Real-Time Voice Clones Defeating Helpdesk and Voice MFA: A 2026 Defence Guide
The Problem
Voice as an authentication factor has been used by financial institutions, healthcare providers, and corporate helpdesks for decades. The logic: voice is biometric, hard to forge, and easy to verify without additional hardware. In 2025, that logic collapsed — not gradually, but at the speed of a model release.
The technology timeline:
- 2023: ElevenLabs launched voice cloning from 1-minute samples. Quality was detectable with effort; artifacts were audible to trained listeners, particularly on sustained vowels and sibilants.
- Early 2024: Retrieval-based Voice Conversion (RVC) matured into a practical real-time attack tool. A caller’s live voice could be transformed in flight to match a target’s vocal characteristics, with ~150ms end-to-end latency — below the threshold where telephone call quality variations mask the conversion delay.
- Late 2024: ElevenLabs Eleven v2 Turbo, Resemble AI’s streaming API, and several open-weights implementations (OpenVoice v2, F5-TTS) reduced sample requirements to under 5 seconds of reference audio. Output quality became indistinguishable from the genuine speaker to untrained listeners, and often to trained ones, over telephone-quality audio.
- 2025: Verified, publicly documented incidents:
- A UK engineering firm lost £25 million when a finance employee was convinced by a voice clone of the CFO to authorise a wire transfer — confirmed by multiple UK press investigations and cited in Parliamentary testimony on AI fraud.
- Multiple US healthcare providers reported voice authentication bypass in their IVR systems; Nuance and Verint both published internal research in late 2024 acknowledging >90% bypass rates against their own biometric engines for high-quality clones.
- Several US financial institutions quietly deprecated or disabled voice biometric authentication after internal red-team tests; the Federal Reserve issued informal guidance in Q1 2025 recommending against voice-only authentication for account access.
These are the confirmed incidents. The actual number is larger — most voice authentication bypasses in IVR systems either go undetected or are reported as credential stuffing rather than deepfake attacks.
Why voice authentication fails against real-time clones — the technical mechanism:
Retrieval-based Voice Conversion works differently from text-to-speech synthesis. TTS generates audio from text. RVC takes an input speech signal and converts it to match a different speaker’s voice in near real time, preserving the original’s prosody, rhythm, and content while replacing the vocal characteristics.
The technical pipeline: the attacker’s live voice is captured → split into overlapping 200ms frames → each frame is encoded into a content representation using a self-supervised encoder (typically HuBERT or Whisper features) that separates linguistic content from speaker identity → the content representation is passed through a retrieval module that finds the nearest matching phoneme segments in a database built from the target’s voice samples → a neural vocoder (HiFi-GAN or EnCodec variants) reconstructs the waveform with the target’s vocal characteristics.
This is why it defeats speaker verification systems: the output shares the target’s fundamental frequency contour (F0), formant structure (F1/F2/F3 resonances that characterise vowels), speaking rate, and spectral envelope — the exact features that voiceprint matching systems use. Voiceprint vendors including Nuance, Verint, and NICE build templates from these acoustic features. A well-tuned RVC model running against even 5 seconds of target audio will produce output that matches those templates, because it is literally reconstructing the target’s vocal tract characteristics from retrieved reference frames.
The second important property: telephone codecs (G.711, G.729, AMR-NB) sample at 8kHz and apply aggressive compression. This removes high-frequency content and introduces compression artifacts. These artifacts are identical whether the audio is the genuine speaker or an RVC clone of them. The codec distortion that used to help human operators notice “something sounds off” now equalises legitimate callers and clones — both sound slightly degraded in exactly the same way.
Helpdesk operators face a separate problem: human voice recognition is unreliable over telephone audio, particularly for people who speak with the target infrequently. A helpdesk operator who has spoken to a particular executive twice in the past year has no reliable memory of their voice to compare against. And for callers they have never met (new employees requesting account recovery, external customers calling a banking IVR), there is no reference at all.
