If Meta is missing in action, move defence to the call
Vericode · 23 April 2026
A bank just publicly accused Meta of being missing in action on deepfake scam ads, including ads that featured an AI-generated version of the bank’s own CEO. The bank is not a hot-take outlet or a privacy NGO. The bank is Westpac. When the institution that wears the reimbursement pressure says the platform is not pulling its weight, the conclusion is awkward and obvious: the defence has to move somewhere the platform cannot shrug off.
That does not mean Meta is the whole story. It does not mean every platform team is idle, or that banks can outsource every hard problem to a social network and call the job done. Westpac’s choice to name the platform in public is important for a different reason. Banks do not do that lightly.
Public naming usually means private routes have not produced enough change.
Deepfake scam ads are an ugly fit for platform defence. They are cheap to generate, fast to vary and easy to point at the credibility of somebody else’s brand. A fake executive, fake celebrity, fake investment page, fake bank endorsement or fake news layout can be spun up and tested faster than any manual review process wants to admit.
The economics are difficult for the defender. The attacker can create variants at software speed. The platform has to detect them across enormous surface area, languages, formats, accounts and payment methods. Better models will help. Better enforcement will help. But the platform remains a long way from the customer at the moment the scam turns into a decision.
That distance is the lesson.
The scam chain has several links before money moves. A person sees an ad. They click. They share details. They receive a message. They take a call. They are moved into a fake service flow, a fake investment process, or a real bank transfer under false instructions. The platform matters at the first link. It is not always present at the last one.
Any defence closer to the customer has more leverage in the later stage. The bank’s own channel. The telco layer. The inbound call. The payment screen. The account-recovery step. The place where the person is being asked to trust a name, voice, number or instruction. Those are the points where the institution can be staffed, accountable and specific.
That is why the Westpac signal is bigger than a dispute with Meta. It says a major bank is no longer comfortable treating platform cleanup as the centre of the answer. The platform may still need to do more. The regulator may still push. But the control architecture has to assume some bad material gets through.
Once you assume that, the question changes. It becomes less “why did the ad exist?” and more “how many chances did the system have to stop belief becoming action?”
That is not a kinder question. It spreads responsibility. It asks platforms to remove bad ads, banks to harden money movement, telcos to reduce bad traffic and businesses to verify high-risk conversations before sensitive decisions are made. It does not let any one layer declare victory because another layer failed first.
Westpac has just told you, in public, that it has stopped waiting. Reading that as anything else is wishful.