detectai.media

Voice-clone scam detector: can you catch a cloned voice?

A detector is a useful first-pass screen against a cloned voice, not proof, and on the short compressed phone clip a scam gives you it is at its least reliable.

By The detectai.media team
4 min read
Contents

A detector can help, but it is a first-pass screen, not proof. It can catch known clone systems, and it is least reliable on exactly the kind of audio a scam gives you: a short, compressed, real-world phone clip. Understanding why is the difference between using a detector well and trusting it when you should not.

Can a detector catch a scam voice clone?

Sometimes, and the threat is real. Modern cloning needs only seconds of reference audio to imitate a specific person, and voice-clone fraud against families and companies is already documented. Commercial detectors exist for this, including Resemble Detect, Pindrop Pulse, and the ElevenLabs classifier. The problem is that their architectures are opaque and narrow, so a clean result from one of them is not the reassurance it appears to be. A screen tuned to yesterday’s clone system can miss tomorrow’s, because a detector reads the production fingerprint of the generators it was trained on and little else.

Why do phone codecs make it harder?

Because compression strips the very detail a detector reads, and a scam call has already passed through phone-grade compression by the time you hear it. Negroni, Cuccovillo, Bestagini and colleagues (ICASSP 2026) measured how far a detector’s equal-error rate rises under different codecs:

CodecDetector EER
M4A21.8%
EnCodec29.2%
MP340.9%

MP3, the most common web and phone codec, is the worst, pushing error above 40 percent. A number near that is close to a coin toss, which means a “human” verdict on a compressed clip is weak evidence that the voice is real.

How reliable are the commercial clone detectors?

They are model-specific and easily moved. The ElevenLabs classifier documentation limits it to the first one minute of audio and states it “does not reliably classify ElevenV3,” and it is built to flag ElevenLabs-made speech rather than clones from other systems. In our internal testing, one deployed detector returned a low AI score on a clip we had modified, and a separate music-oriented detector was easy to move as well. Those findings are ours to report; the method behind them stays in-house. The takeaway for a consumer is simple: a single clean score is not safety.

What actually protects you on a suspicious call?

Procedure, not a score. Do not treat a “human” reading as an all-clear, and do not treat a flag as a conviction. Verify through a second channel the caller does not control: hang up and call back a number you already trust, rather than a number the caller gives you. Agree a family or company code word in advance and ask for it, and do not use a secret whose answer is public or guessable, since a scammer may know birthdays, pet names, or workplace details. Above all, slow the money down. Voice-clone fraud runs on time pressure, so if the request is a wire, gift card, crypto transfer, or urgent payment, the correct action is to pause and verify. A detector belongs after the call, in the record, not as the thing you lean on during it.

What about replayed audio, and when is real attribution possible?

A scam does not have to be generated. It can be a replayed real recording, and recognizing the speaker is not the same as knowing the speaker is live: Villalba and Lleida (2011) found that speaker verification alone accepted 68 percent of replayed recordings at its error-balancing threshold, while a dedicated replay check reached 0 to 9 percent equal-error rate depending on the channel. That live-versus-recorded question is covered in how does live deepfake detection work. Genuine attribution is possible only in a forensic setting: source-tracing can attribute audio to the system that made it, reaching 93.3 percent F1 across the 52 generators of the MLAAD benchmark (Klein, Chen, Tak et al., 2024). But that is an examiner’s tool run on clean audio, and the same work shows the fingerprint is disrupted by ordinary post-processing, so a laundered or re-recorded clip returns an unknown rather than a confident answer.

The way to hold all of this together is to picture the detector as a smoke alarm rather than a lock. It is worth having, it can warn you, and it goes off late or not at all on precisely the degraded, unfamiliar audio a real attack delivers. The reliable defense against a cloned voice is not a better score on one clip; it is verifying the person through a channel the cloner does not control. For what a confidence number on such a clip does and does not mean, see is this voice AI-generated.

Sources

  • Negroni, Cuccovillo, Bestagini et al. (2026). Multi-Task Transformer for Explainable Speech Deepfake Detection via Formant Modeling. ICASSP 2026.
  • Klein, Chen, Tak et al. (2024). Source Tracing of Audio Deepfake Systems.
  • Villalba, Lleida (2011). Detecting Replay Attacks from Far-Field Recordings on Speaker Verification Systems. BioID 2011.
  • Jung, Heo, Tak et al. (2022). AASIST: Audio Anti-Spoofing Using Integrated Spectro-Temporal Graph Attention Networks. ICASSP 2022.
  • Yi, Wang, Tao et al. (2023). Audio Deepfake Detection: A Survey.
  • ElevenLabs (2026). AI Speech Classifier.
#audio#voice#scam
Last updated
16 June 2026
Category
Reliability