Most cyber attacks don’t start with a sophisticated technical exploit. They start with a well-written email or a convincing phone call. Spear phishing and vishing have been around for years, but what’s changed is the level of personalisation attackers now apply, and the use of AI-generated voice cloning to impersonate senior executives in real time.
UK businesses are increasingly on the receiving end. Finance teams are being called by voices that sound exactly like the CEO and instructed to make urgent bank transfers. Email threads are being hijacked mid-conversation, with the attacker already knowing the names, roles and context of the deal being discussed.
How Spear Phishing Differs from a Bulk Email Campaign
Unlike a bulk phishing blast sent to thousands of inboxes, spear phishing is targeted and highly personalised. The attacker does research first. They’ll scan LinkedIn to map the org chart, study company announcements to find a live project or deal, and craft an email that mirrors the language and tone of real internal communications.
Organisations that want to know whether their staff would actually spot this kind of attack in practice will sometimes commission red teaming services, which include simulated spear phishing campaigns run against real employees without their prior knowledge.
The results are often sobering. Even staff who’ve completed security awareness training will click links in a well-crafted spear phishing email, particularly when it appears to come from a trusted colleague and references a project they’re actively working on.
How AI Voice Cloning Changed Vishing
Vishing (voice phishing) has been a known threat for years. What’s changed is the arrival of affordable AI voice cloning tools, which have made it significantly more dangerous. Modern AI tools can clone a person’s voice from as little as a few seconds of publicly available audio; a clip from a podcast, a conference talk or a company video is more than enough.
In practice, this means a finance officer can receive a call that sounds exactly like the CFO, asking them to authorise an urgent supplier payment. The caller will often send a spoofed follow-up email to add further legitimacy. The NCSC’s 2025 Annual Review confirmed record incident volumes and warned that AI is already amplifying attacker capability, a threat it described as putting increasing pressure on organisations to tighten controls around approvals, payments and supplier changes.
CEO Fraud and the Finance Team as a Target
Business email compromise and CEO fraud have cost UK organisations hundreds of millions of pounds. Total fraud losses reported to Action Fraud reached £2.3 billion in 2024, and impersonation-based fraud accounts for a substantial share of that figure. Action Fraud and the NCSC have both highlighted it as a serious and growing threat to organisations, and individual cases can run to hundreds of thousands of pounds.
These scams work because of the social pressure built into the request itself. The attacker impersonates someone with authority, creates urgency, and often tells the target to keep the transaction confidential. That combination cuts through normal verification habits.
The most common scenario involves a call or email from a fake senior executive about a confidential acquisition or a time-sensitive supplier payment. The target is told to bypass usual approval channels. By the time the fraud is identified, the money has already moved.
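The spoofed follow-up email and the pressure language described above (authority, urgency, confidentiality, a request to bypass approvals) are exactly what a finance team’s mail filter or triage rule can be taught to hold for out-of-band verification. The script below is an added illustration written for this article, not code from the article’s author or from any vendor it mentions. The executive directory, the internal domain, the pressure phrases and both sample messages are constructed for the example; the checks themselves (display name of a known executive on a non-matching address, Reply-To pointing at a different domain, an internal sender that did not pass DMARC, and pressure wording in the subject or body) are the standard signals a defender would look at.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: the only addresses these executive names should arrive from.
INTERNAL_DOMAIN = "example.co.uk"
EXECUTIVES = {
    "jane smith": "jane.smith@example.co.uk",   # CFO (hypothetical)
    "tom jones": "tom.jones@example.co.uk",     # CEO (hypothetical)
}

# Social-pressure wording typical of CEO fraud requests (constructed list).
PRESSURE_PHRASES = [
    r"\burgent\b",
    r"\bconfidential\b",
    r"\bdo not (?:discuss|tell|mention)\b",
    r"\bbefore (?:close of business|end of day|cob|eod)\b",
    r"\bbypass\b",
    r"\bskip the usual\b",
]


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message: str) -> dict:
    """Score one RFC 822 message for executive-impersonation signals.

    Returns {"findings": [...], "verdict": "verify" | "ok"}. Any identity
    mismatch or pressure wording is reported; two or more findings together
    mean the message should be held for out-of-band verification.
    """
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(sender)
    findings = []

    # 1. A known executive's display name on an address we do not recognise.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and sender.lower() != expected:
        findings.append("executive display name on non-matching sender address")

    # 2. Replies silently redirected to another domain.
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append("reply-to domain differs from sender domain")

    # 3. Claims to be internal but the receiving MTA did not record a DMARC pass.
    auth_results = msg.get("Authentication-Results", "").lower()
    if sender_domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth_results:
        findings.append("internal sender domain without DMARC pass")

    # 4. Pressure language in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in PRESSURE_PHRASES if re.search(p, text)]
    if hits:
        findings.append(f"pressure language: {len(hits)} pattern(s)")

    verdict = "verify" if len(findings) >= 2 else "ok"
    return {"findings": findings, "verdict": verdict}


# Constructed sample: look-alike domain, redirected replies, urgency and secrecy.
SAMPLE_IMPERSONATION = (
    'From: "Jane Smith" <jane.smith@example-co.com>\n'
    "Reply-To: <jane.smith.cfo@webmail.example>\n"
    "Subject: Urgent supplier payment\n"
    "\n"
    "I need you to process an urgent supplier payment today. This relates to a\n"
    "confidential acquisition, so please do not discuss it with the rest of the\n"
    "team. Reply here and I will send the account details.\n"
)

# Constructed sample: genuine internal mail with a DMARC pass recorded.
SAMPLE_LEGITIMATE = (
    'From: "Jane Smith" <jane.smith@example.co.uk>\n'
    "Authentication-Results: mx.example.co.uk; dmarc=pass header.from=example.co.uk\n"
    "Subject: Q3 board figures\n"
    "\n"
    "Attached are the Q3 board figures for review ahead of Thursday.\n"
)

if __name__ == "__main__":
    for label, sample in (("impersonation", SAMPLE_IMPERSONATION), ("legitimate", SAMPLE_LEGITIMATE)):
        result = analyse(sample)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The "verify" verdict is meant to trigger the control the article argues for: a call back to the executive on a number already held in the directory, never one supplied in the message. The keyword list is deliberately small and will miss rephrased requests; the identity checks (display name, Reply-To, DMARC result) are the more reliable signals and are where tuning effort is best spent.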
Would Your Organisation Actually Catch These Attacks?
Having security awareness training in place is very different from knowing whether your people would make the right call under real pressure. Many organisations run annual training programmes and assume that’s enough. In practice, training tells you what people know. Simulation tells you how they behave.
A red team engagement that includes social engineering scenarios will test your staff against realistic spear phishing emails, pretexting phone calls and executive impersonation attempts. The findings go well beyond pass or fail. They’ll tell you where your verification processes break down, which teams are most exposed, and what specific changes would actually reduce risk.
For organisations that already have technical controls in place, this kind of testing often surfaces vulnerabilities that standard pen tests won’t find, because those tests focus on systems, not on people.
The Bottom Line
Spear phishing, vishing and CEO impersonation all rely on the same thing: trust. The attacker’s goal isn’t to break through your firewall. They want a real person to take a real action, and modern tools make that easier than it’s ever been.
Technical defences matter, but they won’t stop a convincing phone call from a voice that sounds exactly like your CFO. Finding out how your staff respond in practice, before a real attacker does, is the only way to close that gap.
David Prior
David Prior is the editor of Today News, responsible for the overall editorial strategy. He is an NCTJ-qualified journalist with over 20 years’ experience, and is also editor of the award-winning hyperlocal news title Altrincham Today.