I no longer treat a familiar face, recognisable voice or polished video call as proof of identity. The 2025 FBI Internet Crime Complaint Center report recorded 22,364 complaints containing AI-related information and adjusted losses of $893.3 million, including more than $30 million connected to AI-involved business email compromise. This deepfake detection guide explains how to examine suspicious video, audio and images, how to verify the surrounding claim, which tools are useful, what their pricing and limits look like, and how a business should respond when money or access is at stake.
The central lesson is practical: detection begins with context, not with hunting for strange blinking. Modern synthetic media can preserve faces, hands and lighting well enough to defeat casual inspection, while genuine footage can look artificial after compression, stabilisation, translation or aggressive editing. A reliable decision therefore combines source tracing, frame and audio analysis, provenance signals, reverse search, behavioural red flags and independent verification through a trusted channel.
This article contains exactly seven core checks. The sections after Check 7 do not add more checks; they show how to apply the same method to business fraud, political or viral video, technical detector design and incident response. Vendor claims are treated as product claims rather than universal accuracy guarantees. Pricing and technical limits were checked against public pages available on 20 June 2026, and unpublished limits are identified rather than estimated.
What Deepfake Detection Can and Cannot Prove
Deepfake detection is an evidence-ranking task, not a magic authenticity test. A detector can identify patterns associated with synthetic generation or manipulation, but it usually cannot prove who made the file, why it was made, whether a quoted statement is true, or whether an authentic recording has been placed in a false context. The strongest conclusion is often probabilistic: the media is likely manipulated, likely authentic, inconclusive, or authentic-looking but contextually unverified.
That distinction matters because the word deepfake now covers several different problems. Face swaps replace or alter a person’s appearance. Lip-sync systems make a real face appear to speak new words. Fully generated video creates an entire scene. Voice conversion changes one speaker into another, while text-to-speech creates speech from a script. Image editing can add or remove objects without changing a face. A detector trained for one manipulation may miss another, so a clean result is not a universal clearance.
The practical framework has four evidence layers. Context asks who published the claim and whether independent sources corroborate it. Forensics examines pixels, frames, audio and compression behaviour. Provenance checks whether signed origin and edit records exist. Behavioural verification tests the human request by switching channels, calling a known number or enforcing an approval process. A robust decision uses more than one layer.
This is why visual literacy must keep pace with the rapidly improving systems described in our coverage of AI video generation risks. Better generators reduce obvious artefacts, but they do not remove the need for source analysis, transaction controls or chain-of-custody. In high-stakes settings, the right question is not merely ‘Is this fake?’ It is ‘What evidence is strong enough for the decision I am about to make?’
A useful confidence scale
Use four labels in internal workflows: verified, probably authentic, suspicious, and inconclusive. Reserve verified for media supported by a trusted original source, corroborating evidence and, where available, valid provenance. A detector score by itself should normally remain suspicious or inconclusive until another layer agrees.
The seven checks at a glance
This article uses exactly seven checks. The later business, journalism and technical sections apply the same method; they do not add extra checks.
Work from context to behaviour. One warning should slow the decision, while several independent warnings should trigger escalation. For payments, access, journalism, legal evidence or reputational risk, complete all seven checks and record the result.
A detector score is never the final verdict. The strongest conclusion comes from independent signals that agree: source history, scene physics, audio, provenance and verification through a trusted channel.
| Check | What to inspect | Warning sign | Stronger verification |
| 1. Context | Account, claim, timing and corroboration | Unknown source or extreme unsupported claim | Official source and independent reporting |
| 2. Face and body | Expressions, lip sync, identity boundaries | Flicker, inconsistent features or motion | Neighbouring-frame comparison |
| 3. Scene physics | Light, reflections, shadows and perspective | Regions obey different geometry or lighting | Cross-region frame analysis |
| 4. Audio | Breath, cadence, room tone and movement | Clean voice in noisy scene or warped transitions | Known-number callback and safe phrase |
| 5. Source tracing | Keyframes, reverse search and metadata | Older original or changed caption | Earliest credible upload and original file |
| 6. Provenance and tools | Content Credentials and detector output | Invalid manifest or high synthetic score | Conforming provenance plus second method |
| 7. Behaviour | Urgency, secrecy and requested action | Payment, OTP or channel refusal | Dual approval and independent contact |
Check 1: Verify the Source and Claim
Before pausing a frame, inspect the social and informational context. Deepfake scams succeed because the recipient accepts the identity claim before evaluating the request. Start by recording the exact account name, platform, posting time, caption, claimed location and original link. Screenshots are useful for preservation, but they are poor substitutes for the source because they remove metadata, upload history and surrounding conversation.