Threat Model
Attack 1: Helpdesk credential reset via voice impersonation. Attacker collects 5–30 seconds of voice sample from publicly available source — LinkedIn video introduction, company earnings call recording, conference presentation, podcast appearance. Runs target audio through RVC fine-tuning (15–30 minutes on a consumer GPU). Calls corporate helpdesk impersonating the target employee. Convinces helpdesk to reset MFA, issue recovery codes, or grant temporary account access. Achieves account takeover without ever touching the target’s device.
Attack 2: Automated vishing at scale. Voice clone combined with an LLM-powered conversation agent produces a fully automated helpdesk impersonation system. The LLM handles the social engineering conversation; the RVC engine converts the LLM’s TTS output to the target’s voice in real time. This removes the human attacker from the loop and allows simultaneous calls to multiple targets or multiple calls to the same target across time zones. The attacker sees success/failure metrics in a dashboard, not transcripts.
Attack 3: Executive wire transfer fraud. Voice clone of CFO or CEO placed to the finance team. Instructs a wire transfer to a new beneficiary. The call is combined with a spoofed caller ID showing the executive’s known mobile number and optionally a forwarded “approval” email from a lookalike domain. Wire transfers are often irreversible. The £25M UK engineering firm incident followed this exact pattern.
Attack 4: IVR voice biometric bypass. Banking, telecom, and government IVR systems that use passive voice biometrics — where the customer’s voiceprint is matched against enrollment without requiring a specific challenge phrase — are entirely bypassed by feeding the clone’s audio through a virtual audio device into the phone call. The IVR system receives what its feature extraction models measure as the legitimate customer’s voiceprint. Full account access is granted.
Assets at risk: MFA enrollment state; account recovery codes; wire transfer authorisation; account access in voice-biometric-protected IVR systems; any privileged action the impersonated identity can request by phone.
Attacker capability required: A 5-second voice sample (obtainable from public sources for almost any named employee at a company with a web presence), a consumer GPU or $2/hour of cloud compute, and off-the-shelf open-weights tools. This is not a nation-state capability.
Hardening Configuration
1. Remove Voice as a Sole Authentication Factor
The most important change is policy, not technology. Voice is now an unreliable signal. Treating it as authentication rather than context is the root cause of every attack in the threat model above.
# authentication_policy.yaml — store in version control, enforce via IdP policy engine
authentication_policy:
voice_as_sole_factor: PROHIBITED
voice_as_supporting_factor:
allowed_when:
- combined_with: hardware_token # FIDO2/WebAuthn
- combined_with: TOTP # time-based OTP from enrolled device
- combined_with: push_notification # push to enrolled device with nonce
not_allowed_for:
- password_reset
- account_recovery
- mfa_bypass
- mfa_reenrollment
- wire_transfer_authorisation
- access_escalation
helpdesk_verification_required:
two_factors_minimum: true
acceptable_factors:
- hardware_security_key: "FIDO2/WebAuthn — possession of enrolled key"
- manager_approval_ticket: "pre-raised in ticketing system via authenticated session"
- out_of_band_video_call: "with liveness challenge, on a channel not controlled by caller"
voice_alone: PROHIBITED
This is the only control that fully closes the attack surface. Everything else in this article is defence-in-depth against the cases where this policy has not yet been implemented.
2. Out-of-Band Verification for High-Value Requests
For any helpdesk request involving account recovery, MFA reset, or access escalation, verification must occur on a different channel from the request. If the request arrives by phone, verification must occur via the authenticated app on the enrolled device — a channel the voice clone attacker does not control.
from enum import Enum
from dataclasses import dataclass
import asyncio
HIGH_VALUE_REQUESTS = {
"mfa_reset", "account_recovery", "password_reset",
"access_escalation", "mfa_reenrollment", "wire_transfer"
}
@dataclass
class VerificationResult:
approved: bool
channel_used: str
ticket_verified: bool
push_confirmed: bool
async def verify_high_value_request(
requester_id: str,
request_type: str,
inbound_channel: str, # "phone", "teams", "email"
) -> VerificationResult:
"""
Requires out-of-band confirmation on a channel different from the request channel.
