Deepfake and Voice-Clone Scams Targeting Australian Businesses

Deepfake scams use AI-generated voice clones and video to impersonate a real person — usually your CEO, CFO or a supplier — and trick staff into approving a payment or handing over credentials. They are already hitting Australian businesses, and they work because they exploit trust in a familiar voice or face rather than a dodgy link.

What changed: the technology caught up

For years, the weak link in business fraud was the writing. A scam email asking the accounts team to urgently pay a new supplier account often gave itself away — odd phrasing, a misspelt name, a tone the real boss would never use. Staff learned to spot it.

That tell has gone. Modern voice-cloning tools need only a few seconds of clean audio to produce a convincing copy of someone’s voice, saying anything you type. A LinkedIn video, a conference talk on YouTube, a podcast appearance, a voicemail greeting, even a recorded webinar — that is more than enough source material. The output is good enough to fool a colleague who speaks to that person every day, especially over a phone line or a slightly glitchy Teams call where audio quality is already degraded.

Video deepfakes have followed. The widely reported 2024 case in Hong Kong, where a finance worker paid out roughly AUD $39 million after joining a video call with what he believed were several senior colleagues — every one of them a deepfake — is the example everyone cites because it proves the technique scales to live, multi-person video. You no longer need to be a nation-state to run it. The tools are commodity, cheap, and getting easier to use by the month.

How the attack actually plays out

This is not theoretical, and it is not science fiction. It is a refinement of business email compromise (BEC), the fraud that the Australian Cyber Security Centre (ACSC) and ReportCyber already rank among the most costly facing Australian businesses. We wrote about the email side of this in our guide to business email security and BEC. Voice and video are the new front end on the same con.

The pattern is consistent. The attacker has done their homework — they know the names of your finance staff, who reports to whom, and often that a director is travelling or otherwise hard to reach. Then they apply pressure through a channel that feels personal:

  • A phone call or voicemail from “the managing director”, voice cloned, instructing accounts to release a payment before close of business because a deal is about to fall over.
  • A Teams or WhatsApp voice note from “the CFO” that sounds exactly right, authorising a transfer to a new account and asking the recipient to keep it quiet until it is done.
  • A short video call where the face and voice of a senior leader appear on screen, lending authority to an instruction that would normally need paperwork.
  • A “supplier” calling to confirm that their bank details have changed, following up an email you were already half-expecting.

Every version leans on the same three levers: authority (it is the boss), urgency (it has to happen now) and secrecy (don’t loop anyone else in). Those three together should be a red flag regardless of how convincing the voice is. Genuine executives almost never combine all three.

Why this supercharges BEC

Classic BEC relied on a spoofed or compromised email account and the victim not picking up the phone to check. The standard advice — “if in doubt, call the person directly” — was the defence. Voice cloning attacks that defence head-on. Now the phone call itself can be the fraud. When the verification channel and the attack channel are the same, the old safety net is gone, and you need a new one.

A Melbourne scenario

Picture a construction firm in Box Hill, mid-afternoon on a Friday. The accounts manager gets a voicemail that sounds unmistakably like the director, who everyone knows is on site at a job in Geelong and notoriously hard to reach. He says a subcontractor needs to be paid today to keep a pour on schedule, the bank details are in a follow-up email, and he is heading into a meeting so just get it done — he will sign off properly Monday. The email arrives moments later from what looks like his address. The voice was right. The story was plausible. The pressure was real.

The only thing that saves that firm is a process that does not depend on recognising the voice — because the voice was perfect. A business we work with in the eastern suburbs had a near-miss almost exactly like this. What stopped it was a boring rule: any change to payment details, or any new payee over a set dollar threshold, gets verified by calling the requester back on the number already in the contact system, never a number supplied in the request. The accounts manager rang the director’s real mobile, got no urgent payment story at all, and the fraud collapsed.

Defences that actually work

You cannot reliably train staff to detect a good deepfake by ear or eye any more — that race is lost, and pretending otherwise sets people up to fail. The defences that hold up are about process and verification, not detection. Technology helps at the edges; controls do the heavy lifting.

Out-of-band verification and callback procedures

This is the single most effective control. Any instruction to move money, change bank details or release sensitive data must be confirmed through a different channel than the one it arrived on — and a channel the attacker does not control. If the request came by call or voice note, verify by a different route: call back on the known number stored in your system, message them on an established internal channel, or confirm in person. Never use contact details supplied in the request itself. The whole point is that a cloned voice cannot also intercept the verification.

Payment controls and dual approval

No single person should be able to release a significant payment or change a payee unilaterally. Dual authorisation — a second, independent person who approves transfers over a threshold — means one fooled employee is not enough to lose the money. Set sensible thresholds, enforce them in your accounting and banking platforms, and make exceptions impossible rather than merely discouraged. Most banks support transaction limits and multi-signatory approval; use them.

