — can be deployed on your behalf. File every applicable report below within 24 hours of the incident. Each serves a different purpose and none substitutes for the others.
ic3.gov — FBI Internet Crime Complaint Center (required for FFKC)
File at ic3.gov first. This creates the federal record that FBI field offices reference when activating the Financial Fraud Kill Chain. Your IC3 report number is required when you call the FBI. Include: the exact wire amount, the transfer date and time, the receiving bank and account information, the spoofed phone number used in the attack, and any email addresses involved. After filing, call your nearest FBI field office, provide your IC3 number, and explicitly request FFKC activation if the wire was $50,000 or more and within the 72-hour window.
FTC at reportfraud.ftc.gov
File a report with the Federal Trade Commission at reportfraud.ftc.gov. FTC reports feed into the Consumer Sentinel Network used by law enforcement agencies at the state and federal level. This report is separate from the IC3 complaint and does not activate the FFKC — both are required.
Local police report
File a police report with your local department regardless of whether local law enforcement has jurisdiction over the fraud itself. Most business insurance policies and cyber insurance policies require a local police report as a condition of filing a claim. The report number is what your insurer needs — the local investigation is secondary.
Business insurance and cyber policy notification
Notify your business insurance carrier and your cyber insurance carrier (if separate) the same day you file law enforcement reports. Provide your IC3 report number, your local police report number, and all documentation. Ask your insurer specifically: whether the policy covers voice fraud / social engineering losses, whether there are notification deadlines that affect coverage, and what documentation they require before they will process the claim.
SBA resources (if applicable)
The Small Business Administration provides fraud resources and can refer affected businesses to federal agencies. If the attack impacted an SBA-backed loan, line of credit, or government contract, notify your SBA district office — certain fraud events affecting federally-backed financing have specific reporting requirements.
Do not post about the attack on social media, in industry groups, or in public forums before speaking with legal counsel and your insurer. Public disclosure can complicate insurance claims, create liability exposure, and signal to the original attackers that their fraud was discovered — prompting follow-on attacks against the same business while accounts are in flux.
How Do You Tell Your Employees and Customers?
Internal communication needs to happen within 24 hours. External communication — to customers, vendors, and the public — requires legal and insurance guidance first. The sequence matters: getting internal verification controls in place before any external disclosure reduces your exposure to follow-on attacks during the response period.
Brief all employees with payment or banking access within 24 hours
Gather every employee who has authorization to initiate payments, change banking details, or access accounts — in person or on a verified call. Explain what happened factually: a fraudulent call used AI-generated voice to impersonate someone in the organization. Do not assign blame or speculate about internal compromise. At the same meeting, introduce new verification procedures: the passphrase rule and the callback protocol (see the prevention section below). Employees need concrete new procedures to follow, not just a warning that something bad happened.
If customer data was potentially disclosed, notify affected customers
If the attack involved disclosure of customer personal or financial information — account numbers, contact details, transaction history — consult a business attorney in your state before notifying customers. State data breach notification laws vary significantly in their timing requirements, the method of notification required, and who must be notified. Your attorney and insurer should be involved in drafting any customer-facing communication about the incident.
Do not discuss the attack publicly until you have legal and insurance guidance
Hold any external statements — press, social media, vendor communications about the fraud — until your attorney has reviewed the situation and your insurer has been notified. This is not about secrecy; it is about protecting your legal and financial interests during the critical first 72 hours when recovery actions are still possible.
Preserve all evidence before any staff changes or system resets
Before any employee is terminated, any device is wiped, or any account password is reset as a result of this incident, preserve the evidence. This means: download and save all call logs, export voicemail recordings, archive relevant email threads, and capture bank transaction logs. Take screenshots of any account change history. Store copies in at least two locations. Law enforcement and your insurer will need this material, and once it is deleted it cannot be recovered.
How Does a Small Business Prevent the Next Attack Without an IT Department?
The controls that prevent voice clone fraud require no technology, no IT department, and no ongoing cost — except the last one. Implement them all within one week of the incident, beginning with the passphrase at the employee meeting where you brief the team.
Pre-agreed passphrase — set face-to-face with everyone who can authorize payments
The FBI's primary recommendation for preventing voice clone fraud: establish a random, nonsensical passphrase — something like "silver ladder Tuesday" — in person with every employee who has payment authority. No wire transfer, no banking change, no unusual payment of any kind gets processed unless the caller supplies this phrase. Because it is never shared digitally or stored anywhere, no AI system, no data breach, and no social engineering can expose it. Absent the phrase, the employee does not act and verifies through an independent channel before any funds move.
