Why Insurance Is Underestimating Its Voice Fraud Exposure

When people think about fraud in insurance, they think about false claims — a staged accident, an inflated repair estimate, fraudulent medical billing. What the industry is less prepared for is fraud that targets the agency itself: a criminal using AI voice cloning to impersonate an agent, an adjuster, or a carrier representative in order to divert money directly out of the business or away from the policyholder who is owed it.

KnowBe4's analysis of 67 million simulated phishing tests found that the insurance industry has a 39.2% baseline phishing vulnerability rate — meaning nearly four in ten insurance employees clicked on a simulated phishing link before any security training. That figure places insurance second only to healthcare (41.9%) as the private-sector industry most vulnerable to social engineering. Voice-based attacks exploit the same psychological vulnerabilities as phishing, and the insurance industry has almost no defenses designed specifically for them.

The reason insurance is so exposed is structural: agents handle sensitive financial transactions by phone as a matter of routine. Policyholders call to make premium payments. Claims adjusters call claimants to discuss settlement details. Carrier representatives call agencies to handle administrative matters. Phone-based financial communication is not a red flag in insurance — it is the normal operating model. Voice clone fraud simply exploits that normality.

39.2%
Baseline phishing vulnerability rate for the insurance industry — the second highest of any sector (KnowBe4, 67M simulations). Voice-based attacks exploit the same vulnerabilities, with no equivalent of email security filters to provide a safety net.

The Reconnaissance Advantage: Public Regulatory Data

Before a criminal makes a single call, they research the target. In insurance, that research is remarkably easy. State insurance departments publish agent licensing databases that are publicly searchable. These databases typically include the agent's full name, license number, lines of authority, agency affiliation, and business address. National Producer Numbers (NPNs) are federally tracked and searchable through NIPR.

This regulatory transparency — designed to protect consumers — functions as a detailed reconnaissance map for attackers. A criminal who wants to impersonate a specific agent from a specific agency in a specific state can identify that agent in minutes, find their agency website, locate any recorded presentations or video testimonials, and build a voice clone using audio sourced from the agency's public materials. The entire attack preparation can happen before a single call is made.

Voice clone fraud grew more than 400% in 2025, and vishing attacks surged 442% in the second half of 2024 alone (Security Magazine). The insurance industry's public regulatory infrastructure means criminals can identify and target specific agents and agencies with minimal effort.

Attack Patterns Specific to Insurance

Agent Impersonation Calling Policyholders

A criminal identifies an insurance agent using public licensing databases and sources their voice from agency marketing materials — a testimonial video, a recorded webinar, an agency-produced podcast. They then call that agent's policyholders posing as the agent. The script is simple: "I'm calling to update your payment information ahead of your renewal" or "we're migrating to a new billing system and need to collect your updated banking details."

The policyholder, hearing a voice that sounds exactly like their agent and seeing a spoofed caller ID that matches their agent's number, provides the requested information. Premium payments are redirected to a fraudulent account. In some cases, criminals collect ACH information directly, enabling ongoing withdrawals rather than a single wire.

Claims Adjuster Impersonation

After a policyholder files a claim, a criminal posing as the assigned adjuster calls the claimant. The timing is deliberate — criminals monitor public claim filings, social media posts about accidents or property damage, or simply cold-call claimants knowing that many have active claims at any given time. The fraudulent adjuster requests that the claimant provide "updated direct deposit information" to receive their settlement payment. The claimant, eager to receive funds they are legitimately owed, provides the redirect details. The settlement wire goes to a fraudulent account.

Agency Executive Impersonation

A criminal poses as the agency principal or owner and calls the agency's operations or accounting team. The cloned voice requests an urgent wire — a carrier premium payment, a reinsurance deposit, a vendor invoice that "needs to clear today." Operations staff, receiving what sounds like a direct call from ownership, initiates the wire without triggering additional verification. This attack mirrors the CEO voice fraud pattern seen in other industries, adapted to the insurance agency context.

Carrier Representative Impersonation

A criminal poses as a representative from the insurance carrier — the company whose policies the agency sells. They call the agency principal or accounting team claiming to address a "payment discrepancy," an "audit requirement," or a "commission reconciliation." The call is used to extract banking information or financial account credentials, or to obtain authorization for a payment redirection. Because agents interact with carrier representatives regularly, the call pattern does not immediately trigger suspicion.

$2.77B
Lost to Business Email Compromise in 2024 (FBI IC3 Annual Report). Voice-based BEC — using cloned executive voices rather than spoofed emails — is the fastest-growing variant and has no equivalent detection infrastructure in most insurance agencies.

Regulatory Exposure After a Fraud Incident

Insurance agencies operate under state regulatory oversight, and a voice fraud incident that affects policyholders or results in material financial loss may trigger reporting obligations. Requirements vary by state, but most state departments of insurance expect agencies to report incidents that affect the financial interest of policyholders or that constitute insurance fraud under state statutes.

Agencies that fail to report material fraud incidents — or that are found to have inadequate controls that contributed to the fraud — may face additional regulatory scrutiny. Errors and omissions (E&O) carriers should be notified immediately after any incident, regardless of whether a claim is anticipated. Most E&O policies have prompt notification requirements that can affect coverage if not met.

State insurance regulators are increasingly focused on cybersecurity controls. Several states have adopted the NAIC Insurance Data Security Model Law, which includes requirements for written information security programs and incident response plans. Voice fraud that involves the compromise of nonpublic information about policyholders — banking details, policy information, personal data — may trigger obligations under these cybersecurity regulations.

Prevention Protocol for Insurance Agencies

01. Pre-agreed passphrase for internal authorization

Agency principals and operations or accounting staff who handle premium payments and agency wires should establish a pre-agreed passphrase — a random, nonsensical phrase established face-to-face and never shared digitally. Any phone instruction for a wire or payment change that cannot supply the passphrase is not acted on, regardless of voice recognition. The FBI recommends this control explicitly for voice fraud prevention.

02. Callback on verified directory numbers only

Never call back the number that initiated a suspicious request. Before acting on any payment change instruction received by phone, call the agent, adjuster, or carrier representative back on a number from your verified contact directory — not the number that called you. Number spoofing makes the inbound number unreliable. A callback to an independently verified number bypasses the spoofed line.

03. Out-of-band verification for claim settlement redirects

Any request to change banking information for a claims settlement payment must be verified through a completely separate channel from the one that initiated the request. If the request came by phone, confirmation must be provided in writing through the carrier's verified claims portal or a signed, notarized form — not by email alone. Settlement redirect fraud is one of the highest-value attack patterns in the insurance sector.

04. Dual authorization for all agency wire transfers

Require two separate people, contacted through independent channels, to authorize any agency wire transfer above a defined threshold. Neither authorizer should rely solely on verbal phone instruction. This control cannot be bypassed for urgency — the urgency itself is a red flag that the request may be fraudulent.

05. Real-time AI voice detection

Vicall's on-device synthetic voice detection surfaces a REAL VOICE or SYNTHETIC DETECTED verdict in under one second. For agents handling calls from carriers or other agencies, and for operations staff receiving executive instructions, Vicall provides a real-time fraud signal before any payment action is taken. A SYNTHETIC DETECTED verdict ends the call immediately.
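The protocol steps 01 through 04 above can be enforced as a policy gate rather than left to individual judgment. The following is an added example written for this page, not code from the original article or from any vendor: it evaluates a phone-initiated payment change against the passphrase, verified-directory callback, written out-of-band confirmation, and dual-authorization rules. The directory entries, phone numbers, threshold, channel names, and scenarios are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_AUTH_THRESHOLD = 10_000  # assumed agency wire threshold (USD)
WRITTEN_CHANNELS = {"claims_portal", "notarized_form"}  # step 03: never email alone
# Constructed verified contact directory; the numbers are fake samples.
DIRECTORY = {"adjuster:j.doe": "+15550100", "principal:owner": "+15550300"}

@dataclass
class PaymentChangeRequest:
    kind: str                   # "agency_wire" | "settlement_redirect" | "premium_change"
    requester: str              # directory key the caller claims to be
    inbound_number: str         # displayed caller ID, which may be spoofed
    amount: float
    callback_number: Optional[str] = None        # number staff actually dialed back
    passphrase_ok: bool = False                  # step 01, internal wire instructions
    written_confirmation: Optional[str] = None   # step 03 channel used
    authorizers: list = field(default_factory=list)  # step 04: [(person, channel), ...]

def evaluate(req):
    """Return (approved, reasons); any reason blocks acting on the request."""
    reasons = []
    directory_number = DIRECTORY.get(req.requester)
    # Step 02: the confirming call goes to the directory number, never the inbound one.
    if directory_number is None:
        reasons.append("requester not in verified directory")
    elif req.callback_number != directory_number:
        reasons.append("no callback on verified directory number")
    # Step 01: any internal wire instruction must carry the pre-agreed passphrase.
    if req.kind == "agency_wire" and not req.passphrase_ok:
        reasons.append("passphrase missing")
    # Step 03: settlement redirects need written confirmation on a separate channel.
    if req.kind == "settlement_redirect" and req.written_confirmation not in WRITTEN_CHANNELS:
        reasons.append("no written out-of-band confirmation")
    # Step 04: large agency wires need two people on two channels, neither phone-only.
    if req.kind == "agency_wire" and req.amount > DUAL_AUTH_THRESHOLD:
        people = {p for p, _ in req.authorizers}
        channels = {c for _, c in req.authorizers}
        if len(people) < 2 or len(channels) < 2 or "phone" in channels:
            reasons.append("dual authorization over independent channels not met")
    return (not reasons, reasons)

# Constructed scenarios: an "urgent wire" acted on from the inbound call alone, then the
# same wire after the protocol was followed (caller ID matches the directory in both).
URGENT_SPOOFED = PaymentChangeRequest("agency_wire", "principal:owner", "+15550300",
                                      45_000, authorizers=[("ops_clerk", "phone")])
VERIFIED_WIRE = PaymentChangeRequest("agency_wire", "principal:owner", "+15550300",
                                     45_000, callback_number="+15550300", passphrase_ok=True,
                                     authorizers=[("ops_clerk", "in_person"), ("cfo", "portal")])
if __name__ == "__main__":
    print(evaluate(URGENT_SPOOFED), evaluate(VERIFIED_WIRE))
```

Note that a caller ID matching the directory entry passes nothing by itself; only the outbound callback to that directory number counts, which is what defeats spoofing.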

Training for Insurance Staff: The Phone Is the Attack Surface

Only 18% of organizations train employees specifically on phone-based social engineering recognition. For insurance agencies — where phone-based financial communication is the norm — this gap is particularly dangerous. KnowBe4's data from 67 million simulations shows that security awareness training reduces phishing click rates by 86% over 12 months. The same training principles apply to voice-based attacks.

Insurance staff training should cover three specific scenarios: unsolicited payment change requests, urgency-based wire instructions, and "verification" calls that request sensitive information. For each scenario, staff should be trained to recognize urgency as a red flag, to never act on a payment change during the call that requested it, and to verify through an independent channel before proceeding. Simulated vishing exercises — where a trainer calls staff posing as a carrier representative or agency principal — are effective at building these reflexes.

Pretexting now accounts for more than 50% of all social engineering incidents in 2024 and 2025 — the first time it has exceeded phishing as a social engineering vector. Insurance agencies that train only for phishing are leaving their most active attack surface unaddressed.

What to Do If a Fraudulent Wire Is Executed

  1. Call the sending bank immediately — request a wire recall before funds are withdrawn from the receiving account. Speed is the critical variable in recovery.
  2. Call the receiving bank — provide full account details and request a fraud hold on the account.
  3. File an FBI IC3 report at ic3.gov — if the loss is $50,000 or more and reported within 72 hours, this activates the FBI's Financial Fraud Kill Chain, which froze $561.6 million in 2024.
  4. Contact the nearest FBI field office — especially for large losses or if the attack appears coordinated across multiple agencies.
  5. File an FTC report at reportfraud.ftc.gov — contributes to federal fraud tracking and may assist other insurance businesses being targeted by the same actors.
  6. Notify your E&O carrier and state insurance regulator — per your E&O policy's notification requirements and any applicable state cybersecurity law obligations.
  7. Preserve all evidence — call logs, voicemails, any recordings, bank records, and a full written account of what was said during the fraudulent call.

Frequently Asked Questions

According to KnowBe4's analysis of 67 million simulated phishing tests, insurance has a 39.2% baseline phishing vulnerability rate — second only to healthcare at 41.9%. Insurance employees handle large financial transactions by phone routinely, policyholders trust their agent's voice implicitly, and the industry's regulatory filings are publicly searchable, giving attackers a detailed reconnaissance map.

A criminal clones a known insurance agent's voice — often sourced from agency website videos, testimonial recordings, or conference appearances — and calls a policyholder posing as that agent. They claim the policyholder needs to "update payment information" for their policy renewal or provide banking details for a refund. The policyholder, hearing a familiar voice, complies before verifying.

After a policyholder files a claim, a criminal posing as the claims adjuster calls and asks the claimant to provide updated banking information for the settlement payment. The claimant, eager to receive their settlement and recognizing the "adjuster's" voice or number, provides the redirect details. The settlement is then wired to a fraudulent account rather than the claimant's actual account.

Requirements vary by state, but most insurance regulators expect agencies to report material fraud incidents that affect policyholders or result in financial loss. Many state departments of insurance have specific fraud reporting obligations. Agencies should consult their state regulator's guidelines and their E&O carrier immediately after any fraud incident. FBI IC3 and FTC reports are also required steps.

Call the sending bank immediately to request a wire recall. Contact the receiving bank with account details. File an FBI IC3 report at ic3.gov — if the loss is $50,000 or more and filed within 72 hours, this activates the FBI Financial Fraud Kill Chain, which froze $561.6 million in 2024. Contact the nearest FBI field office. File an FTC report at reportfraud.ftc.gov. Notify your E&O carrier and state insurance regulator. Preserve all evidence.