A code word for fund transfers

Agree a verbal pass-phrase, known only to the people who authorise payments, that must be stated to confirm any urgent or unusual transfer. A deepfake can clone a voice but it does not know the secret word that was never written down or spoken online. It is low-tech, it costs nothing, and it works precisely because the attacker has no way to obtain it from public footage.

Staff awareness, framed correctly

Train people on the pattern, not the polish. Staff should treat any combination of authority, urgency and secrecy as a trigger to verify, full stop — regardless of how genuine the voice or face seems. Make it explicitly safe, even expected, for a junior staff member to slow down and check an instruction that appears to come from the CEO. The culture has to make verification normal, not insubordinate.

Limit your public voice and video footprint

Cloning needs source audio and video. The more of your executives’ voices and faces sit publicly online, the easier the job. You will never eliminate this — and senior people often need a public profile — but it is worth being deliberate about what gets posted, and aware that anyone with a prominent media presence is a higher-value target who warrants tighter payment controls.

Email security underneath it all

Most of these attacks still pair the voice or video with a supporting email, so the email layer matters. Properly configured SPF, DKIM and DMARC to stop domain spoofing, anti-impersonation rules that flag display-name lookalikes, and conditional access to lock down accounts all reduce the surface. This is core to our cybersecurity services, and we cover the email-specific side in detail in the BEC guide. Strong authentication matters too — if attackers cannot get into the real mailbox, they cannot send the convincing follow-up from the genuine address.

What to do if you have been hit

Speed matters enormously with payment fraud, because the money moves fast and recovery odds fall by the hour. If you suspect a deepfake or voice-clone scam has succeeded, or nearly has:

  1. Call your bank immediately. Ask them to attempt a recall or freeze on the transfer. The first hour or two is when funds are most likely to be recoverable.
  2. Report to ReportCyber (cyber.gov.au) and, for the scam itself, to Scamwatch (run by the National Anti-Scam Centre). These reports feed the national picture and can assist tracing.
  3. Lock down internally. Reset credentials on any account that may have been compromised, check mailbox rules for malicious forwarding, and review what else the attacker may have accessed.
  4. Tell your people. Warn staff that an attack is in progress so a second or third attempt does not land. These campaigns often target several employees.
  5. Check your obligations. If personal information was exposed, the Notifiable Data Breaches scheme under the Office of the Australian Information Commissioner (OAIC) may require notification. Get advice quickly.
  6. Preserve evidence. Keep the voicemail, the call records, the emails and any video. Do not delete anything — it matters for the bank, the police and your insurer.

If you carry cyber insurance, notify your insurer early; social-engineering and fund-transfer fraud cover varies widely between policies and many have strict notification windows.

Frequently asked questions

How little audio is really needed to clone a voice?

A few seconds of clear speech is enough for current consumer tools to produce a usable clone, and a minute or two yields something genuinely convincing. Given that most business leaders have video, podcast or webinar audio publicly available, attackers rarely struggle for source material. Assume any voice with a public footprint can be cloned.

Can we just train staff to spot deepfakes?

No, and relying on that is dangerous. Good deepfakes already fool people who know the real person well, and the quality keeps improving. Train staff to follow verification processes regardless of how authentic something seems. The defence is procedural — callback verification, dual approval, a code word — not human lie-detection.

Is this just a problem for big companies?

No. Small and mid-sized businesses are arguably easier targets because they often lack formal payment controls and have flatter structures where one person can authorise a transfer. Attackers go where the friction is lowest. A 15-person firm with no dual-approval rule is a softer target than a large enterprise with locked-down finance controls.

Does multi-factor authentication stop these scams?

It helps but does not solve it. Strong authentication stops attackers logging into your real accounts to send convincing emails, which is valuable. But a voice-clone scam can work entirely outside your systems — a phone call to your accounts team referencing a legitimate-looking email. You still need the payment-verification controls on top of good authentication.

The short version

Deepfake and voice-clone fraud is BEC with a far more convincing front end, and it is landing on Australian businesses now. You cannot train your way to spotting a perfect clone, so the answer is process: out-of-band callback verification on a known number, dual approval over a threshold, a code word for transfers, and email security underneath. Those controls do not care how good the fake is. As a Melbourne-based MSP founded in 2014, with 13 Australian-employed engineers and a 24/7 NOC in Tecoma, we set these controls up so a convincing voice on the phone is not enough to move your money. If you want a straight assessment of where your payment and email controls stand, get in touch.

Ready to Make IT Your
Competitive Advantage?

Book a free consultation with our team. No pressure, no jargon — just a clear-eyed look at where you stand and what's possible.