Your exposed data is the raw material for AI scams and deepfakes

Q: How much voice does a scammer need to clone someone?

Less than you'd hope. Open-source voice-cloning models published in 2023-2024 reliably clone a recognizable voice from 3-10 seconds of clean audio. Production voice-cloning services need slightly more (30-60 seconds) for higher fidelity. The threshold has been crossed where any public-facing person who has given a podcast interview, a video conference recording, or even a long voicemail message has provided enough source audio.

In short

Voice cloning is the realistic threat for most people in 2026. Open-source models clone a recognizable voice from 3-10 seconds of clean audio. A podcast appearance, a recorded talk, or a long voicemail is enough source material.
AI-generated phishing has eliminated the obvious tells. No "Dear Sir/Madam," no broken English, no pixelated logos. Modern AI writes fluent, contextually appropriate copy — personalized to your name, employer, and recent activity — at near-zero cost per message.
The defense is cutting the supply chain, not detecting AI. Attackers personalize with data they pull from people-search sites and social profiles. The less of yours is out there, the less convincing their targeting gets.

6 min read Last reviewed May 2026 Free scan available

What changed in 2023-2026

Three technical shifts have reshaped social-engineering threats:

Voice cloning crossed the consumer threshold. Both commercial and open-source voice-cloning tools can now clone a voice from seconds of audio. Quality went from obviously synthetic to recognizable-by-the-person's-mother in two years — and the best tools are widely available.
Large language models eliminated the grammar tell. Phishing emails used to be detectable by clumsy English and weird formatting. Modern AI writes fluent, professional, contextually appropriate copy in any language at near-zero cost per message.
Generative video became cheap enough for targeted use. Deepfake video still costs meaningful compute per minute, so it concentrates on high-value targets — CEO impersonation calls, public-figure disinformation, non-consensual intimate imagery. Not yet a mass-consumer threat, but the trajectory is clear.

The named scam categories worth knowing

Voice-clone "family emergency" scams. The "grandparent scam" was a long-running phone fraud (caller claims to be a grandchild in distress, demands wire-transferred bail money). AI voice-cloning eliminates the luck factor: the scammer plays a cloned recording of the grandchild's actual voice. FTC reported substantial growth in this category since 2023.

CEO-impersonation wire-transfer fraud. Pre-AI, the attacker emailed a fake "urgent" wire-transfer request from a spoofed CEO address. Post-AI, the attacker can place an actual voice call from a cloned CEO voice or a deepfaked video call. Hong Kong reported a $25M wire-transfer fraud in early 2024 attributed to a deepfaked CFO video call.

Romance and "pig-butchering" scams. Long-form fraud where the attacker builds a romantic or friendship relationship with the victim over weeks or months before introducing the "investment opportunity." AI lets one operator run dozens of relationships simultaneously with persuasive personalized messages. FTC's 2024 data showed romance scams as a major loss category.

Spear-phishing at scale. Traditional spear-phishing required manual research per target. AI automates the research (LinkedIn + broker data + recent news) and the writing. The result: spear-quality phishing at mass-mailer scale.

Non-consensual deepfake imagery. Distinct from financial scams. Documented harms include deepfake intimate imagery of public figures and (more disturbingly) ordinary people, often students or coworkers. Several states have passed laws specifically criminalizing non-consensual deepfake imagery; federal legislation is in progress.

AI scams run on the same personalization data social engineers have always used. Your name, employer, family members, and address — all pulled from people-search sites before the first call is placed. A free Delist scan shows exactly what's out there on you.

Run my free exposure scan →

Where Delist helps (and where it doesn't)

To be clear about the limits: Delist doesn't detect scams in flight, doesn't filter your inbox, doesn't validate voice calls. We're not an inline anti-fraud tool.

What we do is remove the data attackers personalize with. The less of your name, employer, recent location, family members, and history is on people-search sites, the less effective auto-generated targeting is. An attacker who can't quickly look up "what's the name of Jane's daughter and where do they live" has to work harder or move to a less-defended target.

