
Virtual Kidnaps, Fake CFOs: Social Engineering Defense in the Age of AI (with Dr. Jessica Barker MBE)

Voice clones, virtual kidnaps, and fake CFOs on Teams - broken down with practical defenses. Dr. Jessica Barker joins Eliot Baker to turn emotions, culture, and verification into controls.

Show Notes

Voice clones and live-meeting deepfakes have collapsed the gap between “that would never happen here” and “finance just sent the wire.” In this episode, host Eliot Baker sits down with Dr Jessica Barker MBE to discuss her book, 'Hacked', and to dissect two escalating threats: virtual kidnaps by voice clone and executive impersonation on Teams/Zoom.

Read the full guide to social engineering defense.

What you’ll learn in this episode:

  • How virtual kidnapping scams use short audio to clone a loved one’s voice and what the attackers really want
  • Why emotions (panic, urgency, flattery) are the exploit, and how to train the “pause-verify” reflex
  • A breakdown of the fake-CFO-on-Teams play, and the checks that stop it
  • How to design culture as a control: empathy, non-judgmental reporting, and faster incident response
  • Story-first, stats-supported communication that changes behavior (not just awareness)
  • What to teach employees’ families about clone calls without fearmongering

Timestamps:

(00:00) Introduction and Welcome

(00:24) Dr. Jessica Barker's Background in Cybersecurity

(01:47) Receiving the MBE: An Honor in Cybersecurity

(03:44) The Importance of Storytelling in Cybersecurity

(06:37) Real-Life Cybersecurity Stories

(11:42) The Rise of AI and Deepfake Threats

(21:56) Combating Social Engineering Attacks

(26:53) Effective Communication in Cybersecurity

(33:40) Key Takeaways for Security Awareness Leaders

(36:47) Conclusion and Final Thoughts

Resources:

Host links:

Eliot Baker: https://www.linkedin.com/in/eliotebaker/

Dr Jessica Barker: https://www.linkedin.com/in/jessica-barker/

Full Conversation Breakdown

In this episode of All Things Human Risk Management, host Eliot Baker is joined by Dr. Jessica Barker, MBE to dissect two fast-rising threats - voice-clone “virtual kidnaps” and live-meeting executive impersonation - and the human defenses that actually work when people are stressed.

The new social engineering reality

Attackers don’t need much audio to clone a voice, and deepfaked “CFOs” can now appear credibly on Teams/Zoom. The playbook blends cheap AI with old-school cash pickups and urgency.

“A few seconds of audio is enough to create a convincing clone.”

Emotions are the exploit

Panic, urgency, and flattery drive mistakes. Teach people to detect their own state first, then act.

“Look for communications that make you feel something - then slow down and verify.”

Culture as a control

Empathy isn’t “soft.” It accelerates incident response by increasing early reporting and reducing shame.

“Psychological safety turns near-misses into fast containment.”

Verification beats persuasion

Out-of-band checks stop both clone calls and fake-CFO meetings. Normalize the pause.

  • Pre-agree money-move protocols (dual control, known-number callbacks).
  • Ban approval via chat/video alone.
  • Use code phrases or pre-shared signals for high-risk requests.

“Trust the pause, not the voice.”

Story-first, stats-supported comms

Stories stick; stats validate. Use one story, one ask, one action per touchpoint to avoid overwhelm.

“Simplify without dumbing down - make the next step obvious.”

Extend protection to home

Employees and families are targets. Provide a one-page “clone-call” script and refrigerator checklist.

  • “If you get a distress call: Hang up → call known number → alert security/police.”
  • Teach kids/parents the callback rule.

What to train (and measure)

Shift from completion to capability under pressure.

  • Train: pause-verify reflex, out-of-band habits, reporting without blame.
  • Measure: time-to-report, verification rate before money/data actions, recovery after near-miss.

“Completion shows who watched; verification shows who’s safer.”

Bringing leadership along

Translate behavior metrics into risk language (fewer incidents, faster containment, smaller losses). Pair dashboards with one memorable story.

“Don’t just show numbers - show how a verification habit prevented a transfer.”

Takeaways you can implement this quarter

  1. Ship a verification playbook (money/data changes require callback to a known number).
  2. Launch a “trust the pause” micro-campaign (one behavior, repeated).
  3. Add a clone-call family guide to your security portal.
  4. Update incident comms to reward early reporting - no blame language.
  5. Replace vanity KPIs with verification rate, time-to-report, and recovery metrics.