Your finance manager receives a call. It sounds exactly like the CEO. The voice is familiar, the tone is right, and the request is urgent. Transfer funds to a supplier account before end of day. The CEO is unavailable to call back. The finance manager complies. The money is gone within hours, and it cannot be recovered.
This is not a hypothetical scenario. AI impersonation attacks using cloned voices and deepfake video are happening to organisations right now, including in Australia. What makes them particularly dangerous is that they do not rely on malware, compromised systems or technical vulnerabilities. They rely entirely on a staff member trusting what they see and hear, which is exactly what attackers are counting on.
For directors, owners and senior leaders, this is a threat that demands attention at a governance level. The question is not whether your IT systems are secure. It is whether your people know what to do when the voice on the phone, or the face on the video call, turns out not to be who they think it is.
Why AI impersonation attacks are different from anything that came before
Impersonation has always been a social engineering tactic. What has changed is the technology behind it and the barrier to entry for attackers. Until recently, cloning someone’s voice or appearance required significant technical skill, specialist software and substantial time. That is no longer true.
Today, a convincing voice clone can be generated from a few seconds of audio that is freely available for almost any senior leader. It might come from a company website video, a podcast interview or a LinkedIn post. Attackers do not need to breach your systems to get it. Similarly, tools that generate realistic synthetic video are now widely accessible. Attackers have used them to conduct live video calls where the face on screen appears to be a known executive and the person receiving the call has no way of knowing otherwise.
The result is that AI impersonation attacks have crossed a threshold. The hard part for organisations is no longer detecting whether something looks real. It is building the processes and awareness that mean staff do not simply trust what they perceive.
What AI impersonation attacks actually look like in practice
Understanding the specific forms these attacks take is important, because each one exploits a different moment of trust and requires a different response from staff.
Voice cloning and phone-based fraud
An attacker clones the voice of a known executive or manager and calls a staff member directly, typically someone in finance, HR or a role with access to sensitive systems or accounts. The request is usually urgent and framed in a way that discourages verification, such as asking for a payment to be processed quickly, requesting access credentials for a time-sensitive matter, or instructing someone to bypass a normal approval process. Because the voice sounds authentic, many staff comply without question.
Deepfake video calls
A more sophisticated version of the same attack involves a live or pre-recorded deepfake video of a known person, delivered through a video conferencing platform. The target sees a face and hears a voice they recognise, often alongside other apparent participants who are also synthetic. This format is particularly effective because it removes the usual hesitation that comes with a voice-only call. If you can see the person, the instinct to verify is significantly reduced.
AI-generated messages and written impersonation
Not all AI impersonation attacks are audio or video based. Large language models can analyse the writing style of a known person from emails, social media posts or other public communications and generate messages that closely replicate that style. An attacker can use this to send convincing emails or messages that appear to come from a trusted colleague or leader, often requesting sensitive information, approving unusual transactions or asking the recipient to take an action they would not normally take without confirmation.
Synthetic identity fraud in hiring and vendor processes
AI impersonation is also appearing in hiring and vendor onboarding. Organisations have encountered candidates who use deepfake tools to conduct video interviews as a fabricated identity, or vendors who use AI-generated communications to establish credibility before requesting payments or access. These attacks exploit trust before any real relationship has been established.
Why AI impersonation attacks succeed even in well-run organisations
It would be easy to assume that only careless organisations fall for these attacks. The reality is more uncomfortable. These attacks work because they exploit the way people naturally process trust, and because most organisations have not built explicit processes to counter them. When a voice sounds familiar and the request is urgent, the instinct to comply is strong. Attackers create time pressure, invoke authority and choose moments when the target is most likely to act quickly.
Furthermore, without structured awareness training that specifically addresses AI impersonation, most staff have no mental framework for questioning whether the voice or face they are encountering is real. They have been taught to be sceptical of suspicious emails, but not to be sceptical of a call that sounds exactly like their manager.
What a prepared organisation does differently
Defending against AI impersonation attacks does not require sophisticated technology. It requires a combination of clear process, explicit awareness and a culture where verification is normalised rather than treated as an obstacle.
In practice, a well-prepared organisation does the following.
- Ensures all staff, particularly those in finance, HR and leadership support roles, receive AI-focused awareness training that explicitly covers voice cloning, deepfake video and AI-generated messages, not just traditional phishing.
- Establishes a simple verbal code or out-of-band verification process for any request involving a financial transaction, credential sharing or system access, regardless of how convincing the request appears or who it seems to come from.
- Sets a clear organisational norm that pausing to verify an unusual request is always acceptable and never an overreaction, so that staff do not feel pressured to comply quickly when something feels off.
- Runs regular phishing simulations that include social engineering scenarios, so that staff build practical experience in recognising and responding to manipulation attempts before a real one occurs.
- Ensures that senior leaders are aware their voice and likeness may be used in attacks targeting their own staff, and that this awareness shapes how the organisation communicates about unusual or urgent requests.
The common thread across all of these is that the defence is human. Technical controls help, but they cannot intercept a phone call in which a staff member is convinced by a cloned voice. Only awareness and process can do that.
Training that covers the AI threats your staff are actually facing
Understanding that these attacks exist is only the first step. Staff need practical, specific training that helps them recognise AI impersonation attempts in the moment, not after the fact. That is precisely what 4walls’ AI-focused course suite is designed to deliver.
The LLM data exposure course and LLM hallucinations course help staff understand how AI systems generate convincing but potentially false or manipulative content, which is directly relevant to recognising AI impersonation in written form.
The safe use of AI tools courses, covering ChatGPT, Copilot, Claude and DeepSeek, give staff a working understanding of what these tools can do, which is essential context for recognising when those capabilities are being used against them.
Together, these courses build the kind of informed scepticism that makes AI impersonation attacks significantly harder to execute successfully against your organisation.
A practical starting point for leaders
If you are not sure how your organisation would respond to an AI impersonation attempt today, start with a simple question. If a staff member in your finance team received a call that sounded exactly like you, asking for an urgent payment, what would they do?
If the answer is uncertain, that is your starting point. A cyber security assessment can help surface where your organisation’s human risk sits, including the awareness gaps that AI impersonation attacks are most likely to exploit. Putting explicit training and simple verification processes in place from there is straightforward.
Get started with 4walls
At 4walls, we work with boards, owners, principals and CEOs who want a clear, practical picture of where their human cyber risk actually sits. AI impersonation attacks are one of the fastest growing and least understood threats facing Australian organisations right now, and awareness is the single most effective defence.
If you would like to understand how prepared your team is, our cyber governance principles training and Board cyber check in are designed to help leadership teams build the visibility and structure that makes these questions straightforward to answer.
Our structured cyber dashboard and reporting framework is fully set up and live within 30 days, giving leadership a clear view of overall cyber posture, technical compliance, prioritised actions and user awareness engagement. Within that first 30 days, cyber becomes trackable and reportable, ready for leadership, board or insurer discussions. If you are not sure how your organisation would stand up to that level of scrutiny, our 3 minute cyber starting point check gives you an immediate view of where the gaps are.
AI impersonation attacks rely on people not being ready. The good news is that readiness does not require a technical background. It just requires the right training and a clear process.