A voice clone controls the inbound phone channel; it does not control
the enrolled mobile device or the authenticated ticketing session.
"""
if request_type not in HIGH_VALUE_REQUESTS:
return VerificationResult(
approved=True, channel_used=inbound_channel,
ticket_verified=False, push_confirmed=False
)
# Step 1: confirm a ticket exists, pre-raised before this call
# A voice clone cannot have raised an authenticated ticket before calling
ticket_ok = await check_open_ticket(
user_id=requester_id,
request_type=request_type,
raised_before_minutes_ago=5, # ticket must predate the call
)
# Step 2: send push notification to enrolled device — different channel
push_ok = await send_push_confirmation(
user_id=requester_id,
message=(
f"Helpdesk is requesting: {request_type}. "
f"If you did NOT call helpdesk, tap DENY immediately."
),
timeout_seconds=120,
)
approved = ticket_ok and push_ok
return VerificationResult(
approved=approved,
channel_used="push_notification",
ticket_verified=ticket_ok,
push_confirmed=push_ok,
)
The critical property: the voice clone controls the phone call. It does not control the target’s enrolled mobile device. Even if the attacker is also running a vishing attack simultaneously to intercept the push notification (possible, but requires coordination), the pre-raised ticket requirement remains — a ticket raised in an SSO-authenticated session that the attacker does not have access to.
3. Pre-Raised Ticket Requirement for MFA Bypass
Any MFA reset or account recovery request requires a ticket raised before the call, through the authenticated ticketing system. This single control defeats automated vishing attacks: the LLM/voice-clone attacker cannot raise an authenticated ticket in ServiceNow or Jira because it does not have the target’s credentials — the exact credentials it is calling to obtain.
# ServiceNow webhook validation — fires when helpdesk opens a ticket for processing
# Validate:
# - Ticket was created by authenticated user (SSO session, not over phone)
# - Ticket was created before the call timestamp
# - Ticket type matches the request being processed
# - Ticket is in OPEN state and not already actioned
validate_ticket() {
local ticket_id="$1"
local request_type="$2"
local call_start_epoch="$3"
ticket_json=$(servicenow-cli get-ticket "$ticket_id")
created_by=$(echo "$ticket_json" | jq -r '.opened_by.name')
created_at=$(echo "$ticket_json" | jq -r '.sys_created_on' | date -f - +%s)
ticket_type=$(echo "$ticket_json" | jq -r '.category')
ticket_state=$(echo "$ticket_json" | jq -r '.state')
auth_method=$(echo "$ticket_json" | jq -r '.u_auth_method') # custom field: SSO or phone
if [[ "$auth_method" == "phone" ]]; then
echo "REJECT: ticket was created over phone, not via authenticated session"
return 1
fi
if [[ "$created_at" -ge "$call_start_epoch" ]]; then
echo "REJECT: ticket was not pre-raised before this call"
return 1
fi
if [[ "$ticket_state" != "1" ]]; then # 1 = Open in ServiceNow
echo "REJECT: ticket is not in Open state"
return 1
fi
echo "OK: ticket $ticket_id verified for $request_type"
return 0
}
# Helpdesk script addition:
# "Before I can process this request, I need your ServiceNow ticket number.
# Can you provide the number you raised through the portal?
# I cannot process MFA resets without a pre-raised ticket — this is
# required for all account recovery requests."
# A voice clone caller cannot have pre-raised an authenticated ticket.
4. Liveness Detection for Voice Authentication
Where voice authentication must remain (regulatory requirements, legacy IVR systems during transition), challenge-response liveness adds a barrier against pre-recorded clones and raises the cost against real-time clones.
