
In February 2024, I fell victim to a cyber scam. One of my social media accounts was hacked, and shortly afterwards, my relatives and acquaintances began receiving messages, allegedly from me, asking them to transfer money to a bank account. Although the account did not bear my name, several friends and family members were convinced enough to respond.
One of the key factors that made the scam believable was a series of short voice messages, in which "my voice", or at least a voice that sounded very similar, appeared to confirm the requests. It later became clear that the scammers had used a voice-cloning tool to generate audio clips based on my speech, most likely sourced from previous recordings or messages.
The operation lasted around thirty minutes, during which the perpetrators managed to extract approximately €1,000. I realised what was happening when my wife, who was in the same room with me, started receiving the same messages.
I attempted to regain access to the compromised account several times. Although I briefly succeeded by verifying my mobile number, the scammers kept forcing me out. During that short window when I managed to log in, I saw some of the ongoing conversations and immediately called close friends and those the scammers had already contacted, warning them directly. At the same time, I used other social media platforms to alert my contacts about the hack and impersonation. Eventually, I lost access altogether.
Although the scammer activity stopped soon after, it took about a week to fully recover the account with the help of technical support. I have since enabled two-factor authentication to strengthen my security.
According to the FBI's Internet Crime Complaint Center, online scams resulted in record losses of $16.6 billion in 2024, a 33% increase year-on-year. Global estimates align, with cybercrime expected to cost economies $10.5 trillion annually by 2025, driven by phishing, romance scams and business email compromise. Meanwhile, the UN Office on Drugs and Crime reports that victims of cryptocurrency-based investment scams alone lost $5.6 billion in 2023. These scams typically rely on social engineering, such as impersonation, and increasingly on artificial intelligence tools, like deepfake voice technology.
A scam is a deceptive scheme designed to trick individuals, often for financial gain. Cyber scams take place online and include methods such as fraudulent emails, fake websites and impersonated social media accounts. Scammers may contact individuals via email, text message, phone call or social media, typically posing as someone trustworthy to obtain money or personal information.
According to Interpol, cybercriminals increasingly rely on social engineering, the manipulation of human psychology, to deceive individuals into handing over sensitive information or money. In its dedicated analysis of online fraud, Interpol identifies some of the most common types of scams under this category:
- Phishing: deceptive emails or messages that trick recipients into revealing personal or financial information.
- Vishing: similar to phishing, but conducted via phone calls.
- SMShing: fraudulent text messages, often appearing to come from trusted sources like banks or delivery companies.
- Telecom fraud: scams involving spoofed calls or fake technical support.
- Business Email Compromise (BEC): attackers impersonate a trusted business contact to manipulate victims into transferring funds.
- Romance scams: fraudsters build emotional relationships online to solicit money.
- Investment scams: victims are lured with fake investment opportunities promising high returns.
Interpol warns that impersonation tactics are becoming more sophisticated, with scammers now using AI-based voice and image generation to mimic individuals convincingly. These technologies enable fraudsters to create highly realistic messages, calls, or videos that appear to come from someone the victim knows.
Moreover, Interpol notes a concerning trend: the rise of non-traditional actors, such as freelance digital operatives or loosely organised criminal groups, who play key roles in executing and scaling these scams across borders. This diversification makes tracing and dismantling such operations increasingly difficult for law enforcement agencies.
In Luxembourg, the Grand Ducal Police provides comprehensive advice on cyber fraud. It warns against revealing personal data or login credentials, even if the caller appears authentic, and recommends verifying suspicious requests directly with the institution in question.
Additionally, the Luxembourg government advises deleting unexpected SMS or email messages, not clicking on unfamiliar links, and reporting attempts to soc@govcert.etat.lu. It emphasises that public authorities never ask for confidential information via email or text.
Popular social media platforms such as Facebook, Instagram, WhatsApp, X (formerly Twitter) and LinkedIn offer several built-in security features that help reduce the risk of unauthorised access and fraud. Two-factor authentication (2FA) is a widely recommended option, requiring an additional verification step beyond the password. Even if a password is compromised, access is blocked without this second confirmation.
Enabling login alerts helps detect suspicious activity early by notifying users of new sign-in attempts. Most platforms also allow users to check active sessions, showing which devices are currently logged in. Any unfamiliar sessions can be ended immediately.
Adjusting privacy settings to limit profile visibility reduces exposure to impersonation and social engineering tactics. Being cautious about public posts, including photos, location tags and family references, can further lower the risk of misuse by scammers.
In addition to personal vigilance and platform-level security tools, there are several practical measures individuals and organisations can adopt to strengthen digital hygiene.
Many companies today organise internal cyber awareness training sessions and simulated phishing campaigns. These simulations are designed to identify users who may be more vulnerable to deceptive tactics and help improve the overall level of caution within the organisation.
In Luxembourg, official sources such as CERT.LU and Securitymadein.lu regularly publish cybersecurity guidance and alerts on ongoing scam activity. Subscribing to such updates can provide early warnings and promote better preparedness among users.
Password managers such as 1Password, Bitwarden or Dashlane offer an added layer of protection by allowing users to generate and store complex, unique passwords for each account. This practice reduces the risk of unauthorised access due to reused or weak credentials, which are frequently exploited in cyberattacks.
The goal is not fear, but resilience. In the digital age, we are all potential targets, but we can also be better protected.