In early 2024, a finance worker at the engineering firm Arup joined a video call with the company's CFO and several colleagues. He'd been suspicious — an email from the UK office had asked for a "secret transaction", which smelled like phishing. But on the call, everyone looked right and sounded right, so he put the doubt aside and made fifteen transfers to five Hong Kong bank accounts. HK$200 million — about US$25 million. Every other person on that call was a deepfake.
That was two years ago, with two-year-old tools. It hasn't got harder since.
The raw material is your voice
A detailed piece at Smarter Articles, "The Three-Second Theft", lays out the current state of it: roughly three seconds of recorded audio is enough to clone a voice convincingly. In 2025 the FBI logged more than 22,000 AI-linked fraud complaints totalling US$893 million, and INTERPOL puts global fraud losses at US$442 billion — with AI-enhanced scams running about 4.5 times more profitable than the traditional kind. One security founder quoted in the piece puts the economics plainly: "One guy in a room with a keyboard can make an infinite number of attackers."
The part that should change your behaviour is what the forensics people say. Hany Farid, one of the world's leading deepfake-detection researchers, describes trying to distinguish synthetic audio from real as feeling like he's "going blind". If the experts can't reliably spot a fake, "listen carefully and you'll catch it" is not a defence. Detection has lost the arms race.
So what actually works
The squad's read: stop trying to spot fakes and start starving them. A clone is only as good as the source material and only as effective as your verification habits are weak.
- Verify out-of-band. Any request to move money or credentials gets confirmed on a channel you already had — a number you dialled yourself, in person, never the channel the request arrived on. The Arup fraud died the moment someone rang head office; it just happened after the money left.
- Agree a code word. Family, founders, finance team. A cloned voice knows what you sound like, not what you agreed at dinner.
- Treat urgency plus secrecy as the tell. "Confidential, and it has to happen today" is the signature of the scam, not of real business.
- Starve the harvesters. Your calls are the training data. Audio and video crossing hotel Wi-Fi, airport networks and conference infrastructure can be captured at the network layer — you don't have to be targeted, just recorded.
Built for exactly this.
That last point is why we built SilentRabbit — a VPN purpose-built for calls. It wraps your call apps in an encrypted WireGuard tunnel the moment a call starts and steps aside when it ends, so your voice and video never cross a hostile network in the clear. No harvest, no training data, no clone. Australian jurisdiction, no traffic logs.
None of this requires new technology on your side. It requires deciding, before the phone rings, that no voice — however familiar — is proof of anything. Transmission ends.