Why Construction Is a Prime Target for Voice Clone Fraud
Construction is a cash-flow-intensive industry with a structural exposure to fraud that most other sectors do not share. A single commercial project involves dozens of vendors, subcontractors, material suppliers, and inspection bodies — each expecting payments on tight timelines. Project managers routinely authorize changes verbally, accounting departments process payments under schedule pressure, and new contact relationships are formed on nearly every project.
This environment is exactly what voice clone criminals look for. Business Email Compromise (BEC) has long targeted construction — the FBI IC3's 2024 Annual Report documented $2.77 billion in BEC losses across all sectors, with construction consistently ranked as a high-exposure vertical due to its large wire volumes and fast payment cadence. Now, criminals have added AI voice cloning to the attack chain. Instead of relying on a spoofed email alone, they follow it up with a live phone call — using a cloned voice of the project manager, GC, or owner — to confirm the fraudulent instruction verbally. Many smaller construction firms also face the same structural weaknesses as other small businesses targeted by voice clone fraud, where a single employee with payment access is the only line of defense.
The effect is devastating. An accounting department that might have paused on a suspicious email will often override their hesitation when they hear their project manager's voice confirming the same instruction. Voice is the trust layer that email lacks — and criminals know it.
How the Attack Actually Works: A Construction Scenario
Here is how a typical voice clone construction fraud unfolds, based on documented attack patterns reported to the FBI:
Phase 1 — Reconnaissance. The attacker researches the target firm. They identify who the project manager is (LinkedIn, the company website, a project announcement press release), who handles accounting, and what projects are currently active. They find audio of the PM from a community meeting recording, a YouTube project walkthrough, or even a voicemail greeting. Just three seconds of audio is sufficient for modern voice cloning tools to produce a workable clone — and three seconds is a typical voicemail introduction.
Phase 2 — Email setup. The attacker sends a spoofed email — appearing to come from the PM or GC — to the accounting department, noting that a subcontractor has changed their banking details and the next payment should go to a new account. This email creates the "paper trail" the attacker will reference on the voice call.
Phase 3 — The voice call. The attacker calls the accounting department using a spoofed caller ID matching the PM's number. Using real-time voice conversion, they speak in the cloned PM voice, confirming the email: "Hey, just wanted to make sure you got my email about the new banking details for [Subcontractor]. We need that payment to clear before Friday or we lose the crew." The voice is the PM's. The number is the PM's. The accounting team processes the payment.
Phase 4 — Discovery. The real PM contacts the subcontractor about payment. The subcontractor confirms they never received it. By then, the funds have cleared to an account controlled by the attacker.
Humans correctly identify deepfake audio only about 48% of the time — no better than a coin flip. Trained accounting staff are not more accurate than untrained listeners. The voice sounds exactly right because, acoustically, it is an extremely accurate copy.
Change Order Fraud: The Construction-Specific Attack Vector
Change orders are a uniquely vulnerable part of construction workflows. On active job sites, verbal change order approvals happen constantly — a PM calls the foreman, an owner calls the PM, a GC calls the subcontractor. The expectation that significant changes will be verbally discussed before paperwork follows is deeply embedded in construction culture.
Criminals exploit this by using a cloned voice to verbally "approve" a fraudulent change order, then following up with fabricated paperwork. The sequence looks legitimate: the accounting team received a call from the PM approving the change, and now here is the invoice. Without a system to verify that the PM's voice was real — not a synthetic clone — there is no reliable point of detection in the existing workflow.
Vishing (voice phishing) attacks surged 442% between the first and second half of 2024, according to Security Magazine, and deepfake vishing specifically rose 1,633% in Q1 2025 alone, per Keepnet Labs. Change order fraud using voice cloning is not a theoretical risk — it is an active, documented attack pattern.
Supplier Impersonation: The Banking Detail Redirect
The second major attack pattern targeting construction is supplier impersonation. A criminal calls the accounts payable department posing as a known material supplier or subcontractor — using a cloned voice if they have audio, or simply using urgency and social engineering if they do not. The request: "We've changed our banking details. Can you update before you process next week's payment?"
This attack works because accounts payable staff field exactly this type of call legitimately, regularly. Suppliers do change banks. The request is routine. Without a verification protocol requiring callback to a known number from a verified directory (not the number that just called you), the change is made and the next payment is redirected.
When a real-time voice clone is used, the caller sounds exactly like the supplier contact the AP team has spoken with for years. Suspicion is essentially zero.
Prevention Protocol for Construction Firms
Five controls stop the vast majority of voice clone construction fraud. They require no technology beyond what most construction firms already have — except for the last one, which is Vicall.
Pre-agreed passphrase (FBI-recommended)
Establish a random, nonsensical passphrase between the project owner and PM, and between PM and accounting, face-to-face before a project begins. Any verbal authorization for a payment or banking change must include this phrase. If it's absent, treat the call as suspicious and verify out-of-band before acting. Do not share the phrase by email or text.
Callback on a verified directory number
Never call back the number that called you — a spoofed number routes to the attacker. Always verify a payment or banking change by calling the PM, GC, or supplier on a number from your internal directory or a previous invoice — a number you have independently verified as correct.
Out-of-band verification for any wire or banking change
Any instruction to change a payment destination or initiate a wire transfer must be verified through a completely separate channel — for example, an email thread already in progress with the real contact, or an in-person confirmation. A voice call alone — even from a number you recognize — is never sufficient authorization for a banking change.
Dual authorization for all wire transfers
No single employee should have unilateral authority to process a wire transfer or change a vendor's banking details. Require two authorized people to confirm any payment above a threshold you set — typically $5,000 or more in a construction context. This eliminates the single point of failure that attackers rely on.
Real-time AI voice detection (Vicall)
Vicall detects synthetic voices on live phone calls in under one second — on-device, with no cloud required. When accounting receives a call from the PM's number and Vicall shows SYNTHETIC DETECTED, the call ends before any instruction is acted upon. Deploy on mobile phones used by accounting and office staff, and use the Mac mini on-premises deployment for analog office lines.
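The first four controls above can be enforced as a release gate in an accounts-payable workflow, so that a convincing voice and a matching caller ID earn no credit on their own. The Python below is an added example, not code from Vicall or the FBI; the directory entries, field names and channel labels are constructed assumptions.

```python
import re
from dataclasses import dataclass

DUAL_AUTH_THRESHOLD = 5000  # USD; the threshold the text suggests for construction

# Constructed sample directory: numbers verified independently before any request.
DIRECTORY = {"pm-jordan": "+1 (555) 010-0142", "acme-concrete": "+1 555 010 0177"}
OOB_CHANNELS = {"in_person", "existing_email_thread"}  # assumed channel labels

def digits(number):
    """Reduce a phone number to digits so formatting differences cannot hide a mismatch."""
    return re.sub(r"\D", "", number or "")

@dataclass
class PaymentChange:
    contact: str                  # who the instruction claims to come from
    amount: float                 # USD value of the wire or redirected payment
    inbound_caller_id: str        # recorded for evidence only; never trusted (spoofable)
    callback_number: str = ""     # number staff actually dialed to confirm
    passphrase_given: bool = False
    oob_channel: str = ""         # separate channel used to confirm, if any
    approvers: tuple = ()         # employees who signed off

def blocking_reasons(req):
    """Return the unmet controls; an empty list means the change may proceed."""
    reasons = []
    known = digits(DIRECTORY.get(req.contact, ""))
    if not req.passphrase_given:
        reasons.append("passphrase missing")
    # Only a callback placed to the directory number counts, not the inbound number.
    if not known or digits(req.callback_number) != known:
        reasons.append("callback not made to directory number")
    if req.oob_channel not in OOB_CHANNELS:
        reasons.append("no out-of-band verification")
    # set() collapses one person approving twice into a single approval.
    if req.amount >= DUAL_AUTH_THRESHOLD and len(set(req.approvers)) < 2:
        reasons.append("dual authorization incomplete")
    return reasons

if __name__ == "__main__":
    # Constructed case mirroring Phase 3: spoofed PM number, no callback made.
    spoofed = PaymentChange("pm-jordan", 48000, "+15550100142")
    print(blocking_reasons(spoofed))
```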
What to Do If Your Firm Is Attacked
Speed is everything. Wire fraud recovery drops dramatically after the first 24 hours. If you discover a fraudulent wire has been sent:
- Immediately contact your sending bank — request a wire recall. Give them the full transaction details. Every minute matters.
- Contact the receiving bank with the full account details the funds were sent to and request a hold.
- File a report at ic3.gov (FBI IC3) — if the wire was $50,000 or more and the report is filed within 72 hours, this activates the Financial Fraud Kill Chain (FFKC), which has a 66% success rate at freezing funds. The FBI FFKC froze $561.6 million in 2024. Most construction owners have never heard of this process — it is the single most important action after a fraud event.
- Contact your nearest FBI field office directly and reference your IC3 report number.
- File an FTC report at reportfraud.ftc.gov.
- Preserve all evidence — call recordings, email threads, voicemails, bank statements, and any communication related to the fraud. Do not delete anything.
The FBI's Financial Fraud Kill Chain has a 66% success rate when activated within 72 hours for fraud of $50,000 or more. Filing at ic3.gov within that window is the single most impactful action a construction firm can take after a wire fraud event.
How Vicall Works for Construction Companies
Construction firms operate across multiple locations and device types — mobile phones on job sites, desk phones in the main office, and sometimes analog lines in older buildings. Vicall is designed to cover all of these:
- Mobile phones (job sites and office staff): Install the Vicall app on the smartphones used by accounting, project management, and anyone with payment authority. Vicall runs entirely on-device — no internet connection required for detection, no audio is sent to the cloud.
- Analog office lines: Vicall's on-premises Mac mini deployment connects to your main office phone line and provides the same real-time synthetic-voice detection for calls coming in on traditional phone systems. No new hardware replacement required — Vicall works alongside your existing phones.
- Any phone: Because Vicall detects the voice in the audio stream of the call, it works regardless of what phone system or carrier is being used on either end.
When accounting receives a call from the project manager's number and Vicall shows SYNTHETIC DETECTED, the call ends. The wire instruction never gets acted upon. The attack fails.
Frequently Asked Questions
Criminals gather audio from public sources: company videos, local news coverage, LinkedIn posts, YouTube walkthroughs, and even voicemail greetings. On large projects, PMs often appear in community meetings or public permitting hearings recorded online. Only 3 seconds of audio is now sufficient for many modern voice cloning tools to produce a convincing clone — and 3 seconds is a typical voicemail introduction.
Change order fraud — using voice cloning to verbally authorize a fraudulent change order or redirect a payment — is an increasingly documented attack vector in construction. The FBI IC3 has flagged construction as a high-risk BEC sector. The combination of voice authorization culture, large transaction sizes, and time pressure makes construction particularly exposed.
The FBI's Financial Fraud Kill Chain (FFKC) is a rapid-response process that, when activated within 72 hours of a fraudulent wire of $50,000 or more, has a 66% success rate at freezing the funds before they can be withdrawn. Construction firms that suffer a fraudulent wire must immediately contact their sending bank AND file a report at ic3.gov to activate this process. Most firms are unaware this option exists.
Yes. Voice cloning attacks are executed over regular phone calls — the attacker uses real-time voice conversion software on their end while calling any phone number, including cell phones. Any mobile device used on a job site can receive a voice-cloned call. Vicall's mobile app provides on-device detection on smartphones, and an on-premises Mac mini deployment covers analog office lines.
Establish the passphrase face-to-face or via a secure channel — not over the phone or email. Choose a random, nonsensical phrase that would never come up naturally in conversation (e.g., "blue wheelbarrow Tuesday"). Any verbal authorization for a payment change or wire transfer must include this phrase before action is taken. If the phrase is absent, the call must be terminated and the request verified through a separate channel.