The CEO on the phone is not identity proof any more
Vericode · 22 August 2025
The voice on the phone used to be the proof. You knew your boss’s voice, your mum’s voice, the tone your CFO used when something had gone wrong. That was the verification layer underneath every “transfer this by close of play” instruction. Three years of cheap public AI voice models later, the proof is gone. The instruction sounds right, the voice sounds right and the money still leaves.
The reported loss figures are now large enough that this cannot be treated as an edge case. Deepfake CEO scams have been tied to more than US$200 million in global business email compromise losses in the first quarter of the year. That number should keep its qualifier. It is global, not Australian. It is business email compromise, not every voice scam. But the direction is hard to miss.
Business email compromise has grown up and learned to talk.
The old defence relied on friction. A suspicious payment request might come from an email address that looked wrong, a style that felt off, or a supplier story that had too many moving parts. Staff could slow down because something in the channel felt false. Voice cloning removes one of the easiest reasons to slow down. The person on the other end sounds like the person with authority.
Australia’s surface area is already showing the same pattern. Large retailers have warned about AI worker-impersonation videos. ASIC has been calling out fake celebrity finance endorsements and takedowns. CommBank has launched new scam-checking tools. NAB is pushing biometric onboarding. ACMA has named mobile-number fraud as a compliance priority.
All of that is useful. None of it removes the question in the middle of the phone call.
Bank-side controls can see payment behaviour, known scams and account signals. They can slow money, warn customers, and compare devices, payees and transaction patterns. But if an employee receives a call that sounds like the CEO and the caller says the matter is urgent, the bank has not yet seen the moment that matters. The persuasion has already started.
The same is true inside smaller businesses. A finance manager does not need to be careless to be pressured. A receptionist does not need to be naive to keep talking. A founder does not need to be reckless to believe a familiar voice during a noisy week. The attack is designed to arrive wearing context.
That is why the phrase “deepfake scam” can be misleading. The fake is not the whole scam. The fake is the last layer on top of a pretext that may already include names, invoices, roles, payment timings and internal language. The voice is the part that makes the assembled story feel human.
Awareness training has a role here, but it cannot carry the full weight. A staff member cannot be expected to run a forensic audio test in the middle of a pressured call. “Does it sound like them?” used to be a reasonable question. It is now one of the weaker checks in the room.
The next phase of fraud prevention will have to separate recognition from verification. Recognition is the gut saying the voice is familiar. Verification is a controlled way to prove the person behind the voice is allowed to make the request. The two used to blur together. AI has made the blur dangerous.
That does not mean every call becomes suspicious. It means the risky ones need a stronger step than tone, memory and confidence. A payment instruction, account change, password recovery, customer disclosure, supplier request, or executive escalation should not rest on a voice alone.
Voice is no longer evidence of identity. We just have not said it out loud often enough.