Check whether the account is established, verified in a meaningful way and consistent with the person or organisation it claims to represent. Look for recent username changes, sudden subject changes, thin posting histories, recycled profile photographs and replies that direct users to private messaging. Search the central claim in neutral language, then look for confirmation from an official website, reputable newsroom, regulator, police force or direct corporate account. The absence of confirmation does not prove fabrication, but it should lower confidence when the claim is dramatic or urgent.
Language provides a second context signal. Scam content is often engineered to trigger action before reflection: an emergency hospital bill, secret acquisition, political outrage, investment window, account lockout or urgent transfer. The more perfectly a clip supports a high-arousal narrative, the more important it is to slow down. This is especially true when the sender rejects ordinary verification, insists on secrecy or frames any delay as disloyalty.
For businesses, build a ‘claim card’ before technical analysis: claimant, requested action, deadline, financial exposure, systems involved, known contact route and independent corroboration. This simple step separates media authenticity from business authority. A real chief executive can still send an unsafe request, and a fake chief executive can exploit a genuine project. The fraud patterns overlap with the social-engineering mechanics in our analysis of remote-support scam patterns, where urgency and channel control matter more than the software itself.
The thirty-second pause
Do not forward, download repeatedly or confront the sender immediately. Preserve the source, note the request, and move to an independent channel. That pause blocks many attacks before any specialist tool is needed.
Check 2: Inspect Faces, Bodies and Motion
Visual artefacts remain useful, but they must be treated as warning signs rather than proof. Play the clip at normal speed first, then at half speed. Pause on motion transitions rather than choosing only the cleanest frame. Deepfakes often fail when the head turns quickly, a hand crosses the face, hair moves across the forehead, glasses catch changing reflections, or the subject moves in and out of focus.
Inspect expression timing. In synthetic footage, the mouth may smile before the eyes respond, the cheeks may move without corresponding folds, or the face may remain unnaturally stable while the head and neck move. Lip synchronisation errors can appear as consonants without the expected mouth closure, delayed jaw movement, or teeth that change shape between adjacent frames. Blinking is no longer a dependable single clue, but asymmetric eyelid motion, inconsistent moisture highlights or eyes that fail to track a nearby object can still support a broader finding.
Skin and identity consistency matter more than smoothness alone. Video compression can make genuine skin look plastic. Instead, compare the face with the ears, neck and hands. Ask whether age, colour temperature, sharpness, grain and motion blur match across those regions. Watch for earrings that merge into skin, hairlines that pulse, teeth that become uniform blocks, or facial features that subtly resize when the subject turns.
Hands are less useful than they once were because current generators can render plausible fingers. In an April 2026 interview with The Verge, Pindrop chief product officer Nicholas Holland said the old three-finger challenge ‘doesn’t work at all now’. A better live-call challenge changes lighting and geometry together: ask the person to turn sideways, move closer to a window, rotate an object in front of the face and repeat an unpredictable phrase. Even then, treat the response as one signal, not identity proof. Our review of AI portrait provenance explains why increasingly realistic still images also require provenance and account-level checks.
Deepfake detection guide for frame review
Extract frames at regular intervals and around sudden motion. Compare neighbouring frames, not isolated screenshots. Genuine compression noise usually evolves with motion; generated artefacts often attach to identity boundaries such as the jaw, hairline, teeth or glasses.
Check 3: Test Lighting, Shadows and Scene Geometry
Light is governed by physical relationships that a generator must reproduce across every frame. Start with the largest light source: a window, lamp, screen, sun or overhead fixture. Compare the direction and softness of shadows on the face, clothing, furniture and background. A suspicious scene may place a sharp nose shadow under diffuse room lighting, change the catchlight in the eyes without moving the camera, or illuminate the face from a direction that does not affect nearby objects.
Reflections provide another cross-check. Glasses should reflect bright sources in a way that changes predictably with head movement. Windows, polished surfaces and pupils should not show mutually incompatible scenes. Do not overinterpret missing reflections in compressed footage, but note when a reflection appears to slide independently of the object or disappears at a boundary.
