A phone call that should have happened
In January 2024 an employee in the Hong Kong office of the engineering firm Arup received a message, apparently from the group’s UK-based CFO, about a confidential transaction. The employee was suspicious, so a video call was arranged. On the call were the CFO and several familiar colleagues. Reassured, the employee made 15 transfers worth about HK$200 million, roughly US$25 million[1]. Every person on that call was a deepfake, generated from publicly available video and audio.
The striking part is not the technology. It is how ordinary the control that would have defeated it was: one phone call, to a number the employee already held for the CFO, would have ended the scheme. The attack did not beat a firewall. It beat a payment process that had no independent verification step.
This is not a fringe threat in Australia
Australian reported scam losses rose to A$2.18 billion in 2025, up 7.8% and the first annual increase since 2022. Payment redirection, the category that covers business email compromise, climbed 9.3% to $166.8 million and is now the second-largest single type of loss[2]. The Australian Signals Directorate lists business email compromise among the top cybercrimes reported by businesses, and assesses that AI is letting attackers operate at greater scale and speed[5].
The investment-scam side shows the same trend. ASIC removed nearly 12,000 scam websites in 2025, up 90% on the year before, and its commissioner was direct about the cause: AI is making fake ads "more polished, more convincing and harder to spot"[3]. The tools that faked a CFO on a video call are the same ones cloning voices and fabricating endorsements.
Why the deepfake works
These attacks succeed because they target trust, not systems. A familiar face on a screen or a familiar voice on the phone overrides the small doubt that a suspicious email raises. The raw material is cheap: a few minutes of a public presentation or a media interview is enough to build a convincing likeness. And the real target is never the technology. It is your payment authorisation process, and specifically the moment a person is asked to move money or change bank details in a hurry.
The controls that actually stop it
The defences are process, not product, and the ACSC recommends them explicitly[4]. None of them requires new software.
- Out-of-band verification: confirm any payment-detail change or large transfer by calling the requester on a number you already hold, never a number from the email or the call itself
- Dual authorisation: no single person can both initiate and approve a payment above a set threshold
- A standing approval process for changes to supplier or payroll bank details, with a mandatory waiting and verification step
- A rule that urgency is a red flag, not a reason to skip steps; "the CEO needs this in the next ten minutes" is the script
- Regular, brief drills so the finance team has actually practised saying no to a convincing request
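The controls above can be expressed as a release gate that refuses to move money until every step has been met. The following is an added illustration, not code from the article or from any organisation it mentions; the held call-back directory, the dual-authorisation threshold and the 24-hour waiting period are constructed values, and in practice they would come from a system maintained independently of incoming messages.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed call-back directory: numbers sourced independently of any email or call (assumption).
HELD_NUMBERS = {"cfo": "+61 2 0000 0001", "acme-supplier": "+61 3 0000 0002"}
DUAL_AUTH_THRESHOLD = 10_000            # above this amount two approvers are required (assumed value)
BANK_CHANGE_HOLD = timedelta(hours=24)  # mandatory wait after a bank-detail change (assumed value)
T0 = datetime(2024, 1, 15, 9, 0)        # constructed timestamp used by the scenarios below

@dataclass
class PaymentRequest:
    requester: str                 # identity claimed by the email or video call
    initiator: str                 # staff member who keyed the payment
    amount: float
    bank_details_changed: bool
    urgent: bool                   # "needs this in the next ten minutes"
    received_at: datetime
    callback_number: Optional[str] = None   # number actually dialled to confirm the request
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)

def release_decision(req: PaymentRequest, now: datetime):
    """Return (release, reasons). Every failed control is listed; urgency never removes one."""
    reasons = []
    # Out-of-band verification for any detail change, large transfer, or urgent request.
    # The only acceptable call-back target is the number already held, never one from the message.
    if req.bank_details_changed or req.amount > DUAL_AUTH_THRESHOLD or req.urgent:
        held = HELD_NUMBERS.get(req.requester)
        if held is None:
            reasons.append("no independently held number for requester")
        elif req.callback_number != held:
            reasons.append("call-back did not use the held number")
        elif not req.callback_confirmed:
            reasons.append("requester did not confirm on call-back")
    # Dual authorisation: at least two approvers, neither of whom initiated the payment.
    if req.amount > DUAL_AUTH_THRESHOLD:
        independent = set(req.approvers) - {req.initiator}
        if len(independent) < 2:
            reasons.append("fewer than two approvers independent of the initiator")
    # Standing waiting period on supplier or payroll bank-detail changes.
    if req.bank_details_changed and now - req.received_at < BANK_CHANGE_HOLD:
        reasons.append("bank-detail change still inside the waiting period")
    return (not reasons, reasons)
```

A request that mirrors the opening story (urgent, large, confirmed only on a number supplied by the caller, approved by the same person who keyed it) fails on two separate controls, so no single persuaded employee can release it.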
Make it a board question
Because the fix is process, the oversight belongs at the board, not buried in IT. Three questions surface most of the risk. Who is authorised to change bank details or approve a large transfer? What is the exact call-back procedure, and does it use independently sourced numbers? When was it last tested with a realistic scenario? Treat this as a controls review, the same way you would treat segregation of duties in finance.