Technology · AI in everyday life
Deepfakes: Spot Them, Assess Them, Guard Against Them
Cloned voices, faked video calls: deepfakes are now an everyday risk. Why spotting them isn’t enough on its own – and which safeguards actually work.
By Boaz Lichtenstein

The grandparent scam got a technology upgrade: the voice on the phone is the daughter’s, sounds like her, breathes like her – cloned from a few seconds of social media material. Companies transfer millions after video calls with deceptively realistic “executives”, and synthetic audio clips circulate ahead of elections and referendums. Deepfakes aren’t a future worry any more – they’re a real, everyday risk, and dealing with them demands a genuine change in thinking.
Key takeaways
- Classic tells (fingers, blinking, edges) disappear with every model generation – you can no longer rely on a trained eye, even an experienced one.
- Checking provenance beats image forensics: where did the material come from, who is spreading it, is there independent confirmation?
- Voice-cloning fraud now works with just a few seconds of voice material – codewords and callbacks are the most effective defence.
- Businesses need process protection (four-eyes principle, verified channels), not detection tricks for individuals.
- The AI Act requires labelling of AI-generated content – anyone producing synthetic media themselves is now legally obliged to comply.
Why “spotting it” is losing the race
The popular detection tips age badly, because every model generation fixes the flaws of the last one – automatic detectors deliver probabilities at best, never verdicts. Anyone who bases their security on a trained eye is building on sand.
The more robust questions are forensically mundane: Where did the material originally come from? Who benefits from its spread? Is there independent confirmation? For important content, the reverse approach is also gaining ground – provenance credentials instead of the hunt for fakes: standards like C2PA attach cryptographically secured provenance data to recordings from the moment they leave the camera. The ecosystem is still young, but the direction is set: in future, what will matter less is whether something looks real, and more whether it can prove it is.
Automated deepfake detectors that check images or audio for statistical anomalies are no way out of this dilemma either: they’re trained on the very same models used to create the fakes, and so sit permanently a step behind the latest generation in an ongoing arms race. In practice, that means: a tool showing “93 per cent likely genuine” doesn’t replace the question of the source – at best, it complements it.
The three most common scams compared
Not every deepfake scam works the same way – target group, method of attack and defence differ markedly between voice, video and image:
| Scam | Typical target | Most effective defence |
|---|---|---|
| Voice cloning (grandparent scam 2.0) | Private individuals, older people | Family codeword, callback on a known number |
| Video-call fake (“boss” fraud) | Accounting, finance departments | Four-eyes principle, never approve on the strength of a call alone |
| Synthetic images/scandals | Public figures, reputation | Provenance checks, no sharing without a source check |
How to check a suspicious call or video call
- Stay calm – scam attempts almost always work with artificial time pressure (“transfer it now”, “don’t tell anyone”).
- Hang up or end the call, rather than continuing to argue it out over the phone.
- Call the person back on a second, self-chosen channel – the known, saved number, not the one the call came from.
- Ask for the agreed codeword, if one exists (family, team).
- For requests for money or data: never decide based on voice or image alone.
- In business: involve the second approver, even if the call is supposedly “urgent” and “from the boss personally”.
- Report suspected cases internally, so colleagues are warned about the same scam.
The concrete safeguards
At home: agree emergency codewords within the family; verify any unusual request for money or codes through a second, self-chosen channel; treat composure as the default stance. In business: payment and data approvals should always be process-secured (four-eyes principle, confirmation via verified channels), staff explicitly trained on voice and video fakes, and a reporting path defined for genuine incidents. Legally, the framework has tightened: the AI Act requires labelling of AI-generated content, and unauthorised use of someone else’s voice or face breaches personality rights – anyone working with synthetic media themselves should label it clearly and obtain consent. (This is not legal advice.)
For businesses, it’s also worth looking at the technical side of approval processes: payment systems that technically enforce a second, independent confirmation (rather than merely recommending it in a handbook) prevent the most expensive mistake more reliably than training alone ever can. Equally helpful is a short, rehearsed phrase staff can use to check back without losing face – “let me call you back before I approve this” should be treated as standard practice within a business, not as distrust of the person calling.
The most common mistakes
Trusting your own ears: “I would have spotted that” is the most dangerous assumption – good clones sound identical to the original to untrained ears. Only being cautious with video: audio-only fraud (the classic phone call) is technically simpler and so more common than elaborate video fakes. Not agreeing a family or team convention before something happens: a codeword negotiated only in the moment of crisis comes too late. Having no clear responsibility internally for suspected cases: without a named reporting path, even the best training fizzles out – staff who don’t know who to turn to would rather stay quiet than risk a false alarm. Taking callback numbers from the ongoing conversation: letting the caller dictate the “correct” number verifies nothing – the number has to come from an independent, previously saved contact. Anyone familiar with these patterns will quickly spot the parallel to other kinds of fraud – the underlying mechanics closely resemble what we describe in our article on spotting crypto scams: time pressure, an unexpected channel, an unusual request. In documented corporate cases, losses from boss fraud via video call have often run into the high five to six figures – a single convincing call is enough, if nobody insists on the callback.
The bottom line
Between panic (“nothing is real any more”) and naivety (“I’d spot it”) sits the sound position: media scepticism as routine, verification as procedure. Individual content can deceive – processes, codewords and callback channels can’t. The deepfake era doesn’t make truth impossible, it makes truth infrastructure necessary. Build it on a small scale – a codeword, a callback reflex, a company rule – and you’re ahead of the problem before it hits you.
The pragmatic next step fits into a single conversation: agree a codeword with the family, say out loud once in the team that callbacks on money matters are expected and never seen as impolite. That one agreement costs nothing and, in the one moment it’s actually needed, proves more reliable than any after-the-fact image analysis.