Geometry is particularly valuable in generated scenes. Identify straight lines such as desk edges, ceiling panels, shelves, screens and door frames. In a real perspective projection, parallel lines converge coherently toward vanishing points. In a June 2026 San Francisco Chronicle demonstration, digital forensics researcher Hany Farid demonstrated this method on viral strike footage and summarised the result: ‘This shows an anomaly. A physical inconsistency.’ The clue was not a distorted face; it was a scene whose lines did not share plausible spatial geometry.
Background ‘breathing’ is another warning sign. Watch small text, cables, jewellery, patterned fabric, signs and objects near the subject. They may flex, vanish or change detail as the model regenerates the scene. Camera motion should also affect the whole frame consistently. If the head stays unnaturally locked while the room shifts, or the face boundary flickers only during movement, capture the relevant timestamps.
The information-gain insight is to compare physics across regions, not to search for one spectacular glitch. A deepfake can perfect the face while failing at the relationship between the face and the scene. This is also why safeguards discussed in our overview of AI image generator safeguards must be assessed alongside forensic review rather than assumed to make every output traceable.
A repeatable scene test
Choose three reference regions: the face, one nearby object and the background. Track light direction, sharpness, motion blur and perspective across ten to twenty frames. A consistent mismatch across regions is stronger than a single odd pixel.
Check 4: Listen for Audio Manipulation
Audio deepfakes are often more dangerous than video because the listener fills in missing visual information. A familiar rhythm or emotional phrase can override caution, especially during a supposed emergency. Begin by listening once without reading the caption. Then replay through headphones and focus on breath, room tone, consonants, pauses and the relationship between speech and movement.
Synthetic speech may sound too clean for the environment, hold a stable volume while the speaker turns away, or produce breaths that do not match sentence length. Listen for clipped word endings, metallic warbles, repeated background texture, sudden changes in reverberation and pauses that feel linguistically correct but physiologically wrong. Accent drift and unusual vocabulary can be useful when you know the speaker, although sophisticated models can imitate both.
Human intuition is not enough. A 2026 controlled vishing study involving 22 participants reported mean classification accuracy of 37.5%, below chance, with many AI clips labelled human and many human clips labelled AI. The small sample limits generalisation, but the result captures an important problem: confidence can remain high even when discrimination is poor. A larger 2026 study of 35,532 judgments from 1,768 participants found that distrust of genuine speech had also increased, showing the ‘liar’s dividend’ in audio form.
In the same April 2026 Verge report, Reality Defender CTO Alex Lisle described the new trust problem plainly: ‘We’ve gone the last 40,000-odd years believing our ears and eyesight, but now we can’t.’ The operational answer is not better listening alone. For money, credentials or sensitive data, call the person on a known number, use a family or team safe word, verify through a second employee, and never accept caller ID as proof.
Voice cloning also intersects with broader enterprise AI fraud risks. Attackers can combine a cloned voice with accurate organisational details, compromised email and a genuine meeting invite. Detection must therefore connect audio analysis to access controls and payment governance.
Live-call checks that still help
Ask an unpredictable question based on shared knowledge, then end the call and reconnect through a trusted contact. Do not ask for personal facts available on social media. The channel switch is more important than the challenge phrase.
Check 5: Trace the Source, Metadata and Provenance
Reverse search is often the fastest way to defeat a misleading clip. Extract several keyframes rather than searching only the thumbnail. Choose a clear face frame, a background landmark, a title card and a frame before or after the alleged event. Search each independently. The goal is to find an earlier upload, a different caption, a stock source, an original speech, or a higher-quality version with more context.
InVID-WeVerify is useful because it fragments online video into keyframes and connects verification tasks in one browser extension. Its feature set includes contextual analysis, reverse-search engines, metadata extraction, magnification, OCR and forensic aids. Some external services used through the interface are not open source, which is an important constraint for evidentiary work. TinEye is valuable for exact and modified image matching, but reverse image search does not decide whether an image is synthetic; it helps trace reuse and chronology.
Metadata can show timestamps, device details, codecs, edit software or GPS information, but social platforms commonly strip it. Missing metadata is not evidence of manipulation. Present metadata can also be forged. Preserve the original file when possible and calculate a cryptographic hash before analysis so investigators can show that the working copy has not changed.
Content Credentials, based on C2PA, add signed provenance records describing origin and edits. Adobe’s Inspect tool and the public Content Credentials verifier can display those records. The current C2PA specification provides a standard for creating and validating manifests, while the conformance programme checks whether products implement the standard correctly. Our report on AI watermarking standards covers the growing relationship between metadata and durable watermarking.
