A phone call from your bank’s fraud department. Your mother’s voice asking for emergency help. Your boss requesting an urgent wire transfer. All three can now be convincingly faked by AI in real time — and 1 in 4 Americans reported being fooled by a deepfake scam call in early 2026, according to research published by Unbox Future.
Voice phishing attacks — phone calls using AI-cloned voices — jumped 442% in the second half of 2024, per Group-IB’s threat intelligence report. AI-generated phishing emails achieve click-through rates more than four times higher than human-written equivalents. And 77% of people who engaged with an AI-enabled scam call lost money, per Vectra AI’s 2026 scam analysis.
The tools to protect yourself exist. Most are free, none require technical expertise, and the highest-return protections take under ten minutes to set up.
Buying and safety note: Pricing, plan limits, privacy terms, and security features change often. Verify the official product page before subscribing, and treat this guide as general information rather than financial, legal, or security advice.
Key Takeaways
- Voice phishing jumped 442% in late 2024 and continues rising in 2026 — AI-cloned voices are now indistinguishable from real ones to the human ear in most calls (Group-IB threat intelligence report).
- The single highest-return protection is a family code word: a pre-agreed phrase your family uses to verify identity before acting on any urgent request — takes two minutes to set up, defeats voice cloning entirely.
- Google launched AI-powered fake call detection for Android 12+ devices in June 2026, flagging likely deepfake voices in real time during a call (TechCrunch, June 2026).
Why AI Scams Are Different in 2026
Traditional scams were detectable: obvious grammar errors, implausible scenarios, generic messages that did not know your name. AI scams in 2026 have eliminated most of those tells:
Voice cloning: With 3–30 seconds of a person’s publicly available audio (from a social media video, a podcast appearance, a YouTube clip), an attacker can generate a real-time voice clone that sounds identical to the original. The FBI issued a specific warning on this in 2025, noting that government officials’ voice recordings were being cloned to impersonate agency heads.
AI-generated phishing emails: LLMs generate contextually aware, grammatically perfect phishing emails in any language, personalised with your name, company, recent news, and plausible scenarios. Detection by eye alone is no longer reliable.
Deepfake video calls: Real-time face-swapping on video calls is now accessible without specialist hardware. In February 2025, a finance employee in Hong Kong was deceived into transferring $25 million after a deepfake video call appeared to show their CFO authorising it — multiple people on the call were faked simultaneously.
AI-generated fake profiles: Romance scams, job offer scams, and investment fraud now use AI-generated profile photos, AI-written backstories, and AI chat agents capable of sustaining weeks of convincing correspondence.
The 10 Protections That Actually Work
1. Set a Family Code Word — Highest Return, Zero Cost
A code word defeats voice cloning entirely. Before any urgent action — money transfers, picking up a family member, sharing account details — anyone who calls you must say the code word. A deepfake voice can sound like your spouse; it cannot know a pre-agreed word that exists only in your family’s memory.
How to set it up: In person (not via text or email), agree on a word or short phrase with family members most likely to be impersonated in an emergency — partners, parents, adult children. Test it once. Keep it simple enough to remember under stress.
This protection costs nothing, takes two minutes, and is recommended by the FBI, AARP, and every major consumer cybersecurity organisation in 2026.
Citation capsule: A pre-agreed family code word is the most effective individual protection against AI voice cloning scams. When a caller (however convincing the voice) cannot provide the code word, the call is immediately suspect. The FBI and consumer protection agencies have recommended this approach specifically in response to the 442% rise in voice phishing in 2024 (FBI alert on AI voice phishing; Group-IB, “The Anatomy of a Deepfake Voice Phishing Attack,” 2026).
2. Slow Down on Urgency — The Scammer’s Core Tool
Every AI scam — phone calls, emails, text messages — relies on manufactured urgency. “Your account is being closed.” “Someone is withdrawing your money right now.” “Mum is in hospital, send money immediately.” The urgency is designed to prevent you from stopping to verify.
The rule: the more urgent the request, the slower you should move. A real bank fraud team will hold your account while you verify. A real emergency can be confirmed with a direct call back. A real employer will not fire you for taking two minutes to confirm an unusual request through a separate channel.
Hang up. Call back the known number — not the one that called you, and not a number provided in the call or message. If the urgency was genuine, you will reach the right person. If the call was a scam, the callback goes nowhere.