import secrets
import re
# RVC real-time conversion handles pre-prepared phrases.
# Injecting a random nonce into the conversion pipeline requires the attacker to:
# 1. Hear the challenge (real-time STT of the challenge)
# 2. Feed the nonce to a TTS system to generate spoken audio
# 3. Pass that audio through RVC to match the target voice
# 4. Play it back before the response timeout expires
# This chain adds 2–5 seconds and requires attacker infrastructure to function
# perfectly in real time — not impossible, but meaningfully harder than
# a simple RVC pass-through.
def generate_voice_liveness_challenge() -> tuple[str, str]:
"""
Returns (challenge_text_for_operator, expected_response_nonce).
Use a phonetically unambiguous 6-character alphanumeric nonce.
Avoid ambiguous chars: O/0, I/1, S/5.
"""
charset = "ABCDEFGHJKLMNPQRTUVWXYZ23456789"
nonce = "".join(secrets.choice(charset) for _ in range(6))
challenge = (
f"Please read out the following confirmation code letter by letter: {nonce}"
)
return challenge, nonce
def verify_voice_liveness(
transcription: str,
expected_nonce: str,
max_elapsed_seconds: float,
actual_elapsed_seconds: float,
) -> dict:
"""
Verify liveness challenge response.
Also checks response timing: real-time RVC conversion adds measurable latency.
A pre-prepared recording of the nonce is impossible (nonce is session-unique).
"""
# Normalise transcription: strip punctuation, uppercase
cleaned = re.sub(r"[^A-Z0-9]", "", transcription.upper())
nonce_present = expected_nonce in cleaned
timing_ok = actual_elapsed_seconds <= max_elapsed_seconds
return {
"liveness_pass": nonce_present and timing_ok,
"nonce_matched": nonce_present,
"response_time_seconds": actual_elapsed_seconds,
"timing_ok": timing_ok,
"detail": "pass" if (nonce_present and timing_ok) else (
"timeout" if not timing_ok else "nonce_not_found"
),
}
Liveness detection alone is not sufficient: a sufficiently resourced attacker can automate the challenge-response loop. Treat it as one layer, not a complete control.
5. Deepfake Detection in Call Infrastructure
Commercial and open-source deepfake audio detectors exist. They are imperfect — the best available in 2025–2026 operate at around 75–85% accuracy against high-quality real-time RVC clones — but they are useful as a triage signal to escalate calls for closer review.
import httpx
import asyncio
from typing import AsyncIterator
DETECT_API_KEY = "..." # Pindrop, Resemble Detect, or self-hosted AASIST
async def check_voice_authenticity(audio_chunk: bytes) -> dict:
"""
Send audio chunk to deepfake detection service.
Returns detection result with confidence and identified artifacts.
At 85% accuracy, expect 15% false negatives on high-quality clones
and ~5% false positives on legitimate callers (varies by accent/codec).
Use as escalation signal, not blocking gate.
"""
async with httpx.AsyncClient(timeout=2.0) as client:
response = await client.post(
"https://api.resemble.ai/v2/detect",
files={"audio": ("chunk.wav", audio_chunk, "audio/wav")},
headers={"Authorization": f"Bearer {DETECT_API_KEY}"},
)
response.raise_for_status()
return response.json()
# Returns: {
# "is_synthetic": bool,
# "confidence": float, # 0.0–1.0
# "artifacts": list[str] # e.g. ["vocoder_artifacts", "f0_discontinuity"]
# }
async def process_call_with_detection(audio_stream: AsyncIterator[bytes]):
"""
Non-blocking deepfake detection for a call in progress.
Accumulate 3-second chunks for analysis; flag if >2 consecutive chunks exceed threshold.