Callback rule — never act on inbound call requests, always call back on a verified number
Establish a firm policy: no payment instruction, banking change, or wire request received on an inbound call is acted upon without a callback to a verified number. The employee hangs up, finds the requester's number in company records (not the number that called), and calls independently to confirm. This rule applies regardless of how familiar the voice sounds, how urgent the request is, or what caller ID displays. Urgency is the attacker's primary tool — the rule eliminates its effectiveness.
Written authorization required for any wire or banking change
No wire transfer and no vendor banking detail change is executed based solely on a phone call — regardless of who the caller claims to be. Any such request must be confirmed in writing through an independent channel before action is taken. An email thread on a known address, a secure messaging platform, or a signed written form — all are acceptable. A voice call alone, no matter how convincing, is not. This rule creates a second verification point that breaks the verbal-only attack chain completely.
Deploy Vicall for real-time voice clone detection on all business phones
Vicall runs on any iOS or Android smartphone and provides an on-screen verdict — REAL VOICE or SYNTHETIC DETECTED — in under one second on incoming calls. It is the only control that works during the live call itself, before a wire instruction can be completed. No cloud audio transmission — detection runs on-device. For businesses with analog desk phones, an on-premises Mac mini deployment provides the same detection without replacing existing hardware.
$20/month versus a $300,000 average small business voice fraud loss
The average voice fraud loss for a small business is approximately $300,000 — often representing months of operating revenue. Vicall costs $20 per month per line. For a business with five employees who have payment authority, that is $100 per month for real-time detection on every inbound call. There is no per-call cost, no IT department required, and deployment through an MSP partner typically takes under one hour for the entire organization.
Frequently Asked Questions
Yes, but the window is narrow. Contact your sending bank immediately and request a wire recall — banks can sometimes claw back funds before the receiving bank releases them to the account holder. Simultaneously file at ic3.gov and call your nearest FBI field office to request Financial Fraud Kill Chain (FFKC) activation if the wire was $50,000 or more. The FBI's FFKC achieved a 66% success rate freezing funds in 2024, but the report must be filed within 72 hours of the transfer. After 72 hours, domestic recovery odds drop sharply and international transfers become nearly unrecoverable. The three largest U.S. banks reimbursed only 2%, 4%, and 24% of wire fraud victims in 2023 — federal activation of FFKC is the most effective recovery path available to small businesses.
The Financial Fraud Kill Chain (FFKC) is an FBI rapid-response protocol that uses FinCEN's international financial intelligence relationships to freeze fraudulent wire transfers before funds can be withdrawn from the receiving account. To activate it: file a complaint at ic3.gov with full wire details — amount, date and time, receiving bank name, account number, and routing number. Then call your nearest FBI field office, reference your IC3 complaint number, and explicitly ask about FFKC activation. Eligibility requires a wire of $50,000 or more reported within 72 hours of the fraudulent transfer. In 2024 the FBI used the FFKC to freeze $561.6 million with a 66% success rate on activated cases. The majority of small business owners are unaware this option exists — the 72-hour window is the only variable you can control once a wire has cleared.
Customer notification is required if their personal or financial data was disclosed during the attack or if your systems were accessed as part of the fraud. If the attack was solely a wire transfer request and no customer data was involved, notification to customers is typically not legally required — but consult a business attorney in your state, as data breach notification laws vary significantly in timing requirements and scope. Notify your business insurance carrier before making any public statements, as insurers often have specific notification procedures that affect coverage eligibility. Premature or inaccurate public statements about an ongoing fraud incident can create additional legal exposure.
Contact both within the same day, but prioritize the FBI and your sending bank first — every hour matters for fund recovery. The Financial Fraud Kill Chain has a hard 72-hour deadline that cannot be extended. After initiating contact with your bank and the FBI, notify your business insurance carrier or cyber policy carrier that same day. Most crime and cyber policies require prompt notification and have specific documentation requirements. Ask your insurer whether a local police report is required for your claim — most insurers require one, separate from the FBI IC3 complaint — and ask about any deadlines in your policy that could affect coverage if notification is delayed.
Brief all employees with payment or banking access within 24 hours, in person or on a verified call — not by email, which may be monitored or compromised. Keep the briefing factual and forward-looking: what happened, what steps are being taken by the business and law enforcement, and what the new verification rules are going forward. Do not speculate about specific financial losses or assign blame during the initial briefing. Introduce the passphrase and callback protocol at the same meeting so employees leave with concrete procedures — the specific steps they will take on every future payment call — rather than general anxiety about phone calls. Avoid public statements on social media, in industry forums, or to the press until you have reviewed the situation with legal counsel and your insurer.
Stop the Next Attack
Before It Starts.
Vicall detects synthetic voices in under one second — on-device, no cloud, any phone. Deploy for every employee with payment authority through the MSP portal in under an hour.
Get StartedRelated Resources
More on phone-based social engineering, voice fraud, prevention, and protection for your organization.