Skip to main content
,

Pension scams in 2026: how AI deepfakes are changing the threat to public sector pension members

By

James Heppe-Smith

·

·

12 min read

·

Fact-checked 21 May 2026

Educational, not advice. This guide explains how the rules work. It doesn’t tell you what to do with your pension. For decisions that depend on your circumstances, talk to a regulated adviser or MoneyHelper.

Hand holding a smartphone on a wooden desk showing an incoming call from an unknown caller, with a laptop displaying audio waveform graphics in the background — illustrating the article's theme of AI voice-cloning pension scams.
On this page

What this article covers

  • Does: Explain the current pension fraud threat picture across the UK public service pension schemes, with a specific focus on the new role of AI-generated voice and video deepfakes; set out what scheme administrators are doing about it; and give practical, member-facing steps to protect your pension.
  • Doesn’t: Cover general cyber security or scam prevention. For broader scam guidance, see Action Fraud. For the basics of how each scheme works, see the relevant Pension Plain explainer (links at the end).
  • If you suspect a scam: Stop, do not transfer money, do not share further information, and call your scheme administrator directly using the number on their official website (not a number provided to you by the suspect contact). Then report to Action Fraud on 0300 123 2040.

The pension fraud threat to UK savers has shifted in the last twelve months. The traditional pattern (a cold call offering a “free pension review”, a glossy investment in something exotic, a transfer to a scheme that turns out to be a shell) is still active and still the most common method by which scammers extract money from pension savers. What is new in 2026 is the use of AI-generated voice and video deepfakes to impersonate scheme members when contacting administrators, and to impersonate scheme administrators when contacting members. The Pensions Regulator (TPR) has reviewed more than 1,000 suspicious websites connected to pension fraud since 2021, with stolen losses of around £500,000 reported and a further £2.5 million estimated at risk. The arrival of consumer-grade AI voice cloning has changed the operational picture in two specific ways that public service scheme members should be aware of.

In short

  • UK public sector pension members are attractive targets because defined benefit pensions carry significant transfer values (often six-figure sums) and the schemes hold valuable personal data.
  • The new attack vector in 2026 is AI voice deepfakes. Scammers use 30 seconds of voice from a social media video or voicemail greeting to clone a member’s voice, then call the scheme administrator to request a bank-details change or transfer.
  • TPR has reviewed over 1,000 suspicious websites since 2021 in connection with pension fraud, with reported losses of around £500,000 and further sums of around £2.5 million assessed as at risk.
  • Public service scheme administrators (NHSBSA, MyCSP/Capita, Teachers’ Pensions, LGPS administering authorities, Veterans UK, police and firefighter pension administrators) will never call you and ask for your personal details. If you receive such a call, hang up and call the scheme back on the published number.
  • The single most useful protective step is to have a scheme verification procedure in mind before you receive any unexpected pension contact: know how your scheme administrator normally communicates, know what they would and would not ask for, and have the official phone number saved separately from any contact details that arrive in an inbound message.

Why public service pension members are targets

Members of the seven main UK public service pension schemes (NHS, Teachers, Civil Service, Armed Forces, Police, Firefighters, LGPS) are particularly attractive to scammers for three reasons.

  • The transfer values are large. A defined benefit pension built up over a public service career typically carries a cash equivalent transfer value (CETV) in the six-figure range. Even partial transfers can move substantial sums. A scammer who can engineer a transfer out of a public service scheme into a fraudulent receiving arrangement has access to the entire CETV in one transaction.
  • The data is rich. Public service scheme administrators hold detailed records: full name, date of birth, National Insurance number, addresses going back decades, employment history, bank details, beneficiary nominations. A scammer who can extract a complete record from a scheme administrator has the raw material for identity theft well beyond the pension transaction itself.
  • The administrative complexity creates cover. Public service schemes have ongoing administrative correspondence with members about McCloud, pension dashboards, contribution changes, scheme rule updates, and (for many schemes in 2026) recovery plan updates following administration crises. A fraudulent contact dressed as administrative communication is easier to disguise as legitimate than a cold investment pitch.

The AI deepfake angle: what’s new in 2026

AI voice cloning has been a research-grade technology for several years. The change in 2026 is that the tooling has become consumer-grade. Open-weight voice cloning models, hosted commercial services, and mobile-app implementations all now produce convincing voice clones from as little as 30 seconds of sample audio. Sample audio is readily available: a public LinkedIn video, a podcast appearance, a voicemail greeting, a recorded webinar from a professional development context. Members who have any online voice presence are exposed.

Two attack patterns have emerged that specifically affect pension members:

Pattern 1: Member impersonation to the scheme

The scammer obtains a voice sample of the member, clones the voice, and calls the scheme administrator’s helpline. Using personal details obtained from a previous data breach, social engineering, or public records, the scammer passes the standard caller verification and requests a change of bank details (so future pension payments go to the scammer’s account), a transfer quote, or a copy of recent correspondence (to refine further attacks). Some attempts request a one-off lump sum to a “new” account, framed as part of a McCloud arrears payment or a CETV.