"""
synthetic_chunk_count = 0
chunk_buffer = b""
CHUNK_TARGET_BYTES = 48000 * 2 * 3 # 3 seconds at 8kHz 16-bit = 48000 bytes
async for raw_bytes in audio_stream:
chunk_buffer += raw_bytes
if len(chunk_buffer) >= CHUNK_TARGET_BYTES:
result = await check_voice_authenticity(chunk_buffer)
chunk_buffer = b""
if result.get("is_synthetic") and result.get("confidence", 0) > 0.85:
synthetic_chunk_count += 1
else:
synthetic_chunk_count = 0
if synthetic_chunk_count >= 2:
# Two consecutive high-confidence synthetic detections
# Do not block — alert and escalate
await flag_call_for_supervisor_review(
confidence=result["confidence"],
artifacts=result.get("artifacts", []),
)
# Reset counter; continue processing
synthetic_chunk_count = 0
The 0.85 threshold is not a safety gate — it is a cost/false-positive trade-off. At 0.85, you surface the calls most likely to be synthetic while limiting false positives on legitimate callers using VOIP systems with compression artifacts. Do not auto-reject calls based on this signal alone. Do not tell the caller they have been detected; route the call to a senior operator and conduct the standard out-of-band verification regardless.
6. Helpdesk Procedure: The Actual Runbook
Technical controls fail if operators bypass them under social pressure. The runbook must be explicit about what operators are not permitted to do, not just what they should do.
## Helpdesk Identity Verification Checklist (2026)
## MANDATORY for: password reset, MFA bypass, account recovery, access escalation
STEP 1 — Request ticket number
"Before I can process this request, I need your ServiceNow ticket number.
Can you provide the ticket number you raised through the portal?"
- If no ticket: "I'm unable to process this without a pre-raised ticket.
Please log into ServiceNow via SSO and raise a request, then call back."
- DO NOT PROCEED without a valid pre-raised ticket.
- Verify: ticket created >5 min ago, via SSO session (not phone), in Open state.
STEP 2 — Push notification to enrolled device
Send push via Okta/Entra to the requester's enrolled device.
"You should receive a push notification on your registered device now.
Please approve it and tell me the confirmation code displayed."
- If push not approved within 2 minutes: do not proceed.
- If requester says they don't have their device: follow LOST DEVICE procedure
(in-person verification with badge + manager attestation — not phone-based).
STEP 3 — One non-directory knowledge factor
Ask ONE question whose answer is NOT findable on LinkedIn, company directory,
or public sources. Examples: last payslip date, direct manager's employee ID,
most recent expense report amount.
DO NOT use: name, job title, department, office location, manager's name,
start date — all are on LinkedIn.
STEP 4 — Do NOT verify identity by voice alone
Voice can be synthesised. Hearing the person's voice does not confirm their
identity. A convincing-sounding voice is not a factor in this checklist.
FOR WIRE TRANSFER AUTHORISATION:
1. Callback on the known-good number from the internal directory
(NOT a number provided by the caller — callers can give attacker-controlled numbers).
2. Require written approval through corporate email from an SSO-authenticated session.
3. Require secondary approver at the same level or above via separate channel.
4. Phone-only authorisation: NOT PERMITTED at any amount.
IF YOU FEEL PRESSURED TO SKIP STEPS:
"I understand this is urgent, but I am required to follow this procedure for all
account recovery requests. Skipping any step would put your account at risk.
I cannot make exceptions — this is a security requirement, not a preference."
Escalate to supervisor if pressure continues. Document the interaction.
Expected Behaviour
Push notification flow for a helpdesk MFA reset request:
Operator opens the IdP console (Okta, Entra) and initiates a push verification to the requester’s user ID. The enrolled device receives a push with message: “Helpdesk is requesting: MFA reset. Approve?” — along with a 6-digit confirmation code displayed in the authenticator app. The operator asks the caller to read back that code. If the codes match: the device interaction is confirmed. If the caller cannot provide the code, or if the push is denied on the device, the operator stops the interaction and logs it as a suspicious call.
