TL;DR

Deepfake-powered social engineering attacks have exploded — cases surged 1,740% between 2022 and 2023, and deepfake-enabled fraud drove over $200 million in losses in Q1 2025 alone. Attackers can clone a voice from 20 seconds of audio and spin up a convincing deepfake video in under an hour. If your organization doesn't have verification protocols for high-value transactions and executive communications, you're a target waiting to be hit.

The $25 Million Video Call That Wasn't Real

In January 2024, a finance worker at multinational engineering firm Arup received a message purporting to be from the company's UK-based CFO requesting an urgent wire transfer. The employee was suspicious — until he joined a video conference call and saw the CFO and several colleagues on screen, looking and sounding exactly as expected. He authorised transfers totalling HK$200 million (approximately $25.6 million AUD). Every person on that call was a deepfake. Fraudsters had trained AI models on publicly available video and audio from online conferences and virtual meetings.

This wasn't an anomaly. It's the new normal. Deepfake fraud cases surged 1,740% between 2022 and 2023, and 2025 saw an 83% increase in deepfake-based CEO fraud attempts, according to CrowdStrike's 2025 Threat Hunting Report. Over half of businesses in the US and UK have been targeted by a deepfake-powered scam, and 43% have actually fallen victim. The Australian Signals Directorate's Essential Eight and similar frameworks were not designed for a world where your CFO's face and voice can be replicated from a LinkedIn video.

What makes this different from traditional social engineering:

  • Attackers clone voices with just 20–30 seconds of audio — a snippet from any podcast, webinar, or voicemail.
  • Deepfake video can be produced in roughly 45 minutes using consumer-grade tools.
  • AI-generated phishing emails achieve 72% open rates, double the 36% rate of traditional phishing.
  • 82.6% of detected phishing emails now contain some form of AI-generated content.

Beyond Deepfakes: The Broader AI Threat Landscape

Deepfakes are the headline-grabber, but they're one vector in a rapidly expanding AI-powered attack surface.

AI-Augmented Business Email Compromise (BEC). BEC remains the costliest cybercrime category — $2.77 billion in US losses in 2024 alone, from just 21,442 complaints. AI now lets attackers craft perfectly personalised, grammatically flawless emails at scale. A 1,265% surge in phishing attacks has been linked to generative AI tools. Vishing (voice phishing) surged 442%, smishing grew 40%, and QR phishing increased 400% as attackers exploit multiple channels simultaneously.

Prompt Injection and AI Agent Security. As businesses deploy AI agents for customer service, internal operations, and decision support, prompt injection attacks are emerging as a critical vulnerability. Maliciously crafted inputs can manipulate AI agents into leaking sensitive data, executing unauthorised actions, or bypassing safety guardrails. This is a supply-chain risk: if your AI agent has access to internal systems, a prompt injection is effectively an authentication bypass.

Model Theft and Intellectual Property. Custom-trained models represent significant investment. Model extraction attacks — where adversaries systematically query an AI API to reconstruct a functional copy of the model — pose a real risk to organisations deploying proprietary AI. Stolen models can be used to craft more targeted attacks or sold to competitors.

Polymorphic Malware. AI enables malware that rewrites its own code to evade signature-based detection, making traditional antivirus increasingly ineffective against sophisticated threats.

How to Detect Deepfake Attacks

Detection is an arms race, but there are practical steps that work today.

Voice Authentication Red Flags:

  • Unusual pauses or robotic cadence in speech patterns.
  • Requests for urgent, unusual financial transactions.
  • Callers refusing to use established verification channels.
  • Background noise that sounds artificial or looped.
  • Slight lip-sync drift in video calls — watch for uncanny valley cues around mouth and eye movements.

Technical Detection Tools:

  • Pindrop and Nuance offer real-time voice authentication and deepfake detection for call centres.
  • ZeroFox and Reality Defender provide deepfake detection across social media and video channels.
  • FIDO2 hardware keys (YubiKey) defeat phishing and credential theft even when deepfakes succeed at the human layer — the attacker still can't produce the physical token.
  • AI-based email security platforms (Mimecast, Proofpoint, StrongestLayer) analyse email intent and context rather than just signatures, catching AI-generated phishing that bypasses legacy filters.

Process Controls (Often More Effective Than Technology):

  • Enforce a mandatory callback verification for any transaction above a set threshold. Not to the number that called — to a known, stored number.
  • Implement dual-authorisation for wire transfers and financial changes.
  • Establish a pre-agreed code word or phrase for executive communications involving sensitive actions.
  • Train staff specifically on deepfake social engineering — generic phishing awareness is no longer sufficient. KnowBe4 reports that untrained employees have a 33.1% click rate on phishing links; trained employees drop below 5%.
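
The callback and dual-authorisation controls above can be enforced in the payment workflow itself rather than left to memory under pressure. The sketch below is an added example, not code from this article's author; the threshold, the stored-number directory, the field names and the rule that the claimed requester does not count as an approver are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

CALLBACK_THRESHOLD = 10_000  # assumed policy threshold, in currency units
# Assumed directory of numbers on file, maintained outside the email/chat/call channels.
STORED_NUMBERS = {"cfo@example.com": "+61 2 5550 0100"}  # constructed sample entry


@dataclass
class TransferRequest:
    claimed_requester: str                  # who the message or call claims to be
    amount: int
    inbound_number: str                     # number the request arrived from
    callback_dialled: Optional[str] = None  # number staff actually rang back
    callback_confirmed: bool = False        # person reached confirmed the request
    approvers: set = field(default_factory=set)


def _digits(number):
    """Compare phone numbers on digits only so formatting cannot cause a mismatch."""
    return "".join(ch for ch in (number or "") if ch.isdigit())


def release_decision(req):
    """Return (allowed, reasons); any reason blocks the transfer."""
    reasons = []
    if req.amount >= CALLBACK_THRESHOLD:
        stored = STORED_NUMBERS.get(req.claimed_requester)
        if stored is None:
            reasons.append("no stored number on file for requester")
        elif _digits(req.callback_dialled) != _digits(stored):
            # Covers both "no callback made" and "rang the number the caller supplied".
            reasons.append("callback was not made to the stored number")
        elif not req.callback_confirmed:
            reasons.append("stored-number callback did not confirm the request")
    # Dual authorisation: two distinct staff, not counting the identity under question.
    independent = set(req.approvers) - {req.claimed_requester}
    if len(independent) < 2:
        reasons.append("fewer than two independent approvers")
    return (not reasons, reasons)
```

Note that `inbound_number` is recorded but never trusted: a callback to it fails the check even when the person who answers confirms the request, which is the failure the stored-number rule exists to prevent.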

The Governance Framework You Need

Technology alone won't save you. Businesses need governance frameworks that address AI-specific threats.

Map your AI attack surface. Identify every point where AI touches your business — customer-facing chatbots, internal AI agents, third-party AI services, and employee use of public AI tools. Each is a potential vector.

Adopt an AI security standard. Australia's Artificial Intelligence Ethics Framework and the NIST AI Risk Management Framework (AI RMF 1.0) provide structured approaches. Key elements: risk assessment, transparency requirements, human oversight of AI-driven decisions, and incident response plans that specifically cover AI-enabled attacks.

Update your incident response plan. Traditional playbooks don't cover "CFO's face was cloned and authorised a wire transfer." Your IRP needs scenarios for deepfake social engineering, AI-generated phishing campaigns, and AI agent compromise.

Mandate phishing-resistant MFA. FIDO2 passkeys or hardware tokens are the single most effective control. They defeat adversary-in-the-middle attacks and credential harvesting regardless of how convincing the deepfake is.

Budget for AI security. McKinsey reports that 40% of businesses plan increased investment in AI and cybersecurity. If you're not in that group, you're accepting risk you probably haven't quantified.

FAQ

How much does a deepfake attack cost a business? The Arup case cost $25 million. Deepfake-enabled fraud totalled over $200 million in Q1 2025 alone. But the average BEC loss — now increasingly AI-powered — is $4.67 million per incident according to FBI IC3 data. Even small businesses face significant risk; a single convincing deepfake call can drain operating accounts.

Can deepfake detection tools keep up with the technology? It's an arms race. Detection tools are improving — voice analysis can flag synthetic audio with high accuracy, and video analysis tools are getting better at spotting artefacts. But the best defence is layered: detection technology plus process controls (callback verification, dual authorisation) plus phishing-resistant MFA. No single control is sufficient.

What should we do right now, this week? Three immediate actions: (1) Implement mandatory callback verification for any financial transaction or credential change requested via phone or video. (2) Deploy FIDO2 hardware keys for all staff with financial or administrative access. (3) Run a deepfake-specific tabletop exercise with your finance and security teams — walk through the Arup scenario with your company's name on it.

Is Australia specifically at risk? Yes. The ACSC continues to report increasingly sophisticated social engineering targeting Australian organisations. Australian businesses face the same threats as global firms but often have less mature cybersecurity programs. The average cost of a data breach in Australia reached $4.26 million in 2024, and AI-powered attacks are accelerating that trend.

Conclusion

The threat landscape has fundamentally changed. Deepfake social engineering isn't a future risk — it's a present-day weapon that has already cost businesses hundreds of millions. The $25 million Arup loss wasn't a sophisticated nation-state attack; it was criminals with consumer-grade AI tools and publicly available video footage.

Your next steps are clear: map your AI attack surface, implement process controls for financial transactions, deploy phishing-resistant MFA, and update your incident response plan for AI-enabled threats. The organisations that act now will weather this shift. Those that don't will learn about it from their finance team after the money is gone.

Visit consult.lil.business for a free cybersecurity assessment — we'll identify your exposure to AI-powered threats and build a practical remediation roadmap.

References

  1. FBI Internet Crime Report 2024 — Business Email Compromise Statistics
  2. NIST AI Risk Management Framework (AI RMF 1.0)
  3. CrowdStrike 2025 Threat Hunting Report — Deepfake and Voice Attack Trends
  4. CNN: Finance Worker Pays Out $25 Million After Deepfake CFO Video Call
  5. ZeroFox: The Deepfake Economy — Q1 2025 Loss Analysis

How AI Helps Your Business Make Smarter Choices (ELI10 Edition)

TL;DR

  • Running a business means making lots of big decisions — and most people make them on gut feeling, which is risky
  • AI can look at all your business data and help you make smarter choices, like a super-powered advisor
  • Businesses using AI to make decisions see up to 3× more revenue per person than businesses that don't [1]
  • You don't need to be a data expert — the tools do the hard work
  • lil.business can help you set up the right AI tools for YOUR business decisions

Every Business Makes Decisions. Most Are Guesses.

Think about the decisions running a business involves:

  • How much stock should you order this month?
  • Should you hire another person?
  • Is your pricing right, or are you leaving money on the table?
  • When will you have a cash flow problem — before it happens?
  • Which customers are about to leave?

Most small business owners answer these questions based on experience and gut feeling. That's not a bad thing — experience matters. But gut feeling can only process so much information. Your brain can't track 500 customers' buying patterns simultaneously, or spot a pricing opportunity hidden in three years of sales data.

AI can. And when businesses use AI to support their decisions, the results are measurable. According to PwC's Global AI Jobs Barometer, businesses using AI show 3× higher revenue growth per worker than those that don't [1].


Think of AI as a Really Smart Business Analyst

Imagine hiring a brilliant analyst who:

  • Read every sales record, invoice, and customer interaction your business has ever had
  • Can spot patterns in all that data in seconds (like "you always run out of X product in September")
  • Never gets tired, never goes home, and updates their analysis every day automatically
  • Gives you a clear recommendation before you need to make an important decision

That's what AI decision support does. It's not replacing your judgment — it's giving you much better information to apply your judgment to.

McKinsey estimates that AI could unlock between US$2.6 trillion and US$4.4 trillion in value for businesses globally [2]. The biggest chunk of that value comes from better decisions — in pricing, in staffing, in what to stock, in who to sell to.


Real Examples of What AI Can Help You Decide

"How much should I order?"

AI inventory forecasting looks at your past sales, factors in seasons (Christmas rush, school holidays, winter) and even the weather if it matters for your business — and tells you exactly how much to order, weeks in advance.

Instead of ordering too much (money stuck in stock you can't sell) or too little (missing sales because you've run out), AI keeps you in the sweet spot.

Businesses using AI for this kind of forecasting have reduced their errors by 30–50% compared to doing it manually [3].

"Are my prices right?"

This is a sneaky one. Most small businesses set prices once and barely change them. AI pricing tools look at what's selling, what's not, when demand is high, and where you have room to charge more — or where you're pricing yourself out of sales.

You don't need to change prices every hour like an airline does. Even using AI to review your pricing once a quarter can catch significant opportunities you'd otherwise miss.

"Am I going to run out of cash?"

Cash flow problems are the number-one reason small businesses close — even profitable ones. The money's owed to you, but it hasn't arrived yet, and your bills are due.

AI cash flow tools plug into your accounting system (like Xero or MYOB) and show you, weeks in advance, when you're going to be short. That gives you time to chase invoices, delay a purchase, or arrange a short-term credit line before it becomes a crisis.

IBM used AI on its own finances and is on track to save US$4.5 billion by the end of 2025 [4]. You won't save billions, but the proportional impact on an SMB can be just as significant.

"Should I hire someone?"

AI HR tools look at your sales patterns, workload data, and team capacity — and tell you when you're genuinely understaffed (not just stressed) and when you can handle more without hiring. They can also help screen job applications by matching candidates to the profile of your best performers.


AI Doesn't Make the Decision. You Do.

This is really important to understand. AI gives you better information. You still make the call.

Think of it like GPS navigation. GPS tells you the fastest route based on traffic data, but you can choose to ignore it because you know a shortcut the GPS doesn't. Your local knowledge and judgment still matter — you just have much better information to work with.

Gartner (a tech research company) predicts that by 2028, only about 15% of day-to-day business decisions will be made fully by AI on its own [5]. The rest still need a human. The goal is making that human (you) as well-informed as possible.


"But I'm Not a Data Person"

You don't need to be. Modern AI business tools are designed for normal business owners, not data scientists.

Most of them connect directly to the tools you're already using — your accounting software, your website analytics, your POS system — and present the insights in plain language, not graphs that require a statistics degree.

The setup is where it helps to have an expert. lil.business makes sure you connect the right data sources, configure the tools correctly, and understand how to interpret what you're seeing. After setup, the tools run themselves.


One Important Rule: Keep Humans In Charge of Big Decisions

As AI tools get better, it's tempting to let them make more decisions automatically. For small stuff (reordering common stock, routing routine customer emails) — go for it.

But for decisions that really matter — hiring, pricing strategy, major purchases, entering a new market — always keep a human in the loop. Not because AI is bad, but because AI can only see the data it has access to. It can't see the conversation you had at an industry event, or the new competitor you heard is moving into your area, or the regulatory change you know is coming.

Your judgment, combined with AI's data processing, is more powerful than either alone.


FAQ

Yes, sometimes. AI is as good as the data it's trained on. If your data is incomplete, or if something unusual happens (a new competitor, a pandemic), AI can miss it. That's why you always review AI recommendations before acting on them, especially for big decisions.

No — and this is something lil.business specifically checks. Some AI tools use your business data to train shared models (which means your data helps a competitor's AI). lil.business only recommends tools with strong data privacy policies, and we configure them to protect your information.

You'll start seeing better data visibility from day one. But improved decisions take time to demonstrate — you need to make some decisions, see the outcomes, and compare them to your old approach. Most businesses see clear evidence of improvement within 3–6 months.

Most AI decision-support tools for SMBs cost AU$100–$500 per month. Given that better inventory decisions, pricing, and cash flow management can easily save multiples of that, the ROI is usually straightforward to demonstrate.

This is a real challenge — and one of the most common reasons AI implementations fail. The key is starting with a use case that genuinely helps the person doing the work, not just the business owner. When a team member sees AI saving them two hours of weekly report-building, they become advocates. lil.business helps design AI roll-outs that bring teams along rather than forcing change from the top.


What to Do Next

  1. Pick one decision your business makes regularly that you find stressful or uncertain
  2. Ask yourself what data you'd need to feel confident making that decision
  3. Book a free chat with lil.business — we'll tell you if AI can help and what it would take to set it up

Better decisions compound. One better pricing decision this quarter leads to higher margins next year. One better hiring decision this month leads to a stronger team for years. The sooner you start, the more those improvements add up.


References

[1] PwC, "2024 Global AI Jobs Barometer," PwC Global, May 2024. [Online]. Available: https://www.pwc.com/gx/en/issues/artificial-intelligence/ai-jobs-barometer.html

[2] McKinsey & Company, "The Economic Potential of Generative AI: The Next Productivity Frontier," McKinsey Global Institute, Jun. 2023. [Online]. Available: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-economic-potential-of-generative-ai-the-next-productivity-frontier

[3] Deloitte, "AI in Supply Chain: Predictive Analytics and Lead-Time Variability," Deloitte Insights, 2023. [Online]. Available: https://www2.deloitte.com/insights/us/en/industry/retail-distribution/ai-in-supply-chain.html

[4] IBM, "Enterprise Transformation and Extreme Productivity with AI," IBM Think Insights, Jan. 2026. [Online]. Available: https://www.ibm.com/think/insights/enterprise-transformation-extreme-productivity-ai

[5] Gartner, "Top Strategic Technology Trends for 2025: Agentic AI," Gartner, Oct. 2024. [Online]. Available: https://www.gartner.com/en/documents/5850847

[6] McKinsey & Company, "The State of AI in 2025," McKinsey Global Institute, Nov. 2025. [Online]. Available: https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai

[7] Mercer, "2024–2025 Global Talent Trends Report," Mercer, 2024. [Online]. Available: https://www.mercer.com/assets/za/en_za/shared-assets/global/attachments/pdf-mercer-2024-2025-global-talent-trends.pdf

[8] Bain & Company, "Survey: Generative AI Uptake Is Unprecedented Despite Roadblocks," Bain & Company, Oct. 2024. [Online]. Available: https://www.bain.com/insights/survey-generative-ai-uptake-is-unprecedented-despite-roadblocks/

[9] Federal Reserve Bank of St. Louis, "The Impact of Generative AI on Work Productivity," On the Economy Blog, Feb. 2025. [Online]. Available: https://www.stlouisfed.org/on-the-economy/2025/feb/impact-generative-ai-work-productivity


Ready to stop guessing and start deciding with confidence? Book a free consultation with lil.business — we'll help you figure out which AI tools will make the biggest difference to the decisions that matter most in your business.
