Security

AI Deepfakes and Australian Law: What You Need to Know in 2026

Photo of Dale Whitfield Dale Whitfield28 seconds ago
0 0 7 minutes read

Two years ago, a convincing deepfake took hours of source footage, a decent GPU, and someone who knew what they were doing. In 2026, it takes a phone, a free app, and about three seconds of someone’s voice pulled off a TikTok. Our team has spent the last few months pulling apart the tools, the scams, and the Australian laws that are scrambling to keep up — and the short version is that the threat landscape has changed faster than most of us realise.

This piece is the long-form companion to the shorter security explainers we publish each week. Dale has been tracking the legislative side since the 2024 Criminal Code amendments dropped, and Priya on our AI desk has been benchmarking the actual generative tools that scammers are now using off-the-shelf. What follows is what every Australian — and especially anyone with elderly parents or grandparents — needs to know about deepfakes, the law, and what to actually do when one lands in your inbox or on the other end of a phone call.

How deepfakes are actually made in 2026

The barrier to entry has collapsed. Priya ran a quick experiment for us last month: she took a 4-second voice sample from one of our own podcast episodes, fed it into a commercial voice-cloning service, and within ninety seconds had a synthetic version of the speaker reading a completely fabricated script. The result was good enough that two members of our team — people who hear that voice weekly — couldn’t reliably tell the clone from the original on a phone-quality line.

The current generation of tools breaks down into three buckets we think readers should understand:

  • Voice cloning — Models like ElevenLabs, Resemble and an expanding crop of open-source equivalents now need three to ten seconds of clean audio. Source material is harvested from social media videos, voicemail greetings, podcast appearances, and Facebook Lives.
  • Generative video — Text-to-video models can produce 30 to 60 seconds of broadcast-quality footage from a written prompt. Face-swap apps overlay a target’s face onto existing footage in near real-time, which is increasingly being used in video calls.
  • Real-time avatar puppeting — The category Josh on our PC desk has been watching most closely. A scammer can now sit on a Zoom or WhatsApp video call wearing someone else’s face, with lip-sync and head movement that holds up in low-light conditions and on small screens.

None of this requires a workstation rig anymore. Most of it runs in a browser or on a mid-range phone.

The Australian scam pattern we’re seeing most

The single most common deepfake harm landing on Australian victims right now is the voice-clone family emergency scam. The structure is almost always identical: an elderly relative gets a call, hears what sounds exactly like their grandchild or adult child, and is told there’s been a car accident, an arrest overseas, or a medical emergency. Money needs to be sent immediately. Don’t tell mum and dad. Don’t hang up.

Scamwatch logged a sharp climb in these “family impersonation” calls through 2024 and 2025, and the cloned-voice variant has become the dominant flavour. Our team has spoken to two Australian families in the last quarter alone who lost five-figure sums this way. In both cases the source audio for the clone came from a public Instagram reel.

The other patterns we’re tracking are:

  • CEO and CFO fraud — a cloned voice from the boss instructing finance to wire funds urgently.
  • Romance and investment scams with live video that holds up to a brief verification call.
  • Non-consensual intimate imagery — face-swapped pornographic content used for harassment, extortion, and reputational damage, often targeting teenagers.
  • Electoral and political disinformation — fabricated clips of politicians, particularly relevant heading into the next federal cycle.

What Australian law actually covers

This is the part Dale’s been deep in. The legal picture is genuinely better than it was eighteen months ago, but it’s a patchwork, and a lot of Australians don’t realise what’s now an offence.

The Criminal Code Amendment (Deepfake Sexual Material) Act 2024 created a specific Commonwealth offence for transmitting sexually explicit material — including AI-generated and digitally altered content — of a person aged 18 or over without their consent. Penalties run up to six years’ imprisonment, and up to seven years where the offender is also responsible for creating the material. This was a meaningful expansion: previously, prosecutors often had to lean on state-based image-based abuse laws, which varied wildly in scope.

The Online Safety Act 2021 gives the eSafety Commissioner takedown powers that apply to deepfakes as well as genuine images. Platforms can be ordered to remove non-consensual intimate content — synthetic or otherwise — within 24 hours, and the Commissioner can issue civil penalties for non-compliance.

Beyond the sexual-content space, deepfake-enabled conduct is generally prosecuted under existing offences:

  • Fraud and obtaining financial advantage by deception — the standard charge for voice-clone scam money transfers.
  • Identity theft and dealing in identification information — Commonwealth and state offences both apply.
  • Using a carriage service to menace, harass or cause offence — section 474.17 of the Criminal Code, which catches a lot of harassment-grade deepfake distribution.
  • Defamation — civil rather than criminal, but a real avenue where a deepfake damages someone’s reputation.

