Voice cloning is no longer a lab curiosity. With AI tools able to imitate a tone, pace, or intonation in minutes, a fraudulent call can sound far more credible than a traditional spam call. The right response is not panic. In 2026, the most useful approach is to rely on a series of simple checks to verify that the caller is really human and really who they claim to be.
France's CNIL notes that deepfakes are becoming increasingly realistic, while the CNIL's LINC and the PEReN are working specifically on practical countermeasures that ordinary users can apply when facing a deceptive exchange. The same logic applies to voice-only calls: look for signals, slow down the decision, and regain control of the conversation. For the wider context, you can revisit our article on generative AI and voice cloning in phone spam.
Why voice-cloned calls are easier to trust
A classic scam call often sounds scripted, rushed, or mechanically aggressive. A voice-cloned call can instead reuse a familiar voice, a first name, a family or work context, and a reassuring tone. That mix is what makes it dangerous: trust is created before the content is verified.
The risk increases even more when the call creates artificial urgency: a transfer to approve, a relative in trouble, a password to share, a one-time code to read out, or an IBAN change to validate immediately. In those scenarios, your best ally is a method. The eight checks below are designed to break the pace imposed by the fraudster.
1. Ask for a non-public detail
Your first test is to ask for information the real person knows but a fraudster or cloned-voice system is unlikely to recover easily from social media or public databases. That may be a recent context detail, an internal reference, a precise memory, or a fact agreed in advance inside the family or company.
The goal is not to trap someone for sport. It is to move the exchange onto ground the attacker does not control well. A convincing voice does not imply genuine knowledge of the situation.
2. Break the urgency and call back through a known channel
A legitimate caller will almost always tolerate you hanging up and calling back through a saved number, a switchboard, or an official channel. This one habit eliminates a large share of opportunistic fraud. If the caller refuses, accelerates, or tries to make you feel guilty, treat that as a strong warning sign.
For businesses, this point is crucial: no employee should validate a sensitive action based only on a live voice. The safer practice is to anchor the request in a known workflow, such as an internal directory, CRM, or team messaging system.
3. Request an unexpected action during the call
The LINC explains that human countermeasures matter because they introduce checks or gestures that disrupt a deceptive exchange. On a phone call, that can mean asking the caller to rephrase without reading, to restate the exact purpose of the latest exchange, or to confirm something that was not part of the original script.
A synthetic system or a well-briefed fraudster may handle the first seconds of a call convincingly. They often become less fluid when forced into an unexpected branch, especially when that branch requires real context rather than a credible tone.
4. Never share codes, passwords, or banking validations on the spot
This is the most important rule. A reassuring or familiar voice should never be enough to obtain a one-time code, MFA approval, password, bank details, or payment instruction. Many scams work because the victim feels they are helping someone they know quickly.
If the request touches money, access, or sensitive data, the verification must become multi-channel and traceable. In a business setting, that ties directly to the authenticity issues discussed in our article on AI voice and the authenticity challenge.
5. Listen for coherence more than resemblance
Many victims say afterward: “yes, it sounded like their voice.” That is understandable, but not enough. A better test is to assess the overall coherence: the vocabulary used, the logic of the request, the level of detail, the hesitations in the right places, and whether the call matches the person's actual habits.
A very similar voice can still carry an incoherent message. Conversely, a slightly degraded voice on a bad line can still belong to the real person. Judge the call on the full set of signals, not on tone alone.
6. Ask one closed question and then one open question
A practical technique is to chain two types of questions. First, ask a closed question to test a simple immediate answer. Then ask an open question that forces the caller to develop the answer in their own words. That rhythm change often reveals whether the conversation remains natural.
Example: “Which file are you calling about?” then “Explain exactly what happened since this morning.” A vocal imitation may survive the first answer and collapse on the second.
7. Keep a record if the call feels fraudulent
If you suspect a scam attempt, note the time, the displayed number, the stated reason, and what was requested. If the doubt is serious, these traces will help you report the incident or warn the people concerned. Official platforms can then point you to the right reporting route.
On that topic, our guide “J'alerte l'ARCEP, 33700, Bloctel: which reporting route for which type of spam?” helps identify the right channel. You can also review our resources to structure internal procedures.
8. Prepare a protocol before you need it
The most effective reflex often starts before the call. Families, executives, assistants, finance teams, and support teams can define a simple rule in advance: never approve a sensitive action without a callback, never share a code orally, always require cross-verification for urgent requests. That protocol drastically reduces the fraudster's power of surprise.
In other words, the best defence against voice cloning is not only technical. It depends on routines. That is also what separates durable vigilance from improvised reaction after an incident.
Quick checklist to keep in mind
- Ask for a non-public detail.
- Hang up and call back through a known channel.
- Refuse any urgent decision without a second verification.
- Never share a code, password, or banking validation orally.
- Assess the coherence of the request, not just the voice.
- Record useful details if the call looks suspicious.
Quick FAQ
Is a familiar voice enough to authenticate a call?
No. A voice can be imitated or taken out of its context. You still need to verify the request, the channel, and the concrete details.
What is the best reflex when the caller creates urgency?
Break the urgency, hang up, and call back through a number or official channel you already trust.
Where should I report a suspicious attempt?
That depends on the case: operator reporting, spam-SMS channels, or official public support services. The verified sources below help guide the next step.
Verified external sources: CNIL - Deepfake (hypertrucage): how to protect yourself and report unlawful content, LINC / PEReN - practical checks to detect deepfakes, 17Cyber - official cyber-assistance platform.