Provenance is powerful but not equivalent to truth. A valid credential can show that a file came through a declared workflow; it cannot prove that the depicted event was honest, that the camera clock was correct or that a caption is accurate. Conversely, absent credentials do not prove a fake. Signed provenance can also be stripped during ordinary platform processing, so it should be used as a positive signal inside a layered decision rather than as a universal authenticity badge.
Reverse-search order
Search the oldest-looking frame first, then the most distinctive background, then the face. Sort results by date where the service permits it. Record the earliest credible appearance and compare captions across uploads.
Check 6: Use Detection Tools Carefully
The consumer tool market splits into verification utilities and forensic detectors. Verification utilities trace sources, extract frames and inspect provenance. Forensic detectors score media for synthetic or manipulated patterns. The first category is often free and should be used first. The second can add evidence, but it introduces cost, privacy, model drift and false-positive risk.
For this 2026 comparison, we reviewed public product pages, documentation and published limits rather than treating marketing accuracy claims as laboratory benchmarks. Reality Defender currently offers the clearest public commercial matrix among the dedicated multimodal providers reviewed. Its RealAPI free tier lists 50 scans a month, up to three seats, image and audio analysis, API keys and a dashboard. The Business tier displays $399 under annual billing, 1,000 monthly scans, one seat, image, audio and video analysis, explainability, unlimited API keys and chat support. The accessible page does not state whether $399 is a monthly rate billed annually or the annual total, so procurement teams should confirm the billing cadence before purchase.
Reality Defender SDKs support TypeScript or JavaScript, Python, Go, Rust and Java, plus direct REST access. The SDK quickstart lists limits of 10 MB for images, 20 MB for audio, 250 MB for video and 5 MB for documents, while the presigned-upload endpoint lists a 50 MB image limit. That documentation difference should be tested against the exact integration path. The free tier excludes video. Enterprise deployment options include on-premises, private cloud, containers and secure air-gapped laptops, with Zoom, Teams, Webex and contact-centre integrations.
TinEye’s official API page lists prepaid bundles from 5,000 to one million searches. Each API search call counts once regardless of result count. Deepware offers a free beta scanner and a developer API using an X-Deepware-Authentication token, but publishes only that test keys have limited scan requests and that higher limits require contact. Its scanner is face-centred, so clips without a usable human face are outside its stated design. InVID-WeVerify and Adobe Inspect remain free for normal verification use, with no public commercial plan required for the core browser workflow.
Pricing and limits matrix
| Tool or service | Public price | Published cap | Formats and key constraints | Best use |
| Reality Defender RealAPI Free | $0 per month | 50 scans monthly; up to 3 seats | Image and audio only; 10 MB images, 20 MB audio | Prototypes and low-volume triage |
| Reality Defender Business | $399 shown with annual billing | 1,000 scans monthly; 1 seat | Image, audio and video; images listed as 10 MB in SDK quickstart and 50 MB in presigned endpoint; video up to 250 MB | Production API or analyst workflow |
| Reality Defender Enterprise | Custom quote | Custom volume; unlimited seats | On-prem, private cloud, container, air-gapped, meetings and contact centre | Regulated or high-volume deployments |
| TinEye API Starter | $200 prepaid | 5,000 searches | JPEG, PNG, WebP, GIF, BMP, AVIF, TIFF; one call counts as one search | Reverse-image tracing |
| TinEye API Basic | $300 prepaid | 10,000 searches | Auto top-up can trigger at 75% usage when enabled | Small commercial teams |
| TinEye API Corporate | $1,000 prepaid | 50,000 searches | Commercial and high-volume reverse search | Publishers and rights teams |
| TinEye API Enterprise | $10,000 prepaid | 1,000,000 searches | Lowest listed per-search rate | Large-scale matching |
| InVID-WeVerify | Free | No numeric public cap for core plugin | External services may have separate behaviour; browser extension | Keyframes, source tracing and OSINT |
| Deepware Scanner | Free beta | Web cap not publicly specified | Human face required; beta result should not be treated as proof | Second-opinion video scan |
| Adobe Content Authenticity Inspect | Free | No public numeric cap found | Checks Content Credentials; absence does not mean fake | Provenance inspection |
Check 7: Test Behaviour and Verify the Request
The most reliable deepfake scam indicators are often behavioural. Fraudsters use synthetic media to strengthen a familiar social-engineering sequence: authority, urgency, secrecy and a requested action. The media creates emotional certainty; the process extracts money, credentials, account changes or access.
