Voice Deepfakes Have Broken the Contact Centre’s Oldest Trust Test: Here’s How You Can Safeguard Against Them

Voice Deepfakes Have Broken the Contact Centre's Oldest Trust Test: Here's How You Can Safeguard Against Them

For as long as contact centres have existed, agents have made one sure bet. Namely, that a voice is a fingerprint. Sound right, and you are who you say you are. According to the people who build and test today’s most convincing voice-cloning attacks, that bet no longer pays out. As a result, organisations still pricing risk as though it does are budgeting for a threat that has already moved on.

Ross Lazerowitz is Chief Executive and Co-Founder of Mirage Security, whose platform uses AI to simulate social engineering attacks, including voice phishing, to train employees against them. He is blunt in his assessment of the threat landscape:

“They’re already undetectable, and I say that from operational data rather than speculation.”

Mirage’s own simulated callers, he notes, hold conversations running up to thirty minutes and sustain a believability rate of roughly 98 percent among the employees they target.

Chris Rozum, Founder of contact centre operations consultancy Insite Managed Solutions, is just as candid. Voice clones are “already effectively undetectable to the human ear.” Asking a frontline agent to catch one in a live, high-pressure call is, in his words, “an impossible request.”

How Convincing Has AI Voice Cloning Actually Become?  

The scale behind that assessment is not speculative either. Pindrop’s 2025 Voice Intelligence and Security Report, drawn from 1.2 billion analysed calls, recorded a rise of more than 1,300 percent in deepfake fraud attempts across contact centres in a single year. It rose from roughly one attempt a month to seven a day. Separately, Gartner’s September 2025 survey of nearly 300 organisations found that 62 percent had experienced a deepfake attack in the preceding twelve months.

The two figures, drawn from entirely different methodologies, converge on the same terrifying conclusion. This is now background noise in the call queue, rather than a rare event warranting a company-wide alert.

The technical bar for producing that noise has also collapsed. Multiple independent security researchers now put the audio required to clone a voice convincingly at somewhere between three and ten seconds. It could be a voicemail greeting, a snippet of a podcast appearance, or an outbound call recorded for “quality purposes.”

Rozum describes the change of the past year and a half in similarly stark terms. Contact centres have moved from defending against “static, pre-recorded audio clips” to something categorically harder, what he describes as “real-time, interactive voice clones.” Attackers can sustain a live, responsive conversation using a cloned voice, complete with natural inflection and emotional range.

Lazerowitz’s forecast for where this goes next is also not reassuring. Bidirectional voice models that listen while they speak, interjecting with the small verbal reflexes, such as the “mm-hm,” or the “right”, that make a caller register as human rather than synthetic:

“Agents should assume they cannot ear-test a voice, full stop.”

The financial evidence is not abstract either. When attackers deployed a deepfaked video call to impersonate senior executives at engineering firm Arup in early 2024, the company was defrauded of $25.6 million in a single incident, a case confirmed by both the Financial Times and Arup itself. It remains the reference point the industry reaches for precisely because it shows what happens when the tech works exactly as designed. This is against trained professionals on a live call, not against a careless victim.

Why Voice Was Always a Fragile Password  

The uncomfortable truth in both experts’ accounts is that deepfakes have not so much broken contact centre security as exposed how little of it was ever load-bearing.

“The structural weakness is that most contact centres were never built around identity in the first place,” Lazerowitz argues. “Security questions and voice biometrics are bolt-ons, and deepfakes expose how thin they always were.” A voice, he points out, was never actually secret. Thirty seconds of audio lifted from a podcast, a LinkedIn video, or a voicemail is sufficient raw material to clone one.

Even the model developers themselves have acknowledged the problem. OpenAI, previewing its own voice-cloning technology, urged banks to phase out voice-based authentication altogether. Meanwhile, regulators, including New York’s Department of Financial Services, have warned against relying on voice or video as authentication factors at all.

Rozum frames the same failure as one of psychology rather than infrastructure, noting “the fatal assumption of sensory trust is the biggest flaw.”

The legacy model assumes that a caller who sounds right and can recite a few static account details must be legitimate. When a clone matches a customer’s or an executive’s exact tonal signature, human empathy does the rest, prompting agents to instinctively lower their guard.

That vulnerability compounds when it meets a second, older weakness. The personal data attackers pair with a cloned voice, such as date of birth, account numbers, or security answers, is often sitting in a breached dataset or purchasable outright. Rozum says:

“If your frontline checkpoint relies on a voice check combined with basic, fixed data points, your operational framework is fundamentally exposed. A voice can no longer be used as a password.”

Both diagnoses point in the same direction. The contact centre’s authentication problem was never really about voice at all, but about treating a single, guessable, replicable signal as sufficient proof of anything.

What Contact Centre Leaders Should Actually Fix First  

Here, Rozum and Lazerowitz converge. Their advice is striking as much for what it rules out as for what it recommends.

Rozum’s ninety-day mandate is unambiguous. He suggests you implement out-of-band multi-factor authentication and stop allowing voice to serve as standalone validation for any high-risk transaction. In practice, that means a secure push notification through a mobile app, a dynamic SMS code, or a mandatory callback to a verified number on file. If a caller cannot clear that separate digital check, the transaction halts immediately. No exceptions are made for a convincing story.

Lazerowitz’s version of the same ninety-day test is procedural. Does a documented verification process exist, does it survive contact with a realistic attack, and can an agent flag a suspicious call in seconds rather than by wading through a lengthy ticketing form? “Fix your verification process before you buy anything,” he says.

What both explicitly warn against is instructive. Rozum stresses that you shouldn’t “waste your budget on specialised human ear training programs”. Teaching agents to listen for glitches or flat tone is a losing race against models evolving faster than human biology can adapt. Lazerowitz, similarly, cautions against leading with detection software of any kind:

“Detection is a Band-Aid on a broken identity process; the accuracy claims are shakier than the marketing suggests, and a detector bolted onto weak verification just gives you a confident wrong answer.”

Fix the process first, in other words, or any tool bought to patch it will simply add a false sense of security to an already exposed system.

The cultural fix runs deeper than either checklist. Rozum wants organisations to “shift the organisational incentive from speed to compliance security”. This is because decades of optimising for average handle time have trained agents to be rushed. Naturally, rushed agents are the easiest agents to manipulate. Fraudsters know this and manufacture urgency deliberately. They can pose as a distressed exec or a customer in crisis specifically to make an agent skip a step.

Lazerowitz suggests the attacks his platform simulates rarely resemble the shouting, threatening caller of security-training folklore. “Niceness is the weapon,” he says. The single fastest way to sabotage a defence programme, in his experience, is punishing agents who flag a false alarm or fail a simulation. “If an agent’s metrics take a hit for escalating a suspicious call, they’ll stop escalating.”

The end state both are describing is the same. Workflows engineered so that no agent, however persuaded, ever holds the sole authority to approve a high-risk action on voice alone. As Lazerowitz puts it, “the caller can apply all the pressure they want; the system should make the bad outcome impossible.”