Why CPA Firms Are High-Value Targets

CPA firms occupy a uniquely dangerous position in the voice fraud threat landscape. Unlike most businesses — where a fraudulent wire instruction must overcome multiple layers of internal controls — accounting firms are specifically engaged by clients to act on financial instructions efficiently and with limited friction. A business owner who calls their CPA and says "please wire $50,000 to this account" expects that instruction to be executed. The entire value proposition of the accountant-client relationship includes responsive execution of financial instructions.

Voice clone criminals have identified this structural characteristic and are exploiting it directly. By cloning a client's voice and calling the CPA firm — or cloning the CPA's voice and calling the client — they can access the financial flows that the accounting relationship was designed to facilitate. The FBI IC3 2024 Annual Report documented $2.77 billion in Business Email Compromise losses, with financial and professional services firms (including accounting) consistently among the highest-exposure sectors.

The risk is compounded by the high-trust, phone-heavy nature of accounting relationships. Clients frequently call their accountants to discuss financial matters verbally before formal written instructions follow. This means a fraudulent call from a "client" voice fits seamlessly into the existing workflow pattern — it is not anomalous, it is routine.

$16.6B: total cybercrime losses in 2024 (FBI IC3 Annual Report). Professional services firms including CPA and accounting practices are high-exposure targets due to client fund access and trusted verbal relationships.

Attack Patterns Targeting CPA Firms

Client Impersonation: Calling the CPA to Move Client Funds

This is the most direct and highest-value attack pattern. A criminal clones the voice of a client — a business owner, an executive, a trust beneficiary — and calls the CPA firm. The request: authorize a transfer from the client's managed account, escrow account, or business account held under the firm's oversight. The scenario is typically framed with urgency — a deal closing, an IRS penalty deadline, a vendor payment that must clear today.

The CPA staff member on the phone hears the client's voice, on the client's number (spoofed), with a plausible financial scenario. Without a pre-established passphrase or a written-confirmation requirement for wire instructions, the firm processes the transfer. The client calls the next day asking about their account, and the fraud surfaces. Recovery is rare and often incomplete.

Voice clone fraud grew over 400% in 2025. Only 3 seconds of audio — a voicemail greeting, a podcast clip, a prior call recording — is required to produce a convincing clone. Many of a CPA firm's clients are business owners who have publicly available audio from local news, chamber of commerce events, or YouTube.

CPA Impersonation: Calling the Client to Request Funds

The mirror-image attack: a criminal clones the CPA's voice and calls the client. The scenario is typically an "urgent IRS issue" — an unexpected liability requiring immediate payment, a penalty notice that must be addressed before a filing deadline. The cloned CPA voice instructs the client to wire funds to a specific account "that handles IRS remittances." The client, trusting their accountant, complies.

This attack is particularly effective because clients already expect to receive calls from their CPA about tax matters, and urgency around IRS deadlines is completely normal. The attacker does not need to manufacture an implausible scenario — the IRS-urgency pretext is one that every CPA client has experienced in a genuine form.

IRS Impersonation with Voice Cloning

A variant of this attack targets clients directly, using cloned voices of IRS personnel — sourced from publicly available congressional testimony recordings, IRS training videos, or government-posted audio. The sophistication of voice cloning has raised IRS impersonation attacks to a new level of credibility. Clients who previously hung up on robotic-sounding IRS scam calls are now more susceptible when the voice sounds authentic and human.

Deepfake vishing attacks rose 1,633% in Q1 2025 alone (Keepnet Labs). CPA firms whose clients receive these calls face the downstream consequence: clients who send money to fake IRS accounts then call their accountant in distress, expecting help — and sometimes expecting reimbursement if they believe the firm was involved in the communication.

Payroll Client Fraud: Redirecting Payroll Runs

Many CPA firms manage payroll for small business clients. A criminal who knows a firm handles payroll for a client company calls the firm impersonating a client executive, requesting that the next payroll run include a new bank account or that the payroll for specific employees be redirected. (This attack pattern is described in full detail in our guide to voice clone fraud targeting HR and payroll teams.) This attack targets the firm's operational role rather than its investment or escrow access, but can result in substantial losses across an entire payroll run.

Social engineering accounts for 36% of all corporate incident response cases in 2025 (Palo Alto Unit 42). For CPA firms, the social engineering surface is particularly large: clients, vendors, tax authorities, and banking partners all have legitimate reasons to call — and each relationship is a potential attack vector.

Professional Liability: What Happens When a CPA Firm Is the Vector

When a CPA firm acts on a fraudulent verbal instruction and client funds are lost, the firm faces a difficult conversation: did they follow their own documented procedures? If the firm had no written authorization requirement for wire instructions, no passphrase protocol, and no voice verification in place — and they processed a wire based solely on a phone call that sounded like the client — their professional liability exposure is significant.

State CPA boards and professional liability insurers are increasingly scrutinizing the phone verification procedures that firms have in place. A firm that can demonstrate it followed documented procedures — required written confirmation, callback to a verified number, dual authorization — is in a materially different legal position than one that cannot. Implementing the five prevention controls is not just a security measure; it is a professional liability risk management measure.

Prevention Protocol for CPA Firms

Five controls address the core risk. Frame them as standard engagement procedure additions — not security overhead.

01. Pre-agreed passphrase with each client for verbal authorizations

The FBI recommends establishing a pre-agreed, nonsensical passphrase for any verbal authorization that will result in a financial transaction. For CPA firms, establish this passphrase at engagement onboarding — face-to-face or via secure written channel — and make it a firm policy that no wire instruction will be processed from a verbal request unless the passphrase is present. Document this in your engagement letter.

02. Callback on a verified directory number

Never act on wire instructions received in an incoming call. Always hang up and call the client back on a number from your verified client file — not the number that just called you. If the caller spoofed the client's real number, your callback reaches the real client, revealing the fraud. This is the simplest and highest-impact procedural control.

03. Written confirmation required for any wire instruction

A verbal call — even one where the passphrase was used and a callback was completed — is not sufficient authorization to initiate a wire transfer. Require a written instruction from the client's verified email address on file, reviewed by a second firm member, before any wire is processed. The verbal call starts the process; the written confirmation authorizes it.

04. Dual authorization for all wire transfers

No single staff member should have unilateral authority to process a client wire transfer. Require two authorized firm members to review and confirm any wire instruction before it is submitted to the bank. This eliminates the single-point-of-failure that voice clone attackers rely on and provides documentary evidence that the firm followed its procedures.

05. Real-time AI voice detection (Vicall)

Vicall detects synthetic voices on live calls in under one second — on-device, no cloud required. Deploy on the phones of client services staff and any team member who receives client calls about financial matters. When a call comes in from a client's number and Vicall shows SYNTHETIC DETECTED, the call ends before any instruction is recorded or acted upon.
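
Added example (not part of the original article and not any vendor's code): a wire release gate that treats the five controls above as hard preconditions and reports which ones are unmet. The client file, staff list, passphrase, salt and all field names are constructed assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def _kdf(phrase: str, salt: bytes) -> bytes:
    # Normalise the spoken phrase as typed by staff, then stretch it so the
    # client file never stores the passphrase itself.
    norm = " ".join(phrase.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

# Constructed sample data (assumptions): one client record and a staff list.
SALT = b"constructed-demo-salt"
CLIENT_FILE = {"acme": {"phone": "+15550100", "email": "owner@acme.example",
                        "phrase_hash": _kdf("purple walrus teacup", SALT)}}
AUTHORIZED_STAFF = {"alice", "bob", "carol"}

@dataclass
class WireRequest:
    client_id: str
    spoken_phrase: str = ""      # control 01: phrase the caller gave
    callback_dialed: str = ""    # control 02: number staff dialled back
    written_from: str = ""       # control 03: sender of the written instruction
    approvers: set = field(default_factory=set)  # control 04: reviewers
    synthetic_flag: bool = False  # control 05: detector verdict noted by staff

def release_blockers(req: WireRequest) -> list:
    """Return the unmet controls; an empty list means the wire may proceed."""
    rec = CLIENT_FILE.get(req.client_id)
    if rec is None:
        return ["unknown client"]
    blockers = []
    if not hmac.compare_digest(_kdf(req.spoken_phrase, SALT), rec["phrase_hash"]):
        blockers.append("01 passphrase missing or wrong")
    # The inbound caller ID is never consulted: only the dialled-back number counts.
    if req.callback_dialed != rec["phone"]:
        blockers.append("02 no callback to number on file")
    if req.written_from.strip().lower() != rec["email"]:
        blockers.append("03 no written confirmation from email on file")
    if len(req.approvers & AUTHORIZED_STAFF) < 2:
        blockers.append("04 fewer than two authorized approvers")
    if req.synthetic_flag:
        blockers.append("05 synthetic voice flagged on call")
    return blockers
```

A call that passes the passphrase and callback checks still returns blockers 03 and 04, which matches the rule that the verbal call starts the process and the written, dual-reviewed confirmation authorizes it.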

Staff Training for CPA Firms

Front desk and client services staff are the most common first contact for voice fraud attempts targeting CPA firms. These roles receive the highest volume of client calls and are trained to be helpful and responsive — exactly the traits attackers exploit. Only 18% of organizations currently train employees specifically on phone scam recognition, despite this being one of the most cost-effective controls available.

Training for accounting firm staff should explicitly cover three scenarios: (1) a client calling with an urgent wire request during tax season, (2) someone claiming to be from the IRS requesting payment information, and (3) a call from a known client requesting a change to their banking or payroll details. Staff must understand that their job in these scenarios is to follow the verification protocol — not to be immediately helpful. Helpfulness that bypasses verification is how fraud succeeds.

KnowBe4's analysis of 67 million simulated phishing attacks found that training reduces susceptibility by 86% over 12 months. The same behavioral improvement applies to voice-based social engineering when training explicitly covers phone scenarios.

What to Do If Client Funds Move Fraudulently

If a fraudulent wire is discovered — either funds moved from a client account or a client wired funds to a fraudulent account at the firm's supposed instruction:

  1. Immediately contact the sending bank — request a wire recall. Provide full transaction details. This is the highest-priority action; every hour reduces recovery probability.
  2. Contact the receiving bank with destination account details and request a hold.
  3. File a report at ic3.gov (FBI IC3) — if the loss was $50,000 or more within 72 hours, this activates the Financial Fraud Kill Chain. The FFKC froze $561.6 million in 2024 and has a 66% success rate at recovering funds when activated promptly.
  4. Contact your nearest FBI field office directly and reference your IC3 report number.
  5. File an FTC report at reportfraud.ftc.gov.
  6. Notify your professional liability insurer immediately — coverage requirements and reporting timelines vary; do not delay.
  7. Preserve all evidence — call logs, voicemails, emails, bank records. Engage legal counsel before communicating with the client about liability.

Frequently Asked Questions

Criminals gather audio from public sources: business owners who have appeared on podcasts, local news segments, chamber of commerce events, or YouTube videos. They may also use audio from voicemail greetings or prior call recordings if they have gained any access to communications. Just 3 seconds of clean audio is sufficient for modern voice cloning tools to produce a clone convincing enough to pass a listening check by office staff who interact with that client regularly.

When a CPA firm acts on a fraudulent verbal instruction and client funds are lost, the firm faces potential professional liability claims. Whether the firm is liable depends on whether it followed established engagement procedures, including written authorization requirements and out-of-band verification protocols. Firms without documented verbal authorization procedures are significantly more exposed. Professional liability insurers are increasingly scrutinizing voice fraud controls.

Tax season creates natural urgency — deadline pressure is real and familiar to both CPAs and their clients. Criminals exploit this by constructing scenarios that use IRS deadlines as the pretext for an urgent wire: "We need to pay this estimated tax liability today or there will be penalties." Staff are already operating under deadline pressure and less likely to pause for additional verification steps. This is why criminals disproportionately execute CPA-targeting voice fraud between January and April.

Vicall detects synthetic voices on any call the device receives. If the CPA firm's staff receive a call from a client's number that uses a cloned voice, Vicall shows SYNTHETIC DETECTED before any financial instruction is acted upon. For clients who also want protection — for example, business owner clients who may themselves receive a call from someone impersonating their CPA — Vicall can be deployed on client devices as well through the MSP partner portal.

The FBI recommends that any wire transfer instruction received verbally — regardless of whether the voice was verified — be confirmed through a separate written channel before execution. For CPA firms, this means: any client request to move funds must be followed by a written instruction from a verified email address on file, reviewed by a second firm member, before the wire is initiated. The verbal instruction triggers the process; it does not authorize it.