Treat any unexpected request to transfer funds, change bank details, buy gift cards, share a one-time code, reset multifactor authentication or install remote-access software as unverified, even when it arrives through a real executive account. Compromised accounts and deepfakes work well together. Require the requester to use an established approval path, and do not let the apparent seniority of the caller override controls.
Channel resistance is a major red flag. A scammer may insist that the discussion remain on WhatsApp, Teams, Zoom or a private call. They may claim their normal phone is unavailable, discourage colleagues from joining, or create a reason that a second approver cannot be contacted. A genuine emergency can survive a two-minute verification delay. A fraudulent narrative often cannot.
Verification must be normal, quick and non-confrontational so staff do not feel they are challenging a senior leader. A finance employee should be able to say, ‘I am following the dual-control procedure,’ rather than deciding whether a familiar voice sounds real. The process should work the same way for an executive, supplier, family member or support technician.
The FBI’s 2025 data shows why this matters. AI-related complaints contained $893.3 million in adjusted losses. Investment complaints with a reported AI nexus exceeded $632 million, while AI-involved employment scams approached $13 million. The numbers are complaint-based and underreporting is likely, but they establish that synthetic media is already part of operational fraud, not a future scenario.
Business red-flag table
| Signal | Why it matters | Mandatory response |
| Urgent payment or bank-detail change | Creates time pressure and bypasses normal review | Pause and verify through the registered contact route |
| Secrecy request | Prevents cross-checking and isolates the target | Add a second authorised approver |
| Refusal to switch channels | Attacker may control only one identity surface | End contact and call a known number |
| OTP or MFA reset request | Can enable account takeover | Never share; contact security |
| New video-call identity | May use face or voice substitution | Verify employment, device and account history |
| Remote-access installation | Can turn persuasion into direct system control | Use approved support channels only |
Protect Your Business With a Deepfake-Resistant Workflow
The seven checks identify risk; this business workflow controls what happens next and is not an eighth detection check. A business should assume that voice, video, email and messaging identities can all be spoofed. The control objective is not perfect media detection. It is preventing a synthetic identity from completing a sensitive action without independent evidence.
Start with transaction design. Bank-detail changes should require confirmation through a pre-registered supplier contact and a cooling-off period for high-risk changes. Payments above a threshold should require two approvers using separate devices or channels. Executive exceptions should be prohibited or logged and reviewed. One-time passwords and recovery codes should never be accepted through voice or video alone.
Next, map exposure. Record which leaders have long public interviews, podcasts, conference talks or social posts that provide training material. Reduce unnecessary public audio where practical, but do not rely on secrecy. Establish a safe phrase for family or small teams, then rotate it if exposed. For larger organisations, use challenge procedures linked to internal records that attackers cannot infer from LinkedIn.
Create an escalation path that works at the speed of fraud. Staff need a single security contact, an incident template and permission to pause a transaction. Preserve the source message, headers, recording, meeting ID, account identifiers and payment instructions. Do not repeatedly recompress the media. Hash the original file and work on a copy.
Detection tools belong at control points. Email gateways can flag unusual executive requests. Contact centres can analyse audio in real time. Meeting security can assess participants. Media teams can scan viral content before publication. The architecture should keep detector scores advisory unless validated for the specific workflow. A false positive during payroll or customer support can create real harm.
Our earlier discussion of AI content detection limits applies here: a model score should trigger review, not punishment or automatic rejection. The same principle protects genuine customers, job applicants and employees from being treated as synthetic because of compression, disability-related speech patterns, translation systems or poor connectivity.
Business response workflow
| Stage | Control | Owner | Evidence retained |
| Triage | Classify the request and financial exposure | Recipient | Original message and timestamp |
| Freeze | Freeze the requested action | Recipient or finance | Case number |
| Verify | Verify through registered contact data | Independent approver | Call log or confirmation record |
| Inspect | Check account and device anomalies | Security | Authentication and meeting logs |
| Analyse | Analyse media where useful | Security or specialist | Detector output and tool version |
| Decide | Approve or reject under dual control | Authorised approvers | Decision record |
| Report | Report and review the incident | Security and legal | Preserved evidence and lessons learned |
Verify Political and Viral News Video
This section applies the same seven checks to public-interest media; it is not a separate checklist. Political deepfakes create two related risks: fabricated media can mislead the public, and the existence of deepfakes allows real media to be dismissed. A newsroom or analyst therefore needs an evidence-based workflow that does not amplify an unverified clip.
