For years, when we pictured a “cyberattack,” we imagined complex code, digital viruses, and firewalls being breached by technical wizardry. But what if the most insidious threat doesn’t involve a single line of malicious code? What if it’s far more human, leveraging our trust and instincts against us? Recent discussions among corporate affairs and communications leaders shed light on this unsettling shift: cybercrime is increasingly becoming an orchestrated confidence trick.
Human Error: The Unseen Vulnerability
It turns out that the vast majority of breaches aren’t born from sophisticated exploits, but from simple human mistakes. Whether it’s clicking on a dodgy link, reusing old passwords, or being subtly manipulated into bypassing standard procedures, human behaviour often serves as the easiest entry point for attackers. This isn’t a new concept, but the methods are certainly evolving.
Ethical hacker Rob Shapland highlighted a chilling example: a simulated attack on a professional services firm. The attackers identified a senior partner’s email from public sources, then matched it to a password exposed in a past data breach. Crucially, they then cloned an internal IT team member’s voice using just publicly available audio. (Cyber Breaches, Communications & Consequences white paper, July 2025)
Armed with this cloned voice and a spoofed number, they called the target, impersonating IT support, and secured a one-time security code. That single interaction granted them full access to the partner’s Microsoft account, bypassing all alarms and detection systems. It’s a stark reminder that even the most robust technical defences can be undone by human vulnerability.
The Rise of ‘Legitimate’ Cybercrime
Perhaps the most disturbing trend is the evolution of cybercrime itself. Today’s ransomware groups often operate like disturbingly legitimate businesses. They run affiliate schemes, employ English-speaking support teams, offer helplines for victims, and even conduct follow-up surveys to rate the “experience.” It’s corporate theatre with catastrophic consequences.
Voice cloning tools, such as ElevenLabs and Resemble.ai, are central to this. They can replicate a person’s voice from as little as 10-30 seconds of publicly available audio. Think about it: a podcast, a LinkedIn video, an internal webinar, or even a voicemail could provide enough raw material to convincingly impersonate a colleague or executive.
With a convincing voice and a spoofed number, attackers can request IT credential resets, secure one-time passcodes, authorise large financial transactions, or simply talk their way into highly secure systems. These attacks bypass traditional defences because there’s no malware, no foreign IP login attempt, and no firewall to trip over. The attacker simply persuades someone to do their bidding.
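The case study above and the mechanism just described share one defender-visible shape: a password already exposed in a breach, MFA satisfied by a one-time code the user read out to a caller, and a device the account has never signed in from. The following is an added example, not code from the white paper or from any vendor; it scores constructed sign-in records against those three signals, and the field names, weights and sample values are assumptions.

```python
"""Score sign-in events for the social-engineered one-time-code pattern: a
breach-exposed password, MFA satisfied by a typed (or read-out) OTP, and a device
the account has never used. Constructed data; field names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    ts: str                  # ISO 8601 timestamp
    user: str
    device_id: str           # assumed stable per-device identifier
    mfa_method: str          # "otp_code", "fido2" or "none"
    password_breached: bool  # assumed enrichment from a breached-password lookup

# Weights are illustrative; tune them against real false-positive rates.
WEIGHTS = {"new_device": 2, "phishable_mfa": 2, "breached_password": 3}
ALERT_THRESHOLD = 6  # only all three signals together reach this

def score_signin(event, seen_devices):
    """Return (risk score, reasons) for one event given the user's known devices."""
    reasons = []
    if event.device_id not in seen_devices:
        reasons.append("new_device")
    if event.mfa_method == "otp_code":  # a FIDO2 assertion cannot be read out over the phone
        reasons.append("phishable_mfa")
    if event.password_breached:
        reasons.append("breached_password")
    return sum(WEIGHTS[r] for r in reasons), reasons

def find_alerts(history, events):
    """Flag events at or above the threshold; history seeds each user's known devices."""
    seen = defaultdict(set)
    for e in history:
        seen[e.user].add(e.device_id)
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        score, reasons = score_signin(e, seen[e.user])
        if score >= ALERT_THRESHOLD:
            alerts.append((e, reasons))
        seen[e.user].add(e.device_id)  # learn the device only after it has been scored
    return alerts

# Constructed sample: the partner's usual laptop, then the social-engineered sign-in.
HISTORY = [SignIn("2025-07-01T08:02:00Z", "partner@example.com", "laptop-a1", "otp_code", True)]
EVENTS = [
    SignIn("2025-07-02T09:15:00Z", "partner@example.com", "laptop-a1", "otp_code", True),
    SignIn("2025-07-02T11:41:00Z", "partner@example.com", "unknown-9f", "otp_code", True),
    SignIn("2025-07-02T12:05:00Z", "cfo@example.com", "phone-c7", "fido2", False),
]
```

Only the sign-in from the unfamiliar device with a breached password and OTP-based MFA is flagged; the same account on its usual laptop, and a FIDO2 sign-in with a clean password, stay below the threshold.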
Shifting Mindsets: Cyber as a Comms Issue
Historically, cybersecurity has been firmly within the IT department’s remit. However, with the rise of impersonation and social engineering, the frontline has expanded to include customers, media, regulators, and employees. This means communications teams now sit at the heart of breach preparedness, response, and recovery.
The technical team might detect and respond to a breach, but it’s the communications team that must explain what happened, manage internal trust, reassure stakeholders, and coordinate messaging across legal, IT, customer service, and HR. Reputation is an integral part of the breach itself, and companies can lose more trust through how they explain an incident than through the fact that it happened.
The white paper, by The Remarkables, emphasises that communications must be part of the cyber strategy from day one. This means comms leaders need to be involved in simulation exercises, holding statements should be prepared in advance, and crisis playbooks must include a unified media and internal response plan. The consensus is clear: cybersecurity is now a comms problem wearing a tech disguise.
The Illusion of Preparedness and Failing Training
Many organisations think they’re ready for a cyber crisis, but often their plans are outdated, hard to find, or based on unrealistic assumptions. If your crisis plan is just a PDF gathering digital dust, it’s not really a plan. Common gaps include a lack of clear decision-making hierarchies for cyber scenarios and simulations that stop at the IT response, ignoring public or employee messaging. Crucially, crisis documents are often stored on the very systems likely to be compromised.
Moreover, current cyber training often falls short. Relying on annual e-learning modules is seen as a box-ticking exercise with limited real-world relevance. As one participant in the white paper put it: “If your training doesn’t scare you, it isn’t working.” Modern threats demand behavioural defences, focusing on why an attack happens, not just what to watch out for. Tailored training for high-risk roles, realistic multi-channel phishing simulations (including voice), and regular, bite-sized reminders are vital.
Proactive Resilience: Actions to Take Now
The reality is that cyberattacks are frequent, fast-moving, and carry high reputational risks. Organisations must shift from reactive clean-up to proactive resilience. The white paper outlines ten critical actions:
- Assess AI-driven threats and opportunities. Understand how emerging AI capabilities, like voice cloning, can be weaponised by attackers and how AI can also bolster your defensive capabilities.
- Review and test your crisis plan. It needs to be a living document, regularly rehearsed.
- Store key documents offline. Your cyber insurance, crisis contacts, and escalation protocols should be accessible even if systems are locked down.
- Run cross-functional simulations. Include everyone (legal, HR, comms, and senior leaders) so that every team understands its role.
- Revisit your insurance coverage. Understand its scope, exclusions, and the process for ransom demands.
- Audit early communications. Prepare holding statements and avoid premature absolutes. Focus on care, investigation, and maintaining a human tone.
- Invest in behavioural training. Move beyond generic e-learning to realistic scenarios that highlight social engineering, phishing, and voice cloning.
- Decide your stance on ransom now. Don’t wait until the attackers are at your digital doorstep.
- Prioritise internal communications. Your employees are your first line of defence and first audience. Communicate fast, frequently, and with empathy.
- Map your brand’s elasticity. Understand your reputational capital; don’t assume forgiveness.
- Shift your mindset: cyber is a comms issue. Reputational resilience starts in the boardroom, not just in IT.
The most dangerous AI hack breaks trust. By understanding this, and by treating cyber resilience as a truly cross-functional, human-centric challenge, organisations can build far more robust defences for the digital age.