Deepfakes and Fraud-as-a-Service: The New Fraud Economy

When the regulator that supervises South Africa's banks describes something as a "significant escalation", it is worth reading the fine print. In its 2025/26 annual report, the Prudential Authority (PA) used exactly those words about digital fraud, noting growth in both scale and sophistication across the institutions it oversees.
The detail behind that phrase should concern every business, not just the banks.
What the regulator is seeing
The PA's report lists the fraud techniques driving the escalation:
- Social engineering: manipulating people into approving payments or handing over access.
- Account takeover: criminals getting control of legitimate email, banking or system accounts.
- Synthetic identity fraud: fake identities stitched together from real and invented details.
- Payment and insider-enabled fraud: abuse of payment processes, sometimes with help from inside.
- AI-enabled techniques: deepfake audio and video used to impersonate real people.
Two forces are accelerating all of this. The first is generative AI, which makes convincing fake voices, videos and messages cheap to produce. The second is what the report calls fraud-as-a-service: ready-made fraud kits sold to anyone, which lowers the barrier to entry and speeds up the arrival of new fraud types.
Put plainly, criminals no longer need technical skill. They can rent it.
Why this lands on ordinary businesses
Banks are responding hard. The PA notes they are strengthening AI-enabled fraud detection and prevention. But there is a predictable consequence when the most defended targets get harder to hit: attackers move to softer ones.
For most companies, the exposure looks like this. A finance clerk gets a voice note that sounds exactly like the managing director, asking for an urgent payment. A supplier emails new banking details, except the supplier's mailbox was taken over weeks ago. A "new customer" passes every surface-level check because the identity was synthetic from the start.
None of these require the attacker to breach your firewall. They target trust, and trust is the one system every business runs on.
Defences that actually hold up
The encouraging news is that the most effective countermeasures are procedural and affordable.
Verify out-of-band, every time
Any request to change banking details or make an unusual payment gets confirmed on a known phone number, from your own records, before money moves. Not the number in the email signature. This single habit defeats most deepfake and invoice fraud, because the fake only works inside the channel the attacker controls.
Protect the accounts fraud is built on
Account takeover is the foundation for much of the rest. Multi-factor authentication on email and financial systems, strong unique passwords, and conditional access on Microsoft 365 close the easiest routes in. Email security that flags external senders and lookalike domains catches the impersonation attempts that slip past busy eyes.
Train people for the new fakes
Staff awareness training has moved on from spotting bad spelling. Teams now need to know that a familiar voice on a call is no longer proof of identity, and that urgency plus secrecy is the signature of fraud, however convincing the medium. Regular, short training with simulated phishing keeps that instinct fresh.
Watch for your credentials in the wild
Stolen and leaked credentials feed the fraud-as-a-service economy. Dark web monitoring shows you when your staff logins are circulating, so you can reset them before they are used against you. Around-the-clock managed detection and response (MDR) then covers the cases where someone does get in, because takeovers are rarely noticed by the victim first.
Fighting AI with AI, at your scale
The banks' answer to AI-enabled fraud is AI-enabled detection. Smaller organisations get the same capability through managed security tooling: modern endpoint protection and MDR services already use machine learning to spot the behaviour patterns humans miss. You do not need to build what the banks built. You need access to it.
The takeaway
The PA's report describes a fraud economy that is industrialising: tools for hire, identities on demand, and voices that cannot be trusted at face value. That environment rewards businesses that assume impersonation is possible and verify accordingly.
Tighten your payment verification, lock down your accounts, train your people and put someone on watch. The fakes are getting better, but the fundamentals still beat them.
Want this handled for you?
Talk to the F1 team about managed IT, cybersecurity and cloud for your business.

