Imagine your accounts person gets a phone call. It's the director's voice — unmistakable, right down to the way they clear their throat — asking them to urgently push through a payment to a new supplier account before close of business. They do it. The problem is, the director never called. It was AI, and the money is gone.
This isn't a hypothetical for the future. In 2026, deepfake voice and video fraud is one of the fastest-growing threats to Australian businesses, and — contrary to what most owners assume — small and medium businesses are squarely in the firing line. Here's what's actually happening, and the surprisingly simple thing that stops it.
What a deepfake scam is
A deepfake uses artificial intelligence to imitate a real person — cloning their voice, or even putting their face on a live video call. Criminals use it to make a fraudulent request look and sound completely genuine, because it appears to come from someone the victim knows and trusts: a manager, a director, an accountant, or a supplier.
What's changed is how cheap and easy this has become. Cloning a convincing voice used to need studios and expertise. Today, a few seconds of someone's audio — lifted from a voicemail greeting, a webinar recording, a podcast, or a social media clip — is enough to produce a clone good enough to fool a colleague over the phone.
Why small businesses are now targets
There's a persistent myth that cybercriminals only bother with big corporations. Deepfake fraud proves the opposite. Attackers go where the defences are weakest, and smaller businesses typically have fewer financial controls, less security awareness training, and more informal ways of approving payments — exactly the conditions a deepfake scam exploits.
The numbers are sobering. Globally, businesses have lost hundreds of millions of dollars to AI-enabled voice and video fraud — including one engineering firm tricked into transferring roughly US$25 million after a video call with what staff believed were senior executives. The rise of remote and hybrid work makes it worse: when face-to-face contact is rare, a convincing voice on the phone is often all the "proof" anyone gets before acting.
What it looks like in practice
Deepfake fraud usually shows up as an urgent, high-pressure request to move money or change details:
- The fake "CEO" call — a voice that sounds exactly like your boss, asking for an urgent transfer, a gift-card purchase, or a payment to a new account.
- The supplier "bank change" — a voice message or call confirming that a supplier's payment details have changed, redirecting your next invoice to a criminal's account.
- The video-call authorisation — a manager appearing on a call to approve a payment or a sensitive data request.
In every case, the attacker is banking on two things: that the request sounds legitimate, and that urgency will stop the victim pausing to check. This is the same playbook as business email compromise — just with AI making the impersonation far more convincing.
Why "train staff to spot the fake" isn't enough
The instinctive response is to teach people to listen for tell-tale signs. The uncomfortable truth is that good deepfakes are now very hard to detect by ear or eye — and they're getting better every month. Relying on your team to catch a flawless fake, under time pressure, is a losing strategy.
So the defence has to shift from detection to process. You stop assuming that sounding right is proof of being right.
The one habit that defeats it: verify out-of-band
The single most effective control costs nothing and works no matter how convincing the fake is: out-of-band verification.
Any request to move money, change bank details, or reset access must be confirmed through a separate, trusted channel before anyone acts. In practice that means: hang up, and call the person back on the number you already have saved for them — never a number supplied in the message. If the request is genuine, a 30-second call confirms it. If it's a scam, that call is exactly where it collapses, because the real person has no idea what you're talking about.
Wrap a few more controls around that habit:
- Dual authorisation for payments above a set amount, so no one person can approve and send a large transfer alone.
- A written approval process for any change to payment or banking details.
- Short, regular security-awareness training so staff expect these scams and feel safe slowing down to check.
- A no-blame culture, so an employee can question an "urgent" request from the "boss" without fear of getting in trouble.
None of this is expensive or technical. It's a small change to how your business approves money and access — and it neutralises the scam regardless of how real the voice sounds.
The technology layer still matters
Process is the frontline defence, but strong fundamentals shrink the attack surface that makes these scams possible. Phishing-resistant multi-factor authentication and passkeys stop the credential theft that often precedes a targeted deepfake. Good email security filters the messages that set these attacks up. And aligning to the ASD Essential Eight raises your baseline resilience across the board.
The bottom line for Perth businesses
Deepfake fraud has moved the goalposts: the biggest risk is no longer a weak password, but a request that looks and sounds completely legitimate and isn't. You can't out-listen a good fake — but you can make it your firm, boring, non-negotiable policy that voice and video alone never authorise money or data. That one rule protects you no matter how good the AI gets.
If you'd like help putting the right verification processes, training and security controls in place — before a convincing voice costs your business real money — talk to the Computer Mechanics team or call (08) 9325 1196. We've kept Perth businesses secure since 1997, and we're happy to explain it all in plain English. (If you're ever hit by a scam, contact your bank immediately to attempt a recall, and report it via ReportCyber at cyber.gov.au.)