3. Enable Google’s Fake Call Detection (Android 12+)
In June 2026, Google launched AI-powered fake call detection in Phone by Google on Android 12+ devices, per TechCrunch’s June 2026 report. The feature analyses audio in real time during a call, flags likely synthetic or AI-generated voice patterns, and alerts you without interrupting the call.
To enable: Open the Phone app → Settings → Caller ID & spam → enable “See caller and spam ID” and the scam call detection option if available in your region. The feature rolls out progressively from Pixel devices first.
For iPhone users, Apple has not released an equivalent as of mid-2026, but the Truecaller app provides caller ID and scam detection across both platforms.
4. Use a Password Manager — Eliminates Credential Reuse
The majority of account takeover attacks use credentials stolen from one breach to access accounts on other services where the same password is reused. A password manager (1Password at $36/year, Bitwarden for free) generates and stores unique, strong passwords for every account — making credential stuffing attacks impossible regardless of how many breaches occur.
Enable two-factor authentication (2FA) on every account that supports it — especially email, banking, and social media. Use an authenticator app (Google Authenticator, Authy) rather than SMS-based 2FA where possible, as SIM-swapping attacks can intercept SMS codes.
Related: best password managers
5. Verify Financial Requests Through a Separate Channel
Never authorise a payment, transfer, or account change based solely on an email, phone call, or text — regardless of how convincing it seems. This applies to:
- Boss asking you to buy gift cards or make an urgent transfer
- Bank calling to confirm your details before stopping fraud
- Family member asking for emergency funds
- IT team requesting your password to fix an issue
The verification protocol: end the current communication, then contact the requester directly through a channel you independently know is authentic — the phone number you have saved, the official company website, or a face-to-face conversation.
6. Use an AI-Enhanced Browser with Scam Detection
Brave Browser (free) blocks known phishing sites, malicious redirects, and trackers before the page loads, using AI-powered pattern recognition built into its Shields system. Microsoft Edge’s SmartScreen and Google Chrome’s Safe Browsing both flag known phishing URLs in real time.
For email, most major providers (Gmail, Outlook) now integrate AI-based phishing detection that flags suspicious emails before they reach your inbox. Enable all security filters in your email settings. Do not disable spam filters — they catch a significant portion of AI-generated phishing campaigns automatically.
7. Monitor Your Identity with Have I Been Pwned
Have I Been Pwned (haveibeenpwned.com) is a free service that checks whether your email addresses have appeared in any of the 13 billion+ records exposed in known data breaches. Set up email notifications — you will receive an alert within hours of a new breach that includes your email, giving you time to change passwords before attackers exploit them.
For more comprehensive monitoring (credit bureau alerts, dark web monitoring, identity theft insurance), paid services like Aura ($12/month) provide broader coverage including financial account anomaly detection.
8. Know the Warning Signs of a Deepfake Voice Call
Even with AI voice cloning reaching near-perfect quality, several tell-tale signs remain in 2026:
Audio quality artifacts: Slight compression artifacts, digital silence between words, or an unusually clean audio quality without ambient background noise. Real calls have some environmental noise; studio-clean calls from a “mobile phone” are suspicious.
Absent natural breathing: AI voices often flow without the micro-pauses and breath sounds of natural speech. Listen for sentences without air gaps.
Instant responses to complex questions: Real people pause to think. AI-generated voices sometimes respond with unnatural immediacy to complex or unexpected questions.
Deflection from verification: When you say “Let me call you back on the number I have for you,” a scammer will usually try to keep the call going rather than readily agreeing to a callback.
9. Use McAfee Deepfake Detector for Suspicious Media
McAfee’s Deepfake Detector (updated for 2026) claims a 96% accuracy rate in flagging AI-generated audio, running locally on compatible devices and processing audio within 3 seconds without sending content to external servers. It is built into select McAfee+ plans.
This is most useful for verifying suspicious video content you have received — not for real-time call protection (the Google Phone feature covers that on Android). Before sharing or acting on a video that seems off, run it through a deepfake detection tool.
10. Enable Login Alerts on All Financial Accounts
Most banks, investment platforms, and major financial services offer instant login alerts — a notification whenever your account is accessed from a new device, at an unusual time, or from a new location. Enable these on every financial account you hold.
Pair this with account freeze features: most South African banks (Capitec, Standard Bank, FNB, Nedbank, Absa) allow you to freeze and unfreeze your card via the banking app in seconds. Freeze your card when you suspect compromise; unfreeze it when ready to transact. This limits damage from credential theft that you have not yet detected.