Scheme administrators have responded by tightening verification procedures (multi-factor authentication, callback on file numbers, two-person sign-off for material account changes), but the success of the attack depends on whether the scheme can detect a cloned voice. Detection is improving but not yet reliable enough to act as a sole defence.

Pattern 2: Scheme impersonation to the member

The scammer impersonates the scheme administrator (or a related official body: TPR, MoneyHelper, HMRC, the Pensions Ombudsman) in a phone call to the member. Voice cloning produces a credible “scheme spokesperson” voice; the call references real recent scheme news (a McCloud RSS, a contribution change, a known administration delay) to establish credibility; the call concludes with a request for the member to confirm their personal details, change their password, transfer their pension to a “secured” arrangement, or “verify” their identity through a link sent by SMS.

This pattern is dangerous because it exploits members’ legitimate concerns about ongoing scheme issues. An NHS pension member worried about their McCloud RSS, a civil servant frustrated by Capita administration delays, an LGPS member tracking the pool transition, are all in a state of heightened attention to scheme communication, which the scammer uses as cover.

What scheme administrators will never do

The single most useful defence is to know what your scheme administrator will and will not do. The following list is true across all the major UK public service schemes:

  • Will not call you out of the blue asking you to confirm your bank details, password, or full National Insurance number. Inbound verification is always initiated by the member, not the scheme.
  • Will not text or email you a link asking you to log in via that link. If you receive a message from your scheme, navigate to the official member portal yourself, separately, from a saved bookmark.
  • Will not ask you to pay a fee to release your pension, to receive an arrears payment, to expedite your McCloud case, or to “unlock” your pension. There are no fees of this kind in any UK public service scheme.
  • Will not ask you to transfer your pension to a “secure” or “approved” alternative scheme in response to administrative issues. Scheme administration problems are not solved by member transfers; they are solved by the scheme fixing its administration.
  • Will not send a courier to collect documents or cards from your home, regardless of how urgent the call sounds.

If a contact asks you to do any of these, it is a scam. The level of conviction in the caller’s voice (which is what the AI deepfake produces) does not change that.

Practical steps to protect your pension

Five steps that work across all the public service schemes:

1. Save your scheme’s official phone number separately

Find your scheme administrator’s main published phone number from the official scheme website (NHSBSA, MyCSP, Teachers’ Pensions, your LGPS administering authority, Veterans UK, the police or firefighter pension administrator). Save it in your phone as a known contact. If you ever receive an inbound call claiming to be from the scheme and you have any reason to doubt it, hang up and call the saved number to verify. Real scheme staff will not be offended.

2. Use the scheme’s verified online portal as your primary channel

Register your account on the scheme’s member portal (NHS Pensions hub, Civil Service Pension Portal, Teachers’ Pensions MyPension, your LGPS portal, Defence Business Services for AFPS members) and verify your identity through the portal’s standard process. Once verified, the portal is the safer channel for receiving statements, making nominations, and tracking your case. It removes the need to confirm personal details by phone or email.

3. Audit your online voice presence

If you have voice recordings publicly available (LinkedIn video posts, podcast appearances, recorded webinars, voicemail greetings using your real voice), be aware that they are usable as voice cloning samples. You do not need to remove all of them, but you can: shorten or remove voicemail greetings that use your real voice; review which audio content is necessary for your professional profile and which is not; and consider whether your professional bio includes the kind of personal information (date of birth area, employer history, address area) that combined with a voice clone gives a scammer the toolkit for impersonation.

4. Set up a family verification phrase

One specific subset of the deepfake threat is impersonation of family members. If a scammer clones the voice of a member’s adult child or spouse and uses it to make an urgent “need money now” call to the member, that is functionally the same scam family scammers have always run, but with a much more convincing voice. A simple defence is a verification phrase: a question or word your family agree in advance that any urgent call must include. If the call does not include the phrase, treat it as fake regardless of how convincing the voice sounds.

5. Know the formal reporting routes

If you suspect you have been targeted by a pension scam, two reporting routes apply. Action Fraud (0300 123 2040 or actionfraud.police.uk) takes all UK fraud reports and feeds them to the National Fraud Intelligence Bureau. The Financial Conduct Authority Warning List (fca.org.uk/scamsmart) lets you check whether a firm contacting you is regulated and whether it has been flagged as a scam vehicle. If money has actually moved, contact your bank immediately to attempt to recall the payment, then report to Action Fraud and to your scheme administrator. If your personal pension data has been accessed, report to the Information Commissioner’s Office and to your scheme administrator.

What scheme administrators and regulators are doing

TPR has used multiple “every touchpoint” warnings to trustees and administrators through 2025 and 2026, instructing schemes to ensure scam warnings appear in all member-facing communications. The Fraud Minister’s April 2026 speech reinforced that schemes have a duty to use every contact with members to warn about scams, not only to advertise scheme services.

