Experiment 003: We impersonated a CEO using only free AI tools
We cloned a CEO's voice in 47 minutes using a 90-second clip from a public earnings call. Then we sent the audio to three employees with an urgent wire transfer request. Two acted on it. One almost completed the transfer. This is the exact methodology — and what stops it.
The setup
No exotic tools. No dark web access. No technical expertise beyond knowing how to copy a YouTube URL. The entire attack used services any teenager with a browser can access today: ElevenLabs for voice cloning (free tier), GPT-4 for the email body, and a throwaway domain registered for £8. Total cost: £8. Time from zero to operational: 47 minutes.
The attack surface
Most executives have significant public audio online. Earnings calls, conference talks, podcast appearances, investor briefings. We pulled 90 seconds from a publicly available investor presentation on YouTube — clear diction, minimal background noise, ideal cloning conditions. This is entirely standard. You do not need more. The voice model requires under two minutes of clean audio to produce a clone that passes casual listening.
Test result
The clone passed a blind listening test
4 out of 5 people who heard the cloned audio could not identify it as synthetic. The fifth wasn't sure. None of the three test participants in the impersonation exercise flagged the voicemail as suspicious before acting on it.
The campaign
We wrote the email with GPT-4. Prompt: 'Write a brief, urgent email from a CEO to their CFO requesting a same-day bank transfer for a confidential acquisition. Formal but direct. Do not specify an amount.' We added company-specific context from LinkedIn — the CFO's name, the company's current initiative, the CEO's known communication style. The email landed in the inbox, not spam. The attached 23-second voicemail instructed the CFO to 'sort the paperwork and confirm receipt.'
What happened
Three consenting employees across three organisations, as part of agreed security awareness assessments. Two initiated the transfer process and reached the payment authorisation screen before stopping per protocol. One replied by email asking for clarification. None flagged the message as suspicious before responding. These were not inexperienced employees — one was a senior finance manager with 12 years in the role.
Why it worked
Plausibility is the attack vector
The attack succeeded because it was contextually accurate, urgent, and matched the communication style of the apparent sender. The human brain is not built to be suspicious of a familiar voice giving a plausible instruction. The employee's job is to act on instructions from the CEO. That is exactly what they did. The failure mode is structural, not individual.
What stops it
The answer is not primarily technical. AI voice detection software exists but is expensive, fragile, and consistently lags the attack tools. What actually stops this attack: call-back verification. Any financial instruction received by digital channel must be confirmed by calling the sender back on a pre-registered number — not the number in the message. One additional step. Every time. No exceptions.
Implement now
The two-channel verification rule
Any financial instruction received digitally must be confirmed by calling back on a pre-registered number. Cost: zero. Implementation time: one policy document and a 30-minute team briefing. Effectiveness: near-total against this attack class. If you implement one thing from this article, make it this.
The takeaway
This attack is already running against businesses at scale — not by sophisticated state actors but by opportunists with a browser and an afternoon. The tools are free. The intelligence is public. The attack surface is any executive with a public voice recording. If you haven't implemented call-back verification for financial instructions, you haven't defended against this. That is not a criticism. It is a to-do item. Check it off this week.