Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all the essential stories in our cyber brief so your team can stay secure.
SMS Sender ID Register becomes mandatory from 1 July
From 1 July, Australian businesses must register the branded sender IDs they use in SMS under the ACMA's new register, or their texts will be labelled "Unverified" on customers' phones.
The scheme, part of the government's Fighting Scams initiative, aims to stop criminals spoofing trusted brand names, with registration closing on 30 June. It's a real step against impersonation, but as we explain in "Australia is closing the scam gap, but the payment gap remains", securing the message doesn't answer the harder question for finance teams: whether the account receiving a payment truly belongs to the intended vendor.
AFP charges insider over alleged $5m disability scheme fraud
The Australian Federal Police have charged a former National Disability Insurance Agency employee over an alleged scheme to defraud the NDIS of more than A$5 million.
Police allege the Adelaide woman accessed more than 40 participant records without authorisation and lodged fraudulent claims, including for supports that were never provided. She was charged on 10 June and is due to appear in court in August. The case highlights how insider access, not just external attackers, can drive large payment losses, and why segregation of duties and independent review of changes to payment and claim details still matter.
Digital forensics leader warns deepfakes are becoming impossible to spot
A leading digital forensics expert has warned that AI-generated video and audio have become so convincing that even specialists can no longer reliably identify them.
Hany Farid, a UC Berkeley professor whose work helps governments, courts and news organisations verify digital content, told The New York Times that he is increasingly unable to distinguish real media from deepfakes. For finance teams, that erodes a long-trusted control: if a face or voice on a call no longer confirms identity, verification has to rest on independently held details.
Our breakdown of why finance teams need to rethink verification explores what that means for leaders, their people, and their controls.
Inside the Chinese real-time deepfake software powering scams
In a 404 Media investigation, journalist Joseph Cox tested Chinese software sold openly to scammers and watched his own face mapped onto another person's body, live, on a Microsoft Teams call.
The fake held up through the gestures that once exposed deepfakes: a pinched cheek, a hand over the nose. It ran across Zoom and WhatsApp on consumer hardware, not specialist kit. It's another sign teams need to rethink verification: a study from security firm Outtake found impersonation attacks hit 53% of organisations this year, yet three-quarters only monitor lightly or react after the fact.
Fake-invoice phishing kit caught while still being built
Malwarebytes researchers uncovered a fake invoice campaign while it was still being assembled, finding near-identical templates impersonating Amazon and PayPal with placeholder fields like "#PRICE#" and "#TFN#" (shorthand for the toll-free callback number).
The invoices route victims to a phone line where a fake "support agent" extracts payment details or device access, a tactic known as callback phishing. For AP teams, it's a reminder that an unexpected invoice carrying an urgent "call this number" instruction is a prompt to verify through known contacts, not the details printed on the document.
NZ launches new anti-scam measures as fraud losses hit NZ$265 million
The New Zealand Government has announced a new package of anti-scam initiatives through the Anti-Scam Alliance, bringing together banks, telecommunications providers, digital platforms and government agencies to improve scam prevention and information sharing.
The programme includes a national scam reporting service, stronger cross-sector collaboration and public awareness efforts. The announcement comes as New Zealanders lost more than NZ$265 million to scams in a 12-month period, with authorised payment scams accounting for a significant share of reported losses.
BCG warns finance teams need guardrails as 'vibe coding' arrives
BCG's Center for CFO Excellence predicts "vibe coding," where staff build software by describing what they want in plain language, will spread across finance, but warns it brings new control and compliance risks.
Tools like Claude Code and OpenAI Codex let analysts spin up apps for forecasting, anomaly detection, or document review without writing code. Without governance, BCG cautions, CFOs risk trading "shadow Excel" for "shadow code": undocumented scripts that sit outside official systems and are hard to spot until something breaks. The report urges clear oversight, careful use-case selection, and human judgment, a reminder that finance automation still needs auditable controls around it.