The realistic defense stack for AI-era scams:

Cut the personalization fuel. Remove your personal information from people-search sites and data brokers. Our removal hub covers how — Delist handles it on autopilot for subscribers.
Set verification rituals with family. A pre-agreed safe word for genuine emergencies. Doesn't matter how good the voice clone is if the caller can't say the word.
Treat urgency as a red flag. Most legitimate emergencies don't require wire transfers in 10 minutes. The urgency itself is the social-engineering hook.
Verify through a different channel. If you get an urgent call from "your bank," hang up and call the number on your card. If you get an urgent message from your CEO, walk to their desk or call their known number.
For executives and high-profile individuals: assume voice-cloning is feasible against you and instrument your processes accordingly.

The legal landscape (as of 2026)

Several US states have passed laws targeting specific AI-scam harms:

Non-consensual deepfake imagery — criminal statutes in California, Texas, New York, Virginia, and several other states.
Election-related deepfakes — restrictions in CA, MN, MI, TX, and others, with disclosure or outright-prohibition requirements.
Voice cloning for fraud — covered by existing wire-fraud, impersonation, and theft statutes federally and at the state level.

Federal legislation has been proposed multiple times (NO FAKES Act, DEFIANCE Act). None has passed as of 2026. The patchwork continues.

What to do if you've been targeted

For financial fraud (voice-clone, CEO impersonation, romance scam):

Stop sending money or information immediately. Even mid-flight.
If you sent money, contact your bank and any wire-transfer service within minutes. Recovery odds drop rapidly past the first hour.
Report to the FBI's IC3 (ic3.gov) and to the FTC at reportfraud.ftc.gov.
Preserve all communications — emails, voicemails, call logs, text messages. Evidence matters for both recovery and prosecution.

For non-consensual deepfake imagery:

Report to the hosting platform. Most major platforms have specific deepfake-removal policies.
For intimate imagery: the Cyber Civil Rights Initiative (cybercivilrights.org) maintains a crisis helpline and removal resources.
If you're in a state with a specific deepfake law, file a police report citing that statute.
Consider a defamation attorney for civil action against named participants.

Frequently asked questions

How much voice does a scammer need to clone someone?

Less than you'd hope. Open-source voice-cloning models reliably clone a recognizable voice from 3-10 seconds of clean audio. Production voice-cloning services need slightly more (30-60 seconds) for higher fidelity. The threshold has been crossed where any public-facing person who has given a podcast interview, a video conference recording, or even a long voicemail message has provided enough source audio.

Are AI scams actually more effective than human-written scams?

Mixed evidence. AI-written phishing has higher grammar quality, which raises baseline click-through rates. AI-generated personalization (your name, employer, recent topics) raises rates further. But targeted human attackers are still more dangerous to high-value targets — the AI advantage is scaling moderately-targeted attacks to millions of people, not surgically taking down individuals.

What's the "grandparent scam" and how has AI changed it?

The grandparent scam is a long-running phone scam where the caller claims to be a grandchild in distress and demands wire-transferred bail money. The pre-AI version relied on luck. AI voice-cloning eliminates the luck: the scammer clones the grandchild's actual voice from public audio. The FTC has reported substantial growth in this scam category since 2023.

Do I need to worry about deepfake video?

Depends on your threat profile. Most people aren't targeted by individualized deepfake video — the production cost (even with AI tools) is still meaningful per victim. The cases that have appeared: executives targeted with deepfaked CEO video calls, public figures targeted with deepfake porn, political figures targeted with disinformation deepfakes. For most consumers, deepfake voice is the realistic threat.

How does removing my data from brokers help against AI scams?

It removes the personalization material. AI scams scale because the AI can compose convincing personalized messages cheaply — but only if it has data to personalize with. Your name, employer, recent location, family members, and life context come from data brokers and social profiles. The less of that an attacker can pull, the less effective their auto-generated personalization.