Begin with the original uploader. Identify the earliest accessible post, not the account with the largest following. Archive the page, record the exact wording and inspect whether the account has a history of original reporting from the claimed location. Search for other angles, local witnesses, official schedules, weather, landmarks and contemporaneous reporting. A real event of consequence normally leaves multiple independent traces, although censorship or access restrictions can complicate that expectation.
For speeches, compare the clip with full-length footage from official channels, broadcasters or pool feeds. Look for edits at sentence boundaries, changes in room tone, missing audience reactions and captions that alter meaning. For conflict footage, geolocate buildings and terrain, verify sunlight direction and weather, and search for older versions from different countries or events. Avoid publishing the manipulated clip repeatedly; show only what is necessary to explain the verification.
In the June 2026 San Francisco Chronicle profile, Hany Farid captured the broader democratic problem: ‘Our new reality is that we don’t have a shared reality.’ The response cannot be blanket distrust of all evidence. It must be a transparent chain of verification that readers can inspect. State what is known, what remains uncertain, which version was analysed and whether the file was obtained directly or downloaded from a platform.
Provenance and watermarking can improve this workflow, but adoption remains uneven. Content from open-source generators, screenshots and reposts may contain no durable label. Coverage of no-sign-up image tools shows why low-friction generation can produce media without a dependable identity trail. Absence of a marker is therefore neutral, while a valid, conforming credential can add positive evidence.
Newsroom verdict language
Prefer precise conclusions: ‘The clip was first posted two years earlier’; ‘the audio track was replaced’; ‘the file contains a valid credential from the camera’; or ‘we could not authenticate the source’. Avoid saying ‘debunked’ when only one claim has been disproved.
How Machine-Learning Deepfake Detectors Work
This section is for technical readers and explains how systems implement Check 6. Everyday readers can skip it without losing the core seven-check workflow. A technical detector should begin with a threat model: face swaps, fully generated images, lip-sync manipulation, synthetic speech, partial audio edits or multimodal impersonation. The screening context, such as uploads, calls, meetings or evidence, determines latency, privacy, architecture and acceptable error rates.
A production workflow normally has six stages. First, validate and normalise the file without destroying forensic features. Second, extract modality-specific signals: video frames, facial tracks, optical flow, audio spectrograms, codec metadata and provenance manifests. Third, route samples to specialist models. Fourth, combine scores with an ensemble or calibrated fusion layer. Fifth, generate an explanation and uncertainty measure. Sixth, log the model version, thresholds and input hash so the result can be reproduced.
For API integration, Reality Defender’s recommended workflow requests a signed upload URL, uploads the file, then polls for a result or uses event-based handling. Its SDKs normalise scores to a zero-to-one range and support concurrent processing. The service recommends using ensemble results rather than interpreting individual model outputs. This is sound architecture because single detectors can overfit a particular generator or compression pattern.
Internal systems should add a provenance parser and source-intelligence layer. A C2PA validation result, reverse-search match or trusted account history can materially change the risk score. Do not collapse every signal into one opaque number. Keep separate fields for synthetic-media probability, source confidence, provenance status, account risk and requested action.
In a reference implementation mapped to the published API sequence, the main engineering bottlenecks are unlikely to be the upload call itself. They are queue latency for large video, retry behaviour, threshold calibration, duplicate-file handling, privacy review and analyst presentation. A detector that returns 0.78 without showing the relevant media region, model version and decision policy is difficult to defend operationally.
The technical stack should also account for generation advances discussed in AI video generation risks. Red-team with unseen generators, heavy recompression, screen recordings, dubbed audio and partial edits. Hold out entire generator families during testing so the benchmark measures generalisation rather than memorisation.
Reference architecture
Use an ingestion service, immutable object store, hash registry, media normaliser, modality routers, ensemble scoring service, provenance validator, case-management layer and audit log. Human review should receive the original, transformed copies, timestamps, individual signals and a clear reason for escalation.
How to Benchmark a Deepfake Detector
Deepfake benchmarks can create false confidence when training and test data share the same generators, celebrities, compression settings or collection pipelines. Real-world media differs through screen recording, messaging-app compression, subtitles, crops, translation, background noise and partial manipulation. A model can achieve high area-under-curve scores on a clean benchmark and fail on a new generator released weeks later.
NIST’s forensic evaluation work emphasises realistic testing, reproducibility and clear limits. The core procurement question is cross-domain generalisation: performance can degrade when the generator, language, compression chain or editing method differs from the training data. Report results separately by modality and operating threshold rather than presenting one headline accuracy score (Guan et al., 2025).