Liveness detection challenge:
Operator reads the generated nonce to the caller: “Please read out the following code letter by letter: KQTM4R.” The caller speaks the individual characters. Operator records elapsed time. Speech-to-text transcribes the response. The verification function checks that KQTM4R appears in the transcript and that the response came within the time window. A voice clone operator receiving this challenge in real time must: run STT on the operator’s audio, synthesise TTS of the nonce, convert it through RVC, and play it back — a chain that adds 2–5 seconds of latency beyond normal response time.
Deepfake detection API response for a flagged call:
{
"is_synthetic": true,
"confidence": 0.91,
"artifacts": [
"vocoder_artifacts",
"f0_discontinuity",
"formant_smoothing"
],
"recommendation": "escalate_for_review"
}
The artifacts list indicates which acoustic features triggered the classifier. vocoder_artifacts indicates spectral irregularities characteristic of neural vocoders (HiFi-GAN, EnCodec). f0_discontinuity indicates abrupt jumps in fundamental frequency between frames, which occurs when RVC retrieval fails to find a close phoneme match. formant_smoothing indicates the formant contours are too smooth relative to natural speech — a known artifact of retrieval-based reconstruction.
Trade-offs
Pre-raised ticket requirement is the most effective control and the highest friction. A legitimate employee with a locked account who needs urgent access cannot resolve it in 5 minutes. The mitigation is a well-designed in-person recovery path and manager-attestation workflow — not relaxing the ticket requirement for “urgent” cases, which is exactly the social engineering pretext attackers use.
Liveness detection via nonces adds approximately 30 seconds to call handling time and can be defeated by a sufficiently automated attacker who instruments the challenge-response loop. It raises the attacker’s infrastructure requirements but is not a reliable blocker against well-resourced adversaries.
Deepfake detection APIs run at 75–85% accuracy against high-quality real-time clones in 2025–2026. Accuracy is lower for callers with non-native accents, VOIP compression, and mobile network degradation — all of which also produce artifacts that pattern-match on the same acoustic features as synthetic audio. False positive rate on legitimate callers using low-quality VOIP ranges from 3–8% depending on threshold. This cannot be a blocking control.
Removing voice as a factor entirely reduces usability for users without enrolled mobile devices, hardware tokens, or access to a ticketing system. The population most affected is typically contractors, external vendors, and employees during onboarding — high-risk segments that warrant the friction. The correct response is to resolve those gaps in enrollment coverage, not to preserve voice authentication as a fallback.
Failure Modes
Updating IVR deepfake detection without updating helpdesk human procedures. Automated IVR voice biometric bypass is real, but humans answering helpdesk calls are the larger attack surface in most organisations. An attacker who cannot bypass the IVR calls the helpdesk instead. Both surfaces require remediation.
Using knowledge-based authentication as the fallback for users without enrolled devices. KBA questions (mother’s maiden name, first pet, first school) are answerable from social media and data broker databases. An attacker who has done basic OSINT on the target can answer them. KBA is not a second factor — it is a single factor the attacker has already prepared for.
Callback verification to caller-provided numbers. “I’ll call you back to confirm” is not out-of-band verification if the callback number was provided by the caller. The attacker provides a number they control. The callback reaches the attacker, who continues the impersonation. Callbacks must use numbers from the internal directory, not from the inbound call or the caller’s stated preference.
Treating deepfake detection accuracy as binary. Security teams that deploy a deepfake detection API and configure it as an automated blocking gate will generate a significant false positive rate against legitimate callers — particularly callers using mobile networks, headsets, or non-native accents — while still admitting the ~15% of synthetic calls that score below the blocking threshold. The failure mode is double: harm to legitimate users and false confidence that synthetic calls are being reliably blocked.
Assuming the attacker’s voice sample quality is limited. For any named employee at an organisation with any public web presence — conference talks, all-hands recordings leaked by former employees, investor calls, media appearances — a 5–30 second voice sample is available. The attack does not require prolonged surveillance.