Deepfake-enabled fraud is now generating real losses for businesses worldwide. According to Phoenix Guy, cited in SecurityBrief Australia in December 2025, over $25 million in known deepfake-related fraud was recorded in Australia in the past 12 months. That figure covers reported incidents only, so the actual cost to Australian businesses is almost certainly higher.
For years, deepfakes were treated as a technology curiosity or a problem for celebrities and politicians. That window has closed. The tools to generate convincing audio and video impersonations are now readily accessible, inexpensive, and improving faster than most organisations are responding to them.
Many banks have moved to voice biometrics for phone authentication, matching the caller's voiceprint instead of asking for a PIN or password because it is a smoother experience for customers. The trade-off is that the authentication factor is now the voice itself, something that can be recorded from a public video or a pretext call and then synthesised. That is worth sitting with for a moment.
If your business relies on voice or video for financial authorisation, supplier verification, or executive communication, the way you currently operate those processes carries risk you may not have formally assessed.
What a Deepfake Actually Is, and Why It Works
A deepfake is synthetic media, usually video or audio, generated by artificial intelligence to convincingly replicate a real person’s appearance or voice. Early versions were easy to spot. Current versions, particularly for short, task-specific clips or voice calls, are far harder to detect in real time.
Deepfakes do not succeed against businesses because the victim's technology is weak. They succeed because of social and operational gaps. When a business owner hears their accountant's voice, or a finance team member sees their MD on a video call, the instinct is to trust it. Verification steps that exist for email, such as callback numbers, authorisation codes, and dual approval, are rarely applied to voice and video communication.
Attackers know this. They target the gap between what feels familiar and what is actually verified.
The Three Business Processes Most at Risk
Not all business functions face equal exposure. Based on how deepfake fraud has been deployed in recorded cases, three areas carry the highest risk for Australian SMEs.
Financial authorisation. The most common attack vector. A voice or video impersonating a senior figure instructs a staff member to transfer funds, change account details, or approve an invoice. The urgency is manufactured. The verification step is skipped.
Supplier and vendor verification. A business receives a call or video message that appears to come from a known supplier, confirming a change of bank account, new payment instructions, or a contract variation. This is an established fraud pattern; a deepfake simply makes the impersonation far more convincing.
Executive impersonation for internal decisions. Less common but emerging: an impersonated executive instructs HR, legal, or operations staff to act outside the normal approval chain, for example to release sensitive data, approve a contract, or make a personnel decision.
Each of these depends on a communication channel, voice or video, that most organisations have not built verification processes around.
What Financial Authorisation Controls Need to Look Like Now
The core principle is simple: the method of instruction cannot also be the method of verification. If someone calls to request a payment, the verification cannot happen on that same call.
Practical controls to implement:
- Establish a secondary verification step for any payment or account change above a defined threshold. This means calling back on a number already stored in your systems, not a number provided in the request itself.
- Remove single-person authorisation for any transfer above a set amount. Dual approval creates a checkpoint that slows an attacker down and gives the organisation a second pair of eyes.
- Brief your finance and accounts team explicitly on this risk. The social engineering that makes deepfakes effective depends on staff feeling that asking for verification is awkward or disrespectful of a senior person’s time. That culture needs to change.
- Document what is and is not a valid instruction channel for financial transactions. If your policy says payments over a certain amount require written confirmation via a known internal system, a phone call, however convincing, is not sufficient.
Supplier Verification in a World Where the Voice Can Be Faked
Business Email Compromise (BEC) fraud has conditioned many organisations to scrutinise emails from suppliers about payment changes. The same scrutiny has not yet been applied to calls and video.
The standard advice for BEC, "verify through a separate channel using contact details you already hold", applies directly to deepfake scenarios. If a supplier calls to confirm a new account number, do not act on that call alone. Hang up and call them back using the number in your own records, never a number the caller reads out to you.
Where your business relies on regular supplier relationships with high transaction values, it is worth establishing a shared verification word or confirmation protocol with key contacts. This is not elaborate. It is a brief agreed-upon step that both parties know is part of doing business with each other. Two caveats keep it useful: the word is asked for on the callback you place, not offered or confirmed on the inbound call (a caller who asks "what was our code word again?" is a red flag, not a shortcut), and it should be changed if either side suspects it has been overheard or written down somewhere it should not be.
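To make the controls in this section and the previous one concrete, here is a small policy check written as an added example for this page; it is not code from the article or from any product it mentions. It encodes the rules just described: the instruction channel is never the verification channel, callbacks go only to a number already on file, the verification word is checked on the outbound callback, and transfers above a threshold need two independent approvers plus a written record. The contact directory, names, phone numbers and dollar thresholds are constructed assumptions, chosen only to exercise the rules.

```python
"""Hypothetical payment-authorisation policy check (added example).

Encodes the controls described on the page as explicit rules so that a
request is evaluated against the directory the business already holds,
never against details supplied in the request itself.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed contact directory: numbers and verification words already on
# file. A callback may ONLY be made to these numbers. (Assumed sample data.)
DIRECTORY = {
    "acme-supplies": {"phone": "+61 2 9000 0001", "word": "harbour-42"},
    "md":            {"phone": "+61 400 000 002", "word": "kookaburra"},
}

VERIFY_THRESHOLD = 1_000          # AUD: callback + word required at/above this (assumed)
DUAL_APPROVAL_THRESHOLD = 10_000  # AUD: two approvers + written record (assumed)
INSTRUCTION_ONLY_CHANNELS = {"voice", "video"}  # may carry a request, never verify it


def _digits(number: Optional[str]) -> str:
    """Normalise a phone number to digits so formatting differences do not
    let a near-match through or block a genuine one."""
    return re.sub(r"\D", "", number or "")


@dataclass
class PaymentRequest:
    requester: str                 # who the caller claims to be (directory key)
    amount: float
    channel: str                   # channel the instruction arrived on
    account_change: bool = False   # new bank details or payee change
    callback_number: Optional[str] = None   # number staff actually dialled back
    word_on_callback: Optional[str] = None  # word obtained on that callback
    verified_on_inbound: bool = False       # staff "verified" on the original call
    written_reference: Optional[str] = None # e.g. internal ticket id for the instruction
    approvers: List[str] = field(default_factory=list)


def evaluate(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every failed control is reported, not just
    the first, so a reviewer sees all the gaps in one pass."""
    reasons: List[str] = []
    contact = DIRECTORY.get(req.requester)
    if contact is None:
        return False, ["requester is not a known contact on file"]

    needs_callback = req.account_change or req.amount >= VERIFY_THRESHOLD
    if needs_callback:
        # The method of instruction cannot also be the method of verification.
        if req.verified_on_inbound:
            reasons.append("verification attempted on the inbound call itself")
        if _digits(req.callback_number) != _digits(contact["phone"]):
            reasons.append("callback was not made to the number held on file")
        # The word is checked on OUR outbound call, never volunteered inbound.
        if contact["word"] and req.word_on_callback != contact["word"]:
            reasons.append("verification word missing or wrong on callback")

    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        # The person issuing the instruction cannot count as an approver.
        independent = set(req.approvers) - {req.requester}
        if len(independent) < 2:
            reasons.append("dual approval required: fewer than two independent approvers")
        if req.channel in INSTRUCTION_ONLY_CHANNELS and not req.written_reference:
            reasons.append("voice/video instruction needs written confirmation in the internal system")

    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed scenario: a convincing "supplier" voice call with new bank
    # details, and the caller helpfully supplies a number to "verify" on.
    attack = PaymentRequest("acme-supplies", 8_500, "voice", account_change=True,
                            callback_number="+61 400 999 999",   # attacker's number
                            word_on_callback="harbour-42")
    print(evaluate(attack))   # rejected: callback went to the wrong number
```

The attacker-controlled callback number is the case that matters most: even if the caller knows the verification word, the request fails because staff were steered away from the number on file. Wire this kind of check into whatever records the instruction (ticketing, ERP approval workflow), so the reasons list becomes the audit trail for why a payment was or was not released.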
What Staff Training Needs to Cover
The technical controls only work if the people operating them understand why they exist. Staff training on this issue should be direct and specific, not a generic cybersecurity module.
Cover three things:
First, show them what deepfakes look like. There are publicly available examples of both video and audio deepfakes at varying quality levels. Seeing them makes the risk real in a way that a policy document does not.
Second, give them permission to pause and verify without it feeling like an accusation. Staff who hesitate to verify a call from a senior executive need to know explicitly that the policy supports them doing so. “I just need to run this through our verification process” is not a challenge. It is the right answer.
Third, establish a reporting path. If a staff member receives something that feels off, even if they cannot articulate why, there should be a clear and fast process for flagging it internally. Suspicious calls that are reported quickly can sometimes allow action before funds are moved.
The Broader Picture for Australian Businesses
The $25 million figure from SecurityBrief Australia reflects known, recorded incidents. Fraud researchers consistently note that business fraud is underreported, partly due to reputational concern and partly because many incidents are discovered only after funds are difficult or impossible to recover.
The financial cost is the obvious risk. The operational disruption and the reputational damage of a serious fraud event are often harder to quantify and longer to recover from.
This is not a problem that requires a large technology investment to begin addressing. The most effective first steps are process changes: verification protocols, dual approval requirements, and staff briefings. They cost time to implement, not significant budget.
The businesses most at risk are those treating deepfake fraud as a future problem. It is a present one.
Where to Start This Week
If you are not sure where your biggest exposure sits, start with one question: what is the single highest-value action a staff member could take based solely on a phone call or video instruction from someone they believe to be a known contact?
The answer to that question tells you where to focus first.
From there, draft the verification protocol, set the approval threshold, brief the relevant staff, and document it. It does not need to be complex.
