Deepfake Scams: When Your Mother's Voice Isn't Your Mother

Deepfake scams are stealing lakhs by impersonating family members via AI-generated voice and video. Learn how they work and how to protect yourself.

CyberSathi Desk · AI-assisted · editorially reviewed

The Call That Wasn't

Hyderabad, a Tuesday evening in March. Rajesh's phone rang. His mother's voice came through—unmistakable, familiar, the exact cadence of her worry when she calls. "Rajesh, there's been an accident. Your brother is in the hospital. I need ₹3 lakhs for the surgery. Right now."

He sent the money in twelve minutes.

It was not his mother. It was a machine that had learned to sound like her.

This is not a hypothetical. This is the deepfake scam — and it is no longer the future. It is happening now, across India, and most of us do not yet understand what we are dealing with.

How This Works (The Technical Reality)

A deepfake scam starts with data. Usually your data. A scammer needs perhaps thirty seconds of your voice — a WhatsApp message, a YouTube video, an old audio recording — to feed into an AI tool. These tools are not locked away in some laboratory. They are available online, often for free or for a few hundred rupees.

Within hours, the AI has learned the acoustic signature of your voice: the pauses, the stress patterns, the way you slide from one vowel to another. It does not need to understand language. It needs only to reproduce sound.

Then the scammer calls your family member. The victim hears what sounds like you. The panic is immediate. Money moves. The scammer vanishes.

The video version is more elaborate but follows the same path. A scammer collects photographs — from your Instagram, your Facebook, your WhatsApp profile picture, surveillance footage if they can acquire it. Modern AI tools like DeepFaceLive or Synthesia can now generate video that fools the eye. A few minutes of rendering, and your face is saying things you never said.

I felt naive writing that. I have been in this field for eighteen years. I should have seen this coming. I did not.

The Bangalore Case That Changed Everything

In late 2023, a Bangalore-based IT manager received a video call. It was his boss — or appeared to be. The call lasted three minutes. The boss asked him to process an urgent wire transfer: ₹49 lakhs to a vendor account. The manager hesitated. The boss grew impatient. "I do not have time for this. Just do it."

He did it.

It took him four hours to realize the video was synthetic. By then, the money had moved twice. It was recovered only partially, after an NCLT intervention that took eight months.

What strikes me about this case is not the technical sophistication. It is the social engineering layered on top. The scammer did not just make a good fake. The scammer also did the homework: knew the corporate hierarchy, knew the urgency triggers, knew that the victim would feel awkward questioning his boss on a video call.

The technology was the tool. The psychology was the weapon.

Where This Becomes Terrifying

Right now, a deepfake scam requires effort. The scammer must locate you, gather your data, generate the content, execute the call. It is still a bespoke fraud — custom-made for each victim or small group.

But the tools are improving. The cost is dropping. Within the next two years, I believe — and I say this without drama — we will see deepfake attacks at scale. Mass-generated calls to thousands of households simultaneously. The personalization will be minimal: just a name, a voice, a script. The conversion rate may be one per cent. But one per cent of ten thousand calls is one hundred victims. Each losing, on average, ₹2 lakhs.

That is ₹2 crores in a single campaign.

And here is the part that keeps me awake: the victim will have heard proof. Not a text message that could be spoofed. Not an email that could be forged. An actual voice. An actual video. To a human ear and eye, it will be indistinguishable from the real thing.

Where does that leave you when the bank says, "But you authorized the transfer"?

The Preventive Reality (What Actually Works)

I want to be clear about something: there is no technical solution to this problem that works for everyone. Biometric authentication helps, but not all banks offer it, and not all users have access. End-to-end encryption on calls is good practice, but it does not prevent the video deepfake that comes through WhatsApp.

The prevention is behavioural. And it is hard.

When my mother calls with an emergency, I do not want to verify her identity. I want to help her. That is the crack the scammer exploits.

So here is what I have learned works, in practice:

The Out-of-Band Verification. If someone calls you with an urgent financial request — especially someone you trust — hang up. Call them back on a number you know is theirs. Use a different communication channel. "I just got a call claiming to be you. Was that you?" Nine times out of ten, it was not.

The Hesitation Reflex. Train yourself to hesitate. Not paranoia. Just a pause. An extra ten seconds. "Before I send this money, let me confirm one more time." Scammers operate on urgency. They burn through it. If you slow down, they often drop the call and move to the next target.

The Trusted Circle. Identify three to five people in your life — a spouse, a parent, a sibling, a close friend — and establish a code word or secondary verification method with them. "If anyone calls claiming to be me with an emergency, ask them for the code word." It takes five minutes to establish. It could save lakhs.

The Institutional Safeguard. Talk to your bank. Ask about withdrawal limits for emergency transfers. Many banks allow you to set a lower daily limit for large transactions. Yes, this is friction. Friction is what you need.

The Regulatory Failure

I should note what is not happening: the RBI has not issued specific guidelines on deepfake fraud. CERT-In has issued advisories, but they are generic. Your bank does not have a deepfake-specific fraud protocol.

Why? Because this is still considered a niche problem. "It hasn't happened to enough people yet," I was told by a senior official at a major bank last month. I resisted the urge to ask what the threshold was — one thousand victims? Ten thousand? A crore rupees?

The regulatory framework is moving at a different speed than the technology. By the time there is a law, there will be ten thousand victims instead of a hundred.

A Moment of Recognition

Here is what I want you to feel, reading this: not fear. Recognition.

You already know someone who could fall for this. You already know the scenario where you might fall for it yourself. The call at 11 p.m. Your child's name on the screen. Your parent's voice saying they need money. Your boss's face asking you to process a transfer.

The scammer is not a genius. The scammer is simply using tools that have become available, tools that exploit a gap between what we have learned to trust (the voice of a loved one, the face of an authority figure) and what is now possible to fake.

That gap is closing. Your only advantage right now is knowing it is closing.

What You Can Do Right Now

  1. Test your out-of-band verification today. Call a family member. Tell them you are testing something. Propose a money transfer. See if they follow the protocol. If they don't, discuss it now — not in a panic.

  2. Set up a trusted circle code word. Pick three people. Send them a message: "If anyone calls claiming to be me with an emergency asking for money, ask them for [code word]." Takes two minutes.

  3. Check your bank's transaction limits. Log in to your account. See if you can set a daily or transaction-specific limit. If you can, lower it by ten to fifteen per cent. This creates friction that buys you time.

  4. Review your social media privacy settings. Reduce public visibility of photographs, videos, and voice recordings. The more data available, the easier the synthesis. Make this hard work.

  5. Talk to your parents, grandparents, and anyone vulnerable in your circle about this specific threat. Do not use the word "scam". Use the word "deepfake". Explain it like this: "Someone can now make a video or a recording that looks and sounds exactly like me. If I call you with an emergency, you should verify it by calling me back on a number you know is mine."

  6. Save your bank's fraud number in your phone. Not just as a name. Write it down. When you suspect fraud, you may be panicked or disoriented. Having the number written down helps.

  7. Report any deepfake attempt to CERT-In. Even if no money was lost, report it. The data helps build the public record that this is real and growing. Visit cert-in.org.in.

The technology will not slow down. But your behaviour can. Start today.
