Technical question: how are you handling deepfake detection in your identity verification flow?

Scam hunter Jim Browning successfully exposed a real-time deepfake identity attack by employing a simple physical test to force an AI face overlay to fail. During a Zoom call with an individual using synthetic face software, Browning requested the person hold three fingers in front of their face, causing the scammer to stall, deflect, and eventually disconnect from the call.

What happened

The incident highlighted a known limitation in early-generation AI rendering, specifically regarding object occlusion. When a hand passes in front of a face, deepfake software often struggles to composite the image cleanly, resulting in visible glitches. In this instance, the real-time deepfake suffered from lip-sync lag and edge artifacts. While the three-finger test was effective in this specific case, experts warn that it is not a permanent solution. As detection tricks go viral, they enter an adversarial feedback loop, providing scammers with the necessary information to optimize their models and patch these specific technical limitations.

Security professionals emphasize that relying on manual 'tells' can create a false sense of security. Modern deepfake models are rapidly improving, and real-time systems are already addressing occlusion issues. Instead of relying on human-led detection during high-pressure calls, resilient organizations are encouraged to implement structural verification processes. This includes requiring second-channel confirmation for executive requests, utilizing two-person approvals for vendor payments, and verifying wire transfers through known, trusted contact channels. As noted by industry experts, deepfake attacks succeed when human-operated systems are not designed to verify identity under pressure. Building robust, process-driven defenses that do not rely on an individual spotting a technical flaw remains the most reliable strategy for mitigating the risks of synthetic social engineering.