The Most Common AI Scams in 2026 — Quick Reference
| Scam Type | How It Works | Red Flag | Protection |
|---|---|---|---|
| AI voice call | Clones family/bank voice | Urgent request for money or info | Family code word, call back |
| CEO/boss email | AI writes authoritative message | Unusual urgency, unusual request | Out-of-band verification |
| Deepfake video call | Real-time face swap on Zoom/Meet | Pixel glitching, requests for sensitive info | Verify separately before acting |
| AI phishing email | Perfect grammar, personalised content | Urgency + link to click | Don’t click — go directly to site |
| Romance scam | AI persona sustains weeks of chat | Rapid emotional escalation, never meets | Reverse image search, video call |
| Investment AI fraud | AI promises guaranteed returns | Unrealistic returns, unregulated platform | Verify FSCA registration (SA) |
| Job offer scam | AI creates fake recruiter profile | Requires upfront payment | Never pay to get a job |
Frequently Asked Questions
How can I tell if a voice call is AI-generated?
The most reliable method is not analysing the voice — it is a procedural one. Hang up and call back on a number you independently know (from your bank card, from a saved contact, from the company’s official website). If the call was genuine, you reach the right person. If it was a scam, the callback either goes unanswered or reaches something different. Do not try to detect synthetic voices by ear — the best 2026 models are undetectable without software analysis.
What should I do if I think I have been scammed?
Act immediately in this order: (1) Change passwords for any accounts that may have been compromised, starting with email. (2) Call your bank’s fraud line (on the number on your card, not one you were given by the scammer) and request a card freeze and transaction review. (3) Report to your country’s cybercrime authority — in South Africa, this is the South African Police Service (SAPS) and the South African Banking Risk Information Centre (SABRIC). (4) File a report with the FTC (U.S.) or the relevant consumer protection agency in your jurisdiction. Early reporting improves recovery outcomes.
Are elderly people more vulnerable to AI scams?
Yes, statistically — but not because of technology unfamiliarity. Research consistently finds that older adults are more targeted by urgency-based scams (grandparent scam, family emergency cloning), more likely to comply with authority figures (fake bank representatives, fake police officers), and less likely to report victimisation. The family code word is particularly valuable for older relatives — it requires no technology and works against the most common attack vectors targeting them.
How do AI scammers get my phone number and personal details?
From data breaches (your email or phone number appeared in a leaked database), from data broker websites that aggregate public records, from social media profiles, and from previous phishing attempts that collected your information. Have I Been Pwned shows which breaches include your email. Opt out of major data broker sites (Spokeo, WhitePages, BeenVerified) to reduce your data trail — opt-out requests are tedious but effective over time.
Is South Africa specifically targeted by AI scams?
Yes. South Africa has one of the highest rates of cybercrime victimisation in Africa, per multiple threat intelligence reports. SABRIC (South African Banking Risk Information Centre) has noted significant increases in voice phishing, SIM-swap fraud, and social engineering attacks in South Africa specifically. Nedbank, FNB, Absa, Standard Bank, and Capitec all issue regular AI scam warnings to customers. The protections on this list are universally applicable regardless of country.
AI scams are no longer a niche technical threat — they are a mainstream consumer risk. The protections that work are not technical countermeasures; they are procedural habits: slow down, verify through a separate channel, and never let urgency override a moment’s verification. A family code word, a callback habit, and a password manager cover the majority of the meaningful risk exposure for most individuals in 2026.
Related: best AI cybersecurity tools
Sources: Unbox Future, “The AI Voice Scam Epidemic: 1 in 4 Americans Fooled by Deepfakes,” March 2026 (unboxfuture.com); Group-IB, “The Anatomy of a Deepfake Voice Phishing Attack” (group-ib.com); Vectra AI, “AI Scams in 2026: How They Work and How to Detect Them” (vectra.ai); Keepnet Labs, “Deepfake Statistics & Trends 2026” (keepnetlabs.com); BlackFog, “FBI Warning: AI Voice Phishing” (blackfog.com); TechCrunch, “Google rolls out fake call detection to protect against AI deepfake impersonation scams,” June 2026 (techcrunch.com); Have I Been Pwned (haveibeenpwned.com); SABRIC, South African fraud statistics (sabric.co.za). Retrieved 2026-06-22.