When the voice on the phone isn’t your member

When OpenAI CEO Sam Altman told bankers at a Federal Reserve event last summer that it is now “crazy” to rely on voiceprint authentication, it was not a theoretical warning. At Michigan State University Federal Credit Union, the reality had already arrived. After deploying AI-powered call-screening technology in 2024, the credit union identified $2.57 million in fraud exposure from deepfake calls in a single year—nearly a quarter of a million dollars a month in AI-powered attacks that could have slipped past human ears undetected.

That figure is a preview of a much larger wave. Globally, deepfake-enabled fraud caused more than $200 million in losses in the first quarter of 2025 alone, according to Resemble AI. Fraud cases involving AI-generated deepfakes have risen more than 2,000% in three years, and the Deloitte Center for Financial Services projects that generative-AI fraud losses in the United States could reach $40 billion by 2027.

For credit unions, dependent on personal relationships and member trust, these numbers carry a special urgency. The same closeness that makes a credit union different from a big bank is precisely what AI-driven fraudsters are learning to exploit.

The new anatomy of an AI attack

AI does not invent entirely new types of fraud. It makes the old playbook faster, cheaper, and devastatingly more convincing. A KnowBe4 analysis of 272,000 phishing emails found that 82.6% showed signs of AI involvement, and phishing volumes jumped more than 17% from September 2024 through February 2025. These are not the clumsy scam emails of a decade ago. They are polished, personalized, and capable of slipping past traditional security filters.

Voice cloning has emerged as a particularly potent weapon. Modern AI tools need only a few seconds of audio from a social media video or a voicemail greeting to produce a convincing replica. Criminals are using these clones to impersonate members during account recovery calls, pose as executives requesting wire transfers, and pressure staff into bypassing verification.  

The threat extends beyond voice. The Financial Crimes Enforcement Network issued a formal alert warning financial institutions about rising suspicious activity tied to deepfake media, including fabricated identity documents and synthetic video used to bypass verification during account openings. FinCEN now requires institutions to tag related suspicious activity reports with a specific deepfake identifier, signaling how seriously regulators view the threat.

Why credit unions face distinct exposure

Credit unions are not simply smaller banks facing smaller versions of the same problems. Call centers and branch staff who pride themselves on knowing members by name and voice are exactly the kind of human-judgment touchpoints that deepfake technology is designed to defeat. When a cloned voice says, “This is Linda, I need to authorize a transfer,” the instinct to help can override procedural safeguards.

Leaner security teams compound the challenge. While large banks deploy dedicated AI fraud units, many credit unions rely on smaller groups covering broader responsibilities. The NCUA’s 2026 supervisory priorities emphasize payment system security and fraud risk governance, reflecting the regulator’s awareness that these pressures are intensifying across the system.

A shifting regulatory landscape adds further complexity. The Federal Financial Institutions Examination Council sunset its Cybersecurity Assessment Tool in August 2025, directing institutions toward frameworks such as NIST Cybersecurity Framework 2.0 and CISA performance goals. Credit unions must now re-evaluate how they measure cybersecurity maturity at a time when the threats themselves are evolving month to month.

Fighting AI with AI, and with process

The MSUFCU example illustrates a critical lesson: AI-powered threats demand AI-powered defenses. The credit union’s deepfake detection system scores calls passively in real time without adding friction—and it cut average authentication time by 58 seconds per call while improving member satisfaction scores. That combination of stronger security and better experience challenges the assumption that fraud prevention must come at the cost of convenience.

But technology alone is not sufficient. Leaders should deploy phishing-resistant authentication or passkeys for privileged accounts. Call centers and branches need updated playbooks that treat deepfake impersonation as routine, with mandatory out-of-band verification for wire transfers, profile changes, and credential resets. FinCEN’s deepfake red flag indicators provide a practical starting checklist for training staff.

Member education matters, too. Simple habits such as “pause before you pay,” verifying unexpected requests through a known phone number, and establishing family code words function as speed bumps against scams that rely on urgency and emotional pressure.

The trust imperative

Credit unions have always earned loyalty by putting people first. In an era when a three-second audio clip can be weaponized into a convincing voice clone, protecting that trust requires a culture shift from boards to call-center agents that recognizes AI-driven fraud as a defining operational risk. The institutions that invest in layered defenses, continuous training, and a willingness to rethink verification habits will be best positioned to keep member trust intact. America’s Credit Unions offers resources, including its Cybersecurity eSchool* and the upcoming Cybersecurity Conference in Austin, to help leaders stay ahead of the curve. 

*Note: The original source no longer exists. Link removed on May 12, 2026.