In summary: AI-powered voice cloning has become inexpensive, bringing “CEO fraud” back into the spotlight and putting small and medium-sized businesses in the crosshairs. The good news: a properly implemented verification process can mitigate most of the risk without requiring a significant investment.
What Happened
The threat is no longer just theoretical. On April 27, 2026, the Banque de France and the ACPR issued a warning about fake videos impersonating their own executives—including Governor François Villeroy de Galhau—to promote fraudulent investments. The authorities’ message is clear: no official at the Banque de France recommends financial products.
What has changed is the cost. A voice cloning subscription now costs between 5 and 50 euros per month, and spoofing a phone number costs just a few cents through VoIP services. An SME with 20 to 100 employees has therefore become a profitable target, just like a large corporation. According to a Yousign report published in 2026, a deepfake fraud attempt occurs every five minutes in France. A Regula study, cited by the DGSI in its January 2026 report on economic interference, indicates that 49% of companies worldwide say they have already been the target of a fraud attempt involving an audio or video deepfake.
The most widely discussed case remains that of an employee who was tricked during a completely rigged videoconference: with his executives’ faces and voices cloned, he authorized wire transfers totaling the equivalent of several tens of millions of euros. The case involved a large company, but the same mechanism works on every scale.
Does this apply to me?
The issue isn't the size of your company, but your payment process. Any company that pays invoices via wire transfer can be targeted. The vulnerable link is the person who can initiate a payment: accounting, finance, or executive support.
There are a few red flags that almost always crop up. A sense of urgency (“This has to go out today”). A request for confidentiality (“Don’t tell anyone about this just yet”). A last-minute change to the IBAN. An unusual communication channel, such as a phone call or video call when your manager usually communicates via email. A contact who puts pressure on you and cuts you off when you ask questions.
To see where you stand, test your own process. Ask an employee what they would do if, at 5 p.m. on a Friday, they received a call from the “executive” requesting an urgent and discreet wire transfer. Their answer will tell you whether your procedure holds up, or whether it relies on trust in a voice on the phone.
What to Do Now
1. Require independent double verification. No sensitive transfer is authorized without validation through a second channel specified in advance: a callback to the requester’s registered internal number, or dual signatures. This rule deprives the attack of its main weapon: voice cloning.
2. Implement a process for verifying changes to bank account information. Establish a formal written procedure: any new IBAN or change to a supplier’s account information must be verified by contacting a known representative directly—never based solely on the information provided in the message.
3. Train your teams and set up your Microsoft environment. A short awareness session and an internal “verbal password” are enough to instill the right habits. On the technical side, enable multi-factor authentication on Microsoft 365, monitor automatic email forwarding rules, and keep an eye out for unusual logins. These basic measures also help limit email spoofing, which often accompanies these scams. To learn more about targeted attacks, see our guide on spear-phishing: understanding, detecting, and protecting against it.
Not sure about your exposure?
Get an update from an IT Systems expert
A quick assessment of your exposure and the steps you should take. No obligation.
In a nutshell
The threat is real, but the solution is inexpensive. A double-checking policy and a shared sense of vigilance can thwart most attempts, even when the voice sounds perfectly credible. Well-prepared teams remain your best defense—far more so than any tool.
Frequently asked questions
Can you tell if a voice has been cloned over the phone? It’s getting harder and harder to tell just by listening. It’s best not to rely on the voice alone and to call the person back using a number you know before taking any action.
Do deepfakes target only large corporations? No. Falling costs make small and medium-sized businesses profitable targets, often because their payment procedures are less secure.
— Samir Amara, CEO — IT Systèmes



