Patrick Gray, host of cybersecurity podcast Risky Business, recently spelled out where a long-touted threat is finally heading for finance teams:
"You need to adjust your understanding of risk accordingly, and your BEC procedures, because it isn't going to be long before you get FaceTimed by someone who looks exactly like your boss and sounds exactly like your boss – who is not, in fact, your boss."
Patrick Gray, Risky Business Episode #838
Two trends are colliding to make that scenario a reality:
- Access. Real-time face-swapping software is now sold openly to fraudsters and runs on an ordinary gaming laptop, with no specialist infrastructure required.
- Realism. The ability to detect a fake is collapsing, even among seasoned experts in digital forensics.
Illustrating the second trend is a New York Times profile from earlier this week: Hany Farid, the UC Berkeley professor who helped found the field of digital forensics, admitted he can no longer reliably tell AI-generated video and audio from the real thing.
To put it bluntly, the expert that governments, courts and newsrooms have relied on to authenticate media has started failing his own tests.
"I feel like I'm going blind," Farid told the Times.
If the person who taught the world to spot fakes can no longer spot them, no amount of staff training will reliably catch a real-time deepfake on a payment approval call. Seeing and hearing someone can no longer be treated as proof of who they are.
For finance teams, though, the bigger story is not the technology itself. The most sophisticated payment fraud already succeeds without deepfake audio or video. Fraudsters build trust through fake documentation, patient social engineering and carefully staged validation. A convincing fake voice or face removes a guardrail that was once entirely trustworthy: the ability to verify a person's identity by speaking to them.
It can mean losing millions. If you thought the Arup deepfake scam was an outlier, keep in mind the more recent scam in Singapore. And that's just what hits the news.
The access problem stopped being hypothetical a while back. In May 2026, 404 Media journalist Joseph Cox tested a piece of Chinese software called Haotian AI, marketed openly to scammers. During a live Microsoft Teams call, Cox watched his own face appear on another person's body in real time.
What stood out was not just the realism. The software maintained the illusion through the kinds of movements that traditionally exposed deepfakes. The operator pinched his cheek, covered his nose and stroked his chin. The fake held up. It also worked across platforms including Zoom and WhatsApp, and ran on consumer-grade hardware rather than expensive infrastructure.
The fraud that already works without a deepfake
None of this requires a deepfake to succeed.
The most damaging attacks Eftsure sees are not the obvious, error-filled phishing emails that security awareness training teaches employees to spot. They are patient, methodical and often unfold over months.
Michelle Cram, VP of Customer Operations at Eftsure, describes a common sequence.
The fraudster impersonates a vendor the organization already pays and makes what appears to be a minor administrative request: update the remittance email address.
At first glance, it looks harmless.
In reality, that change gives the fraudster visibility into payment timing, remittance advice and communication patterns. They learn how the finance team operates. They understand when payments are expected. They begin to mimic legitimate business processes.
The bank account change request comes later, sometimes weeks later. Sometimes months later.
By the time that request arrives, it is usually wrapped in multiple layers of fabricated validation.
"The escalated request usually comes with everything you would ask for and more. Signed letters, bank statements, a phone number you can call to confirm it. From the customer's side, it looks completely legitimate."
Michelle Cram, VP of Customer Operations, Eftsure
That observation aligns with broader concerns among finance professionals. Eftsure's 2026 Australian Payment Fraud Report found that 90% of respondents believe AI-generated scams will be harder to detect.
The tactics above help explain why: the fraud is already designed to survive scrutiny, and depends on trust earned over time. It already includes documents, conversations, validation checks and patient relationship-building.
A cloned voice or realistic video call doesn't create the deception, but it does remove one of the final opportunities to spot it manually.
Why these attacks are so convincing
What makes these attacks effective is the combination of digital validation and human validation. There's the documentation, the email trail, the supporting paperwork.
There might even be a real person answering calls, responding to questions and behaving exactly as a legitimate vendor representative would.
These attacks are rarely rushed. Fraudsters understand that familiarity creates trust. By investing time in building a relationship, they make future requests feel routine rather than suspicious.
And this is where real-time deepfakes could significantly increase risk.
Today, the human validation layer often depends on a fraudster pretending to be a vendor representative over the phone. There might still a chance that something feels wrong. Maybe the voice is unfamiliar or the answers are inconsistent.
A convincing cloned voice changes that, and a realistic video likeness of a known contact changes it further.
The confirmation call that currently reassures finance teams could become one of the most convincing parts of the fraud.
Verify who owns the account, not who is on the call
The lesson for finance teams is not to become suspicious of every phone call or video meeting. It's to stop treating any singular communication channel as proof of identity.
Verification needs to move away from what a person looks or sounds like and toward what can be independently validated.
That means verifying ownership of bank accounts before payment details are changed, as well as using trusted contact information already on file rather than details supplied within the request itself. It also means recognizing patterns that frequently appear in fraud attempts.
Most importantly, it means understanding that fraud prevention is increasingly about process rather than perception.
See how prepared your finance team is for this shift: take Eftsure's deepfake readiness assessment.
For the controls that catch these attacks no matter how convincing the contact appears, read our guide to continuous controls for outgoing payments.
