Deepfake phone calls are no longer a novelty. They are being used to make scam calls sound convincingly human and dangerously familiar. Which? reports that a Hiya survey found a significant share of UK consumers said they received a deepfake voice call in the past year, with many victims going on to lose money or share personal information.

For employers, the risk is bigger than a single employee being tricked. One call can trigger a payment, expose a one-time passcode, or open the door to account takeover. The goal is simple: get someone in your business to do something they would never normally do.

What are deepfake phone calls?

Deepfake phone calls use AI to imitate a real person’s voice. In a deepfake call scam, the caller may sound like a colleague, a director, your IT team, your bank, HMRC, or a mobile provider. The best versions are good enough to bypass instinct, especially when the scammer adds urgency and plausible details.

You will also hear these described as deepfake voice calls, AI scam calls, or AI voice-cloning scams. In the UK, searches like “voice cloning scam UK” and “vishing” reflect the same problem: voice-based phishing designed to get credentials, payments, or approvals.

Why deepfake calls are a business risk (not just a personal one)

Deepfake phone calls create business impact because they target processes, not people.

Common outcomes include:

  • Payment authorisation scams, often framed as urgent supplier payments or “today only” approvals.
  • CEO fraud and executive impersonation calls, which use authority and time pressure to bypass normal checks.
  • One-time passcode scams, where the caller asks you to read out a code “to verify your identity”.
  • Account takeover via phone call, where the scammer uses information gained on the call to reset email, banking, payroll, or CRM access.
  • SIM swap and porting fraud as a follow-on, where criminals try to gain control of a number to intercept texts and verification codes.

This is why strong fraud prevention is not just about spotting a fake voice. It is about having a clear, repeatable process to verify who is calling.

The red flags employees should listen for

Deepfake calls usually sound calm and professional. Pay attention to what is being asked, rather than the caller’s accent or tone.

Red flags include:

  • The caller asks for a one-time passcode, verification code, or password reset code.
  • They ask you to bypass policy “just this once”.
  • They create urgency and secrecy: “do not tell anyone”, “I need this in five minutes”.
  • They refuse a call back or give a new number to call.
  • They ask for changes to bank details, payment destinations, or supplier onboarding steps.
  • They push you to install an app, click a link, or approve a login you did not initiate.
  • They claim to be a mobile provider and request account security answers or ask you to authorise SIM activity.

If you notice two or more warning signs, assume it is an impersonation scam call until you can confirm otherwise.

What to do during a suspected deepfake call

Deepfake phone calls are designed to make you act fast and skip checks. Your best defence is a calm, repeatable process that any employee can follow.

1) During the call: stop the scam in under 30 seconds

Use a short script and then end the call.

Say

  • “I can’t action this on an inbound call.”
  • “I will call you back using our trusted contact details.”

Do

  • Hang up. Do not stay on the line to be convinced.
  • Do not share any one-time passcode, verification code, password reset code, PAC, or security answer. If the request is for a code, treat it as a scam. (ncsc.gov.uk)

Call back safely

  • Use a number from your internal directory, your supplier list, your contract pack, or the organisation’s official website.
  • If the caller claims to be your bank, stop, hang up, and call 159 to reach participating banks safely (Stop Scams UK) or dial the number from the back of your card.
  • If you are calling back on the same phone, wait 10 to 15 minutes first. This is a practical step highlighted in UK consumer guidance because some scammers try to keep a line open. (Which?)

2) Immediately after the call: contain the risk

If you did not share details or take any action, still report it internally so patterns can be spotted early.

If you did share information or approve something, act quickly:

If you shared a code or clicked a link

  • Change the affected password immediately.
  • Sign out of all sessions where possible.
  • Tell IT to review recent sign-ins, MFA changes, and mailbox rules.

If you made or approved a payment

  • Tell Finance straight away.
  • Use your bank’s fraud route. If the call claimed to be from your bank, call 159 and ask to be put through to your bank’s fraud team. (Stop Scams UK)

If the call involved mobiles, SIMs, or account access

  • Contact your mobile provider using the account contacts you know.
  • Ask them to check for any SIM swap or porting activity and lock down account changes where possible.

3) Report it externally: make it harder for scammers to reach others

Report suspicious numbers to your network

  • Report scam texts and scam mobile calls by forwarding details to 7726. This alerts your mobile provider, which can investigate and potentially block the sender. (www.ofcom.org.uk)

Use trusted guidance for business communications

  • Build your internal scripts and customer-facing comms around NCSC best practice so staff and customers have a clear way to verify messages and calls. (ncsc.gov.uk)

4) Record it internally: one process, one voice

Log the incident in a simple template:

  • Date and time
  • Number displayed and channel (mobile, WhatsApp, Teams, landline)
  • Who they claimed to be (CEO, IT, bank, HMRC, mobile provider)
  • What they asked for (payment, code, SIM change, credentials)
  • What action was taken (hung up, called back, reported to 7726, notified IT/Finance)

This keeps your response consistent and helps you tighten controls without adding friction for staff.

A simple company policy that blocks most deepfake fraud

Deepfake defence works best when it is written down, trained, and enforced.

Adopt these rules as a short fraud prevention policy for employees:

Rule 1 – No action on inbound calls for sensitive requests
No payments, bank detail changes, password resets, MFA changes, SIM swaps, porting requests, or supplier changes are actioned from an inbound call or message.

Rule 2 – Two-person approval for money movement
Any payment or bank detail change requires two authorised people and a documented check.

Rule 3 – Call back on trusted numbers only
Employees must use known contact details. Never use a number provided during the call.

Rule 4 – A standard procedure to verify caller identity
For internal urgent requests, require:

  • Call back to a known number, and
  • A second channel confirmation (for example, a Teams message to the known account), and
  • A ticket or reference number, if applicable

Rule 5 – Lock down telecom account changes
Maintain a list of named approvers for mobile account actions, enforce strong account credentials, and require written approval for porting or SIM replacements.

For organisations that send or rely on telephone and SMS communications, NCSC guidance recommends designing communications to be consistent, trustworthy, and harder for criminals to exploit. (ncsc.gov.uk)

FAQs

Can a deepfake call sound exactly like my work colleague?
Sometimes it can be close enough to trigger trust. That is why your defence must be process-based, not recognition-based.

What should I do if the caller knows internal details?
Treat that as a warning sign, not proof. Scammers gather information from public sources and previous breaches. Hang up and verify through trusted channels.

Is caller ID reliable?
No. Numbers can be spoofed. Always call back using a known number.

What should I never share on a call?
One-time passcodes, password reset codes, MDM enrolment details, bank security information, or anything that allows access or approvals.

How do deepfake calls link to SIM swap fraud risks for businesses?
A convincing call can be used to obtain the information needed to request a SIM replacement or port out, which can then allow interception of verification texts.

Conclusion

Deepfake phone calls will keep improving, but your controls do not need to be complicated. The businesses that avoid losses treat every urgent call as untrusted until verified, enforce a clear procedure for verifying caller identity, and remove the ability for one person to authorise high-risk actions on the spot.

If you want to reduce exposure across your mobile estate and employee processes, Mobifon can help you review your risks and implement practical controls through a business consultation and audit.

If you want to reduce risk properly, Mobifon can help you implement mobile security the right way from the start. We can set up and configure your MDM and ensure Apple Business Manager and Android Enterprise work correctly, so devices are enrolled securely, policies are applied consistently, and leavers and lost phones are handled quickly. Book a Free Business Consultation and Audit, and we will review your current setup and provide clear next steps your team can action.