I got a voicemail that *sounds exactly* like my manager, and it freaked me out a bit.
Context: I’m remote, different time zone, and we do vendor payments sometimes. This message came in late at night, and it had a “don’t Slack me, I’m in a meeting” vibe. The number wasn’t saved, but the voice… the cadence and little throat-clear? Spot on.
What I’m trying to figure out:
- If someone can clone a voice from a few clips, what can a normal person do to verify?
- Are there any **forensics** checks for voice messages that are actually practical (not “run a lab test”)?
- Does **metadata** even survive when a voicemail is delivered through carriers/apps?
- Is **watermarking** a real thing for voice yet, or mostly theory?
Also: what’s a reasonable “company rule” for this? A code word feels silly… but maybe not anymore.
Code words aren’t silly. They’re boring, and boring is good.
At minimum: **no payments from voice alone**. Ever. Even if it sounds perfect.
Have one fallback channel that’s always required (known number call-back, ticketing system, whatever your org uses).
And yeah, voicemail **metadata** is usually a mess. By the time it hits your phone, you’re not getting much provenance.
I’m going to be the annoying person and say this is less an “audio problem” and more a *process* problem.
If a request bypasses normal workflow (“don’t tell anyone”), treat it as hostile until proven otherwise.
Even if it’s real, it’s still bad practice.
For forensics: you can listen for weird breath timing, clipped consonants, or overly-clean background noise… but that’s weak evidence. It’s not a dependable test.
I’ve had family members get hit with the “urgent, don’t hang up” style call. It’s the emotional pressure that does the work.
A tiny trick: ask a question that can’t be answered from public info. Something mundane and private.
Not a “secret,” just a shared-memory thing.
It won’t stop every scam, but it breaks the script fast.
Watermarking is promising *when the audio is generated by systems that choose to embed it*. That’s the catch.
If the attacker is using tools that don’t watermark (or they re-record the audio), you’re back to human + process checks.
So: don’t rely on detection alone.
If you want one actionable rule: “Voice message = request to verify, not request to act.”
One more angle: require the *invoice* or *purchase order* reference in the request, not just “send money now.”
Scammers are often vague because they don’t know your internal details.
If they refuse to provide specifics or push urgency harder, that’s your signal.
Also, keep a short internal checklist. Two minutes of friction saves hours of cleanup.