These results do not mean detection is futile. They mean procurement should demand methodology. Ask which generators were held out, whether the test included platform recompression, whether results are broken down by demographic and language group, and how thresholds change for fraud screening versus public accusations. Ask for false-positive and false-negative rates at the actual operating threshold, not only a headline accuracy number.
Compression is a major bottleneck. Low bitrates can erase generation artefacts and also introduce artefacts that look synthetic. Long files increase cost and latency, while very short clips may lack enough evidence. Real-time systems must trade feature depth for response speed. Adversaries can also add noise, resize, crop, re-encode or play media through a speaker and camera to alter the detector’s input.
The most durable information-gain insight is to evaluate a detector as part of a decision system. A mediocre detector can add value when paired with transaction controls and source intelligence. A highly accurate model can cause harm when used as an automatic gate with no appeal, explanation or domain calibration.
Evaluation checklist
| Question | Why it matters | Minimum evidence |
| Were generator families held out? | Tests true novelty rather than memorisation | Results on unseen architectures |
| Was platform recompression included? | Matches social and messaging conditions | Per-platform breakdown |
| Are audio, video and image reported separately? | Modalities fail differently | Separate confusion matrices |
| What is the operating threshold? | Accuracy changes with risk tolerance | False-positive and false-negative rates |
| Are demographic and language effects measured? | Reduces unequal error | Subgroup performance |
| Can the result be reproduced? | Needed for audit and evidence | Model version, hash and configuration |
| How are inconclusive files handled? | Prevents forced binary decisions | Abstention policy and human review |
Incident Response, Evidence Handling and Reporting
This section explains what to do after the seven checks produce a suspicious or inconclusive result. The first objective is containment. Stop the payment, access change, publication or public response that the media is attempting to trigger. Preserve the original communication and avoid alerting the suspected attacker until security and legal teams decide on a strategy.
Collect the original file where possible, not only a screen recording. Export the email with headers, save chat history, record meeting identifiers, capture caller details and preserve account logs. Calculate a SHA-256 hash of each original file and document who handled it. Analysts should work on copies and record every conversion, frame extraction and tool used.
Separate the authenticity finding from the incident finding. A detector may be inconclusive while the request is still fraudulent because the account was compromised or the payment details are abnormal. Conversely, a synthetic training video may be authorised and harmless. The report should state the questioned claim, evidence examined, tool versions, limitations, confidence level and operational decision.
Report financial fraud quickly to the bank and relevant law-enforcement or fraud-reporting channel. In the UK, internal teams should also follow National Cyber Security Centre guidance for phishing and suspicious communications, and use sector-specific reporting duties where applicable. For public misinformation, coordinate with communications teams so corrections do not repeat or sensationalise the false content.
Review the control failure after the incident. Was the employee unable to find a trusted number? Did an executive bypass approval? Did the meeting platform lack guest controls? Did staff believe questioning a senior request would be punished? Technical detection is only one corrective action. Process design, culture and access governance usually deliver the larger risk reduction.
The final lesson is consistent with the emerging provenance ecosystem. In a January 2026 Content Authenticity Initiative review, senior director Andy Parsons wrote that confidence comes from ‘verifiable behavior’, not claims of utility. The same standard should apply to deepfake defence: controls must produce evidence that can be checked after the pressure of the moment has passed.
Minimum incident record
Record the source, original file hash, first-seen time, claimed identity, requested action, financial exposure, verification steps, detector outputs, decision, reporting actions and post-incident control changes.
Takeaways
- Start with the source and requested action; pixel inspection comes later.
- Treat blinking, hands and plastic skin as weak clues unless other evidence agrees.
- Use keyframe reverse search to find earlier uploads and changed captions.
- Call a known number before moving money, changing credentials or sharing codes.
- Use C2PA credentials as positive provenance evidence, not proof that a claim is true.
- Confirm the displayed $399 Reality Defender business price cadence before procurement.
- Benchmark detectors on unseen generators, recompressed media and real operating thresholds.
- Preserve originals, hashes, tool versions and decision records during every serious incident.
Conclusion
Deepfake detection in 2026 is less about spotting a strange face and more about rebuilding a trustworthy chain from source to decision. Synthetic video and cloned audio will continue to improve, which means visible artefacts will become less dependable. At the same time, ordinary compression, accessibility tools and editing can make authentic media look suspicious. A binary ‘real or fake’ mindset is therefore too crude for serious work.
