Nucleus Networks Blog & Latest News

They Cloned the Boss's Voice. Finance Didn't Stand a Chance.

Written by Karl Fulljames, CTO | Jun 15, 2026 3:46:47 PM

The call came from the CEO's number.

The voice on the line was calm, direct, and unmistakably his. Familiar cadence. The way he phrased things. Even the slight impatience when things needed to move fast. The finance team had heard it a hundred times before.

He needed a transfer done quickly. Sensitive deal. Couldn't go through the usual channels right now. You understand.

They understood. They transferred the money.

The CEO, of course, had made no such call.

This happened to a Canadian company. Not a small one. Not a careless one. One with real processes and people who thought they knew what a scam looked like. The attackers had done their homework. They pulled audio of the executive from publicly available sources, a talk, a video, maybe a podcast clip, and fed it to an AI voice cloning tool. Combined with a spoofed phone number that matched the CEO's caller ID, the call was indistinguishable from the real thing.

The finance team did exactly what they'd been trained to do: they responded to a trusted contact making an urgent request.

The problem is that the finance team's training was built for a world where you could still trust a voice. That world is gone.

AI didn't create fraud. It industrialized it.

Scammers have always impersonated executives. The "CEO fraud" wire transfer scam has been around for years. What's changed is the cost and the quality. Getting a believable audio clone of someone used to require resources most criminals didn't have. Now it requires a few seconds of publicly available audio and a tool anyone can access.

The FBI tracked nearly $900 million in losses tied to AI-assisted scams in 2025 alone, as reported by The Independent. That's the first year they measured it as a distinct category. It will not be the last, and the number will not go down.

What's notable about the Canadian case isn't that it happened. It's that nothing about the execution was particularly sophisticated. No malware. No network breach. No zero-day exploit. Just a convincing voice, a spoofed number, and a finance team that had no way to verify what their instincts were telling them was true.

The hole in the process wasn't human error. It was the absence of a verification step that should have existed.

The problem with trusting a voice

Your executive team talks publicly. They're on panels. They do podcasts. They post videos. Every one of those clips is training data for a tool that can reconstruct how they sound. You can't fix that. You can't pull them off the internet. And you probably shouldn't; that's not the right trade.

What you can do is stop treating voice as proof of identity.

A voice confirms familiarity. It does not confirm identity. Those are different things, and the gap between them is exactly where this attack lives.

The same logic applies to phone numbers. Spoofing a caller ID is not difficult. It does not require access to any system. It requires about five minutes and a willingness to commit fraud. Caller ID was designed to display a number, not verify one. It has never been a security control. We've just been treating it like one.

What the fix actually looks like

The answer isn't suspicion. It isn't teaching your finance team to distrust their own CEO. That's not practical, and it creates its own problems.

The answer is a verification step that sits outside the channel being spoofed.

If a call comes in claiming to be from the CEO, the finance team needs a second signal, through a different channel, confirming the request is legitimate before any action is taken. Something that the person on the phone can't fake. A code generated by a system they don't control. A push notification to a registered device. Something real-time and out-of-band.
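One way to implement that second signal, shown as an added example (not code from this post or from Traceless): a hypothetical verification service issues a single-use challenge bound to the exact wire details, and only the approver's registered device, which holds an enrolled key, can answer it. The names `Verifier` and `device_approve`, the five-minute expiry and the sample wire are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

TTL_SECONDS = 300  # assumption: a challenge is valid for five minutes

def _mac(key, nonce, request):
    # Canonical JSON binds the MAC to the nonce and the exact payment details.
    msg = json.dumps([nonce, request], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Verifier:  # hypothetical service finance consults before releasing a wire
    def __init__(self, enrolled_keys):
        self.keys = enrolled_keys  # approver -> key held by their registered device
        self.pending = {}          # nonce -> (request, issued_at)

    def open_challenge(self, request, now=None):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (dict(request), time.time() if now is None else now)
        return nonce  # pushed to the registered device, never read out on the call

    def confirm(self, nonce, response, now=None):
        request, issued = self.pending.pop(nonce, (None, 0.0))  # single use
        key = self.keys.get(request["approver"]) if request else None
        now = time.time() if now is None else now
        if key is None or now - issued > TTL_SECONDS:
            return False
        return hmac.compare_digest(_mac(key, nonce, request), response)

def device_approve(device_key, nonce, request_shown):
    # Runs on the registered device after the approver reviews the details.
    return _mac(device_key, nonce, request_shown)

def demo():
    key = secrets.token_bytes(32)  # constructed enrolment secret
    svc = Verifier({"ceo": key})
    wire = {"approver": "ceo", "beneficiary": "ACCT-0001", "amount": "250000.00"}
    def attempt(dev_key, shown, at):
        n = svc.open_challenge(wire, now=0)
        return svc.confirm(n, device_approve(dev_key, n, shown), now=at)
    n = svc.open_challenge(wire, now=0)
    good = device_approve(key, n, wire)
    return {"approved": svc.confirm(n, good, now=60),
            "replayed": svc.confirm(n, good, now=61),
            "no_device": attempt(b"guess", wire, 60),
            "altered": attempt(key, {**wire, "amount": "1.00"}, 60),
            "expired": attempt(key, wire, TTL_SECONDS + 1)}
```

Only the first case in `demo()` releases the wire; a replayed answer, a caller without the enrolled device, changed payment details and a stale challenge are all refused.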

That's the layer that was missing in the Canadian case. Not smarter people. Not more suspicious people. Just one step that makes the right answer the easy answer.

This is what we're building with Traceless, and not just for how clients verify us when we call them. The same capability can be deployed internally, so your finance team has a way to confirm a request from your CFO or CEO before a wire goes out. So your exec team can verify each other when something urgent comes in through an unfamiliar channel. So "I got a call from the boss" is no longer sufficient authorization for anything that can't be undone.

The attack that hit the Canadian company was not novel. It will happen again, to organizations that look just like yours, with teams that are just as diligent. The difference will be whether there was a verification step in the process or just a voice.

Book a call with us today. We'll show you exactly what that step looks like for your team, and how fast it can be in place. Don't wait for your own version of this story to find out you needed it.