What Australian law does not currently do is criminalise the mere creation of a deepfake. Parody and satire remain legal, and there’s no general “synthetic media labelling” requirement at the federal level yet, though the conversation is live.

The grey zone: parody, satire, and journalism

We want to be careful here, because not every deepfake is a crime or a harm. Synthetic media has legitimate uses in film, accessibility (voice restoration for people with ALS, for instance), education, and yes, political satire. The Mad as Hell-style fabricated clip of a politician for comedic effect has a long Australian tradition and isn’t going anywhere.

The line, broadly, sits at three places: consent (was the person depicted okay with it?), deception (is it presented as real?), and harm (does it cause loss, distress, or reputational damage?). Most legitimate uses clear all three. Most of the cases we’re worried about fail at least two.

How to verify a suspicious call or video

Em on our gadgets desk put together the practical verification checklist we now use ourselves, and we’d urge readers to share it with anyone in the family who’s likely to be targeted:

  • Hang up and call back on a known number. This single step defeats almost every voice-clone scam in circulation.
  • Agree on a family safe word — a single word or short phrase that only real family members know, used to verify any urgent request involving money or travel.
  • Ask a specific question only the real person would know, ideally about something not on social media.
  • On video calls, ask the person to turn their head fully sideways or hold a hand in front of their face. Many real-time face-swap tools still glitch under these conditions.
  • Be sceptical of urgency, secrecy, and unusual payment methods — gift cards, crypto, third-party “mule” accounts. These are red flags regardless of how convincing the voice sounds.
  • If something looks off about a website you’ve been pushed to, our guide on how to spot a scam website walks through the technical tells.

Worth flagging: if you suspect a scammer has actually compromised your device rather than just impersonated a voice, our writeup on how to tell if your phone has been hacked covers the practical detection steps. And for the broader question of why transport-layer security still matters for everyday accounts, our piece on Yahoo Mail and HTTPS is still one of the clearest primers we’ve published.

How to report a deepfake in Australia

This is where a lot of victims get lost, because the right channel depends on the harm. Our team’s rule of thumb:

  • Non-consensual intimate deepfakes, cyber-bullying of minors, adult cyber-abuse — report to the eSafety Commissioner. They have actual takedown powers and a workable response timeline.
  • Cybercrime, fraud, identity theft, business email compromise — report through the Australian Signals Directorate’s ReportCyber portal. This feeds both police intelligence and the ACSC’s response teams.
  • Scams more broadly, including voice-clone family emergency calls — report to Scamwatch (now run through the National Anti-Scam Centre).
  • Active financial loss or immediate threat — contact your bank’s fraud line first, then police on 131 444 (or 000 if there’s a safety risk), then the channels above.

What to teach the grandparents

If you read one section of this piece aloud to a relative, make it this one. Dale’s take is that the technology has now outrun the instincts most people built up over decades of phone use, and the people most at risk are the ones who learned to trust a familiar voice on the other end of the line.

  • Any urgent call asking for money is suspicious. Always hang up and call back on the number you already have saved.
  • A real grandchild in real trouble can wait two minutes for you to verify. A scammer cannot.
  • Agree on a family safe word now, today, before you need it.
  • Lock down social media. The voice in the scam came from somewhere, and that somewhere is usually a public post.
  • It’s okay to be rude. Hanging up on a scammer who is impersonating your grandchild is not rude. It is correct.

Final thoughts

Australia is in a better legislative position on deepfakes than most comparable countries, but the law is necessarily a step behind the technology, and it can only do so much when the source material for a convincing voice clone is sitting in a public Instagram archive. The practical defences are mostly behavioural: a callback, a safe word, a moment of friction in a process that scammers rely on being frictionless.

Our team will keep tracking the legislative developments — particularly any movement on synthetic-media labelling and electoral deepfake offences — and we’ll update this piece as the picture changes. If a deepfake has affected you or someone in your family, please report it through the channels above. The reporting genuinely matters, both for your own case and for the warning systems that protect everyone else.

Photo of Dale Whitfield Dale Whitfield28 seconds ago
0 0 7 minutes read
Photo of Dale Whitfield

Dale Whitfield

Dale Whitfield is the Founding Editor of Tech Geek. He set the brief the site still runs on — clear, useful technology journalism with no hype — and writes its bigger news analysis pieces. Dale has spent years following how technology companies behave and translating their announcements into what they actually mean for readers.

Related Articles

How To Protect Your Website From Data Breaches

How To Protect Your Website From Data Breaches

November 19, 2025
Australia’s Early Warning Network Breach

Australia’s Early Warning Network Breach

February 11, 2026
A person entering credit card details on a laptop

How to Spot a Scam Website Before It Catches You

4 weeks ago
The Connection of Google Drive and Mac Trojans

The Connection of Google Drive and Mac Trojans

February 12, 2026

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button