There’s a phone call doing the rounds that small business owners in the UK need to know about. It sounds exactly like your MD, your accountant, or a trusted supplier. The voice, the cadence, even the slight regional accent — all spot on. But here’s the thing: it’s not them. It’s an AI, built from a 30-second clip scraped off a LinkedIn video or a podcast appearance, and it’s calling to ask you to move money somewhere fast.

AI voice cloning fraud, sometimes called vishing (voice phishing), has surged by over 90% in the UK in the past year. And while you might assume this is a problem for big banks and multinationals, the reality is that small businesses are often the easier target. You don’t have a dedicated fraud team. You probably don’t have a written protocol for verifying unexpected payment requests. And you trust the people you work with — which is exactly what attackers are counting on.

How the scam actually works

The 2026 playbook is pretty consistent. Criminals use cheap, consumer-grade AI tools (some subscriptions cost less than £30 a month) to clone someone’s voice from publicly available audio. Your company website’s intro video, a YouTube interview, an awards ceremony clip — any of it will do. With as little as 30 seconds of clean audio, attackers can generate a synthetic voice that will fool most people on a phone call.

Then comes what’s being called the “triad of urgency”: authority, urgency, and secrecy. The call impersonates someone you trust (your boss, your finance director, your IT supplier), presents a crisis that needs to be handled right now, and asks you not to discuss it through normal channels. By the time the real person is back at their desk, the money has moved — often through cryptocurrency or international transfers that are nearly impossible to claw back.

One engineering firm in Birmingham reportedly lost £340,000 this way after a single call replicated the managing director’s voice. The person who answered had no reason to doubt it. That’s the brutal part.

Why your business is an attractive target

Large corporations have layers of financial controls, dual-authorisation requirements, and dedicated fraud teams. If you’re running a small business in the UK, you almost certainly rely on something far simpler: the fact that you recognise the voices of the people you work with.

In a busy office, if someone who sounds like your director calls and says “I need you to sort a BACS transfer before end of day — don’t run it through the usual process, this is sensitive”, a surprising number of people will just do it. That gap between “I know this voice” and “I’ve actually verified who I’m speaking to” is where millions of pounds are being lost right now.

Action Fraud received thousands of reports of AI-assisted fraud in the first quarter of 2026 alone, and the NCSC has flagged AI-enhanced social engineering as one of the fastest-growing threat categories facing UK organisations.

The red flags to look for

To be honest, the traditional red flags for phone scams — poor grammar, suspicious accents, odd phrasing — don’t apply anymore. The AI is fluent and sounds local. So you need a different set of signals.

Watch out for any call that combines a payment or data request with “don’t tell anyone about this yet” or “skip the usual process just this once”. Legitimate urgent requests don’t come with instructions to bypass your normal approvals. If someone’s asking you to do something unusual and also asking you to keep it quiet, stop and verify before acting.

Also watch for calls from unexpected numbers, calls timed right before a holiday or at end of day when managers are hard to reach, and any request involving new bank accounts or last-minute changes to payment details.

What you can actually do about it

The good news is you don’t need an expensive solution. You need a simple, agreed process — and everyone in your team to know about it.

Start with a callback rule for any out-of-the-ordinary payment or data request. If someone calls asking you to transfer money, hang up and call them back on a number you already have on record — not one they’ve given you on the call. This one step alone would stop the majority of voice cloning attacks dead.

Consider a codeword system with your directors and close colleagues. It sounds spy-novel, but plenty of businesses use one now. If a caller claiming to be your finance director can’t produce the word, you verify before acting.

The NCSC’s free Cyber Action Toolkit is well worth a look — it covers social engineering defences in plain language and can be worked through in an afternoon. A 20-minute team meeting walking through a realistic example is often enough to shift behaviour; you don’t need an external training company.

For businesses handling significant transactions, check whether your bank offers confirmation of payee and dual-authorisation for large BACS payments. Most UK high street banks provide this at no extra cost.

Report it if it happens to you

If you or someone in your team falls for one of these calls, report it to Action Fraud (actionfraud.police.uk) straight away. Speed matters — banks have a narrow window to attempt a recall. Also report to the NCSC, particularly if the attack seemed targeted, as this helps them track emerging patterns.

Fair enough, no security measure is foolproof. But the businesses getting hit by AI voice fraud in 2026 aren’t failing at complex technical challenges — they’re missing a simple process: pause, verify, then act. Build that habit into your team now, before someone on the other end of the phone tests whether you have it.