The durable approach is layered. Verify who published the material, inspect visual and audio consistency, trace earlier versions, check provenance, use detectors as advisory evidence, and test the request through an independent channel. Businesses gain the most protection by designing payments, access changes and executive requests so that no single voice, face or account can authorise them.
Open questions remain. Detection benchmarks still lag new generators, provenance systems are not universal, watermarks can be lost, and consumer-grade real-time protection remains uneven. Those limits do not justify resignation. They justify precise confidence language, strong process controls and evidence that another analyst can reproduce. The winning defence is not perfect perception. It is a system in which deception cannot easily become action.
Frequently Asked Questions
What is the easiest way to detect a deepfake video?
Check the source first, then extract keyframes and reverse-search them. Compare lighting, lip movement, scene geometry and background objects across neighbouring frames. For high-stakes claims, verify through an official channel and use a detector only as supporting evidence.
Can deepfakes be detected by eye?
Sometimes, but not reliably. Obvious fakes may show flickering edges, mismatched reflections or poor lip sync. Modern generators can remove these defects, while genuine compressed footage may look artificial. Human inspection should trigger verification, not produce a final verdict by itself.
What is the best free deepfake detection tool?
There is no universal best tool. InVID-WeVerify is strong for keyframes, reverse search and source verification. Deepware offers a free beta face-focused scan. Adobe Inspect checks Content Credentials. Use at least two methods because each addresses a different part of the problem.
How do I know whether a voice call is AI-generated?
Listen for room-tone changes, clipped endings, odd breathing and mismatched emotion, but do not rely on hearing alone. End the call and ring the person through a known number. For business requests, require a second approver and never share one-time codes.
Does C2PA prove that an image is real?
No. C2PA Content Credentials can verify signed provenance information and declared edits. They do not prove that the depicted event is truthful, and missing credentials do not prove a fake. Treat valid credentials as one positive evidence layer.
Are deepfake detectors accurate?
Accuracy depends on the media type, generator, compression and threshold. Models often perform well on familiar benchmarks and worse on unseen generators or heavily recompressed files. Ask for false-positive and false-negative rates under conditions matching your workflow.
How can a business stop a deepfake CEO scam?
Require independent callback to a registered number, dual approval for payments, confirmation of bank-detail changes, and a ban on sharing codes through calls or video. Preserve the message and meeting evidence, then involve security and the bank immediately.
Can reverse image search find AI-generated images?
It can find earlier copies, source pages and reused images, which may expose a false caption or fake identity. It does not directly classify an image as AI-generated. Combine it with provenance checks, account analysis and forensic review.
References
Federal Bureau of Investigation. (2026). 2025 IC3 annual report. https://www.fbi.gov/file-repository/2025_ic3report.pdf
Guan, H., Horan, J., & Zhang, A. (2025). Guardians of forensic evidence: Evaluating analytic systems against AI-generated deepfakes. National Institute of Standards and Technology. https://www.nist.gov/publications/guardians-forensic-evidence-evaluating-analytic-systems-against-ai-generated-deepfakes
Bhatti, Z. H., Ahtisham, B., Tausif, S., George, N., Bajwa, N. H., & Javed, M. (2026). Can you tell it’s AI? Human perception of synthetic voices in vishing scenarios. arXiv. https://arxiv.org/abs/2602.20061
Müller, N. M., & Choong, W. H. (2026). Eroding trust in real speech: A large-scale study of human audio deepfake perception. arXiv. https://arxiv.org/abs/2605.26136
Coalition for Content Provenance and Authenticity. (2026). C2PA technical specification, version 2.4. https://spec.c2pa.org/specifications/specifications/2.4/specs/C2PA_Specification.html
Reality Defender. (2026). RealAPI pricing and SDK documentation. https://www.realitydefender.com/product/realapi; https://docs.realitydefender.com/sdks/quickstart
Del Valle, G. (2026, April 16). The only way to fight deepfakes is by making deepfakes. The Verge. https://www.theverge.com/report/913445/deepfake-detection-reality-defender-pindrop-ai
Ulrich, F. (2026, June 9). When reality is in doubt, news editors ask this Berkeley professor: Is it AI? San Francisco Chronicle. https://www.sfchronicle.com/bayarea/article/hany-farid-ai-deepfakes-22291920.php
Parsons, A. (2026, January 18). The state of content authenticity in 2026. Content Authenticity Initiative. https://contentauthenticity.org/blog/the-state-of-content-authenticity-in-2026