Scheme administrators are tightening verification procedures: multi-factor authentication on portal logins, callback procedures for material account changes, two-person sign-off for bank-detail amendments, and (in some schemes) explicit anti-deepfake voice analysis on inbound calls. The technical defences are improving but are not yet uniform across all administrators. The member’s role is to assume defences may fail and to act accordingly: do not rely on the scheme catching the scammer, rely on your own verification before sharing details.

The Financial Conduct Authority continues to publish its ScamSmart Warning List, which is updated as suspected scam firms are identified. Members planning a transfer or considering any unsolicited investment offer should check the list before acting.

Common questions

How can I tell if a voice on a phone call is AI-generated?

Increasingly, you cannot. Consumer-grade voice cloning in 2026 is good enough to pass casual human inspection in most cases, particularly over a phone line where audio quality is already reduced. The defence is not “can I detect the deepfake” but “do I know the caller is who they say they are by some channel other than their voice.” That means using a callback to a saved number, a verification phrase, or a portal-mediated process rather than relying on voice recognition.

I had an unsolicited call about my pension. What should I do?

Take three steps. (1) Hang up. Do not provide any further details, do not confirm or deny any information the caller mentions, do not click any link they offer to send. (2) Call your scheme administrator on the official number you have saved (not any number the caller provided) and ask whether the scheme has made any recent outbound contact about your record. (3) Report the call to Action Fraud on 0300 123 2040 or via actionfraud.police.uk. Include the time of the call, any caller ID information, and what was discussed. Even if no money moved, the report contributes to the pattern data that helps identify the scam operation.

What if I have already given personal details to a scammer?

Contact your scheme administrator immediately on the official number and report what was shared. They will flag your record for additional verification on any future contact. If you shared bank details, contact your bank. If you shared identity details (National Insurance number, address history, date of birth), consider registering with Cifas for fraud protection. Report the incident to Action Fraud and to the Information Commissioner’s Office if your scheme data may have been accessed.

Is my pension safer if I move it to a private arrangement?

No. This is one of the most common framings used by transfer scams. Public service defined benefit schemes are backed by the relevant government department or local authority and are not at risk of insolvency in the way a small commercial scheme could be. Transferring out of a public service scheme almost always reduces your retirement income and exposes you to additional risks (investment risk, scam risk, sequencing risk in retirement). Any contact that suggests your public service pension is “at risk” and should be moved is itself a warning sign.

Does the Pensions Ombudsman handle scam complaints?

The Pensions Ombudsman handles complaints about how a pension scheme or provider has been administered, including cases where the scheme failed to follow proper verification procedures and a transfer was made fraudulently. It does not investigate the criminal scam itself (that is Action Fraud’s role) but it can determine whether the scheme administrator should have prevented the transfer. See our forthcoming guide to using the Pensions Ombudsman as a public service scheme member.

Pension Plain’s take

The arrival of consumer-grade voice cloning does not change the fundamental shape of pension fraud. Scammers still want the money. The transfer remains the high-value exit point. The legitimate scheme administrator never calls out of the blue asking for personal details. What has changed is the quality of the social engineering layer. A voice that sounds exactly like your son, your spouse, your scheme’s helpline officer, or the head of HMRC’s compliance team is now within reach of any actor with a laptop. Whatever conviction you used to take from voice recognition is no longer reliable evidence.

The good news is that the defences have not changed either. The five-step list above (saved official number, portal-mediated communication, audit of voice presence, family verification phrase, formal reporting route) is the same advice that has worked against pre-AI pension scams. It works against AI-enabled ones too. The only adjustment is that members should not rely at all on their ability to recognise a voice. The voice can be cloned. The verification channel cannot be cloned, if you use a separate one.

Scheme administrators will also have to keep moving. The schemes that have invested in robust verification procedures and tight bank-detail-change controls will be harder to attack. The schemes that rely on knowledge-based authentication (“confirm your address and date of birth”) will see a higher fraud rate as the data needed for that authentication becomes increasingly easy to assemble from prior breaches and public records. TPR’s “every touchpoint” framing is the right one for schemes. For members, the equivalent framing is “every verification channel”: never accept a single voice or message as proof of identity for a meaningful pension action.

Information, not advice. This article describes the current pension fraud threat picture and practical member-protection steps. It is not regulated financial advice. If you suspect you have been targeted, contact your scheme administrator on the official number and report to Action Fraud on 0300 123 2040. Pension Plain is not authorised or regulated by the FCA.

Key official sources

Fact-checked: 21 May 2026 · Last reviewed: 21 May 2026

Last updated 12 June 2026

Written by

James Heppe-Smith
James Heppe-Smith is the editor of Pension Plain. He founded The Savvy Investor’s Guide and writes about UK pensions, ISAs, SIPPs and tax-efficient saving. Pension Plain reflects his preference for primary sources and plain English over jargon. He is not an FCA-regulated adviser and Pension Plain does not provide regulated financial advice.