The short answer is yes
Can someone deepfake the principal's voice to approve a wire? Yes — and it has already happened at scale. This is the question worth asking before it is asked for you, because the instinct that protects most people, “I would recognize their voice,” is exactly the instinct the attack is built to defeat. This is general information, not legal advice, and not a substitute for retained counsel or a tailored security assessment. The narrow point here is fraud — a fake voice used to move money. A fake video or image used to damage the principal's reputation is a different problem with a different response, covered in deepfake impersonation detection and takedown.
The case that ended the debate
In 2024 the engineering firm Arup disclosed that one of its employees had transferred roughly $25 million after joining a video call in which the other participants — including a figure presented as the company's chief financial officer — were AI-generated deepfakes. The money moved across multiple transactions before anyone realized the meeting had been entirely synthetic. If a deepfake can carry a video call inside a large firm, an audio-only call to a small family-office team is well within reach, and considerably easier to produce.
Why a familiar voice is no longer verification
A few seconds of a person's speech — from a conference panel, a media clip, even a voicemail greeting — is enough to clone their voice convincingly. The FBI has warned that criminals now use generative AI to imitate a loved one's or colleague's voice and has urged families to agree on a secret word or phrase to confirm identity, then to hang up and call back a known number if anything feels wrong. The lesson is structural: recognition is not authentication. How a request sounds tells you nothing reliable about who made it.
The control that still works
Because the weakness is the channel, the defense is to switch channels. A voice or video request to move money is treated as a notification only; the authorization comes from an out-of-band callback to a number already on file, confirmed with the pre-agreed code word. The impersonator can fake the principal's voice, but cannot answer the principal's real phone or supply a word that was never spoken aloud. This sits inside the broader wire-transfer controls checklist, which a family office should adopt as a whole rather than relying on any single step.
What to put in place before the call comes
- A family code word known only to the principal and the people authorized to move money, refreshed periodically and never shared over email.
- A no-exceptions callback rulefor any payment request that arrives by voice, video, or message — including ones that appear to come from the principal in a hurry.
- Permission to slow down. Staff must know they will be thanked, not blamed, for pausing a suspicious instruction. Urgency is the lever the attacker pulls; removing the penalty for caution disarms it.
A calm conclusion
Deepfake fraud sounds futuristic, but the defense is old and dull: verify through a channel the attacker does not control, and never let a convincing performance substitute for it. Most family offices that adopt a code word and a callback rule find the change takes one short conversation to agree and quietly closes the most modern version of an ancient con.
Sources
- Fortune, A finance worker paid out $25 million after a video call with a deepfake 'CFO' (Arup). https://fortune.com/europe/2024/05/17/arup-deepfake-fraud-scam-victim-hong-kong-25-million-cfo/
- Federal Bureau of Investigation, Internet Crime Complaint Center (IC3), Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud (Public Service Announcement I-120324-PSA). https://www.ic3.gov/PSA/2024/PSA241203
- Deloitte Private, The Family Office Cybersecurity Report 2024. https://www.deloitte.com/global/en/services/deloitte-private/research/family-office-cybersecurity-report.html
