The deepfake confidence gap is wider than it looks
Vericode · 15 December 2025
CommBank ran the numbers last week and published the statistic that everybody in fraud has been suspicious of for two years. Eighty-nine percent of Australians say they can spot an AI scam. Forty-two percent actually can. The gap between confidence and capability is what every romance scam, every fake-CEO transfer and every voice-cloned family call lives in.
You cannot fix that with a poster alone.
That is not a swipe at education. Awareness work matters. People should know that deepfake audio exists, that celebrity investment ads can be fake, that an urgent payment request deserves a second channel and that a caller who sounds familiar can still be false. A better informed public is useful.
The problem is that confidence can rise faster than capability. Once people have heard about a threat, many of them believe they are now equipped to spot it. That is the trapdoor. Knowing that deepfakes exist is not the same as detecting one under pressure.
The loss numbers are large, but the confidence gap is the cleaner signal. Australians are still losing billions to scams across the year. ASIC is still taking down phishing and investment-scam sites at scale. Banks are still investing heavily in fraud prevention and reporting serious reductions in some categories. Those are important facts, but they sit behind a simpler human one: people trust their own judgement at exactly the moment attackers are working to manipulate it.
Voice scams make this especially uncomfortable. The August lesson was that voice is no longer evidence of identity. The December lesson is that even when people know the trick exists, many still believe they will recognise it in the moment. They imagine the fake will sound fake. It often will not.
This is where “just train the users” starts to run out of road. A user is not operating in a clean classroom. They are tired, distracted, embarrassed, rushed, lonely, worried, helpful or under authority pressure. A finance manager hears the CEO. A parent hears a child. A customer hears a bank. A staff member hears somebody who knows enough account detail to sound legitimate.
The attacker is not asking for an abstract judgement about AI. The attacker is asking for an action.
That is why bank-side controls matter so much. Payment warnings, scam intelligence, payee checks, transaction monitoring and customer-support escalation all take pressure off the individual. The best controls do not merely tell people to be smarter. They change the moment in which the decision is made.
But the call itself is still a hard place. The person on the phone may have true facts, a familiar tone and a plausible reason. If the only live check is the listener’s gut, the 89 percent number is dangerous. It says people feel ready. The 42 percent number says many are not.
The answer is not to shame people for being fooled. Shame is useless against a professionalised fraud market. The answer is to stop designing systems that leave ordinary people as the final authentication layer. Education should help people pause. Infrastructure should make the pause meaningful.
That is the distinction. Awareness campaigns close the awareness gap. The confidence gap is something else. It closes when high-risk actions have verification steps that do not depend on a person’s ability to hear the difference between real and synthetic trust.
Verification has to live somewhere that is not the user’s gut.