A few months ago, a client sent us a voice note that had been used to extract a six-figure wire transfer from their controller. The voice was their CEO's. Cadence right, accent right, even the half-second cough she does when she is annoyed. It was generated from forty-three seconds of audio scraped from a podcast she did in 2022. The investigation took three weeks. The deepfake took twenty minutes.
That asymmetry is the whole story. Generation has gotten almost embarrassingly cheap. Detection has not. A motivated attacker can produce a convincing voice clone, a swapped face on a video call, or a fabricated screenshot of a Slack thread for under fifty dollars and an hour of work. The forensic and investigative playbooks built for a slower, more expensive world have not caught up.
Why detection alone will not save you
It is tempting to think the answer is a better deepfake detector. We test these regularly. The honest assessment is that the best of them are useful as a triage tool, occasionally good for clearly synthetic media, and unreliable as a single point of evidence. Generation models are tuned to defeat them, often using detection models as part of their training loop. The detector wins for a quarter, the generator catches up by the next release.
The teams that are getting this right have stopped treating deepfake defense as a single-tool problem and started treating it as a process problem. The detector is one input. The provenance chain is another. Behavioral verification is a third. No single layer is decisive; together they raise the cost of the attack high enough to deter everyone who is not state-sponsored.
The new forensic playbook
1. Treat any high-stakes media as untrusted by default
Voice notes ordering wires, video calls authorizing access changes, screenshots used as evidence in HR disputes — none of these can be the sole authentication anymore. The new operating standard for our clients is that any action above a defined threshold requires a second channel and a callback on a known number. Cumbersome, yes. The cumbersome version is the version that does not lose six figures.
2. Build a provenance trail wherever you can
The C2PA standard for media provenance is finally getting wider adoption. Capture devices, video conferencing tools, and an increasing share of camera apps now sign content at the moment of capture. It does not solve the problem — most attackers will not use signed tools — but it raises the bar on legitimate media. A board video that should be signed and is not is itself a flag.
3. Pair detection with behavioral verification
If a video call from your CEO is asking for an unusual action, ask a question only the CEO would answer correctly. Internal jokes work. Specific calendar references work. The deepfake gives a confidently wrong answer or a confidently irrelevant answer. This sounds silly until it saves your company a million dollars.
4. Investigate the trail, not the artifact
When a deepfake hits, the most productive forensic work is rarely on the file itself. It is on the surrounding trail — the email that delivered it, the account that posted it, the IP and device fingerprint of the upload, the social engineering script that accompanied it. Attackers leave more usable evidence in the delivery than in the artifact.
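The first three steps above, expressed as an approval gate. This is an added example, not code from the original article; the threshold, detector cutoff, directory, field names and sample values are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy values for illustration only.
THRESHOLD = 10_000                      # assumed cutoff for "high-stakes" actions
DETECTOR_CUTOFF = 0.5                   # assumed triage cutoff, never decisive alone
KNOWN_NUMBERS = {"ceo": "+1-555-0100"}  # directory maintained out of band
EXPECT_SIGNED = {"board_video"}         # media kinds that should carry provenance

@dataclass
class Request:
    requester: str
    amount: int
    channel: str           # channel the request arrived on
    media_kind: str
    media_signed: bool     # outcome of a provenance check performed elsewhere
    detector_score: float  # 0..1 synthetic likelihood from a detector
    confirmations: list = field(default_factory=list)  # (channel, number_called)

def evaluate(req: Request):
    """Return (decision, reasons). A clean detector score never approves by itself."""
    reasons = []
    # Step 2: media that should be signed and is not is itself a flag.
    if req.media_kind in EXPECT_SIGNED and not req.media_signed:
        reasons.append("provenance expected but missing")
    # Step 3 input: the detector can raise a flag, it cannot clear one.
    if req.detector_score >= DETECTOR_CUTOFF:
        reasons.append("detector flagged media as likely synthetic")
    if req.amount < THRESHOLD:
        return ("review" if reasons else "approve"), reasons
    # Step 1: above the threshold, require a callback over a second channel
    # to the directory number, not to a number supplied in the request.
    known = KNOWN_NUMBERS.get(req.requester)
    confirmed = any(known is not None and ch != req.channel and num == known
                    for ch, num in req.confirmations)
    if not confirmed:
        reasons.append("no callback on a known number over a second channel")
    return ("hold" if reasons else "approve"), reasons

if __name__ == "__main__":
    # Constructed sample: a voice note asking for a large wire, no callback made.
    print(evaluate(Request("ceo", 250_000, "voice_note", "voice_note", False, 0.1)))
```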
How to brief a non-technical leader
Leadership wants three answers. Can someone fake my voice — yes, easily. Can we detect it reliably — no, not on its own. What protects us — process. The mistake is letting the conversation stay on the technology. The conversation that actually changes outcomes is about which actions in the company should never be authorized over a single channel.
Where this is heading
Two trends are worth watching. The first is consumer-grade detection inside conferencing tools. Zoom, Teams, and Google Meet are all rolling out signals — sometimes a 'this call is being recorded' style banner that flags suspected synthetic participants. These will be useful and they will be wrong sometimes. Build them into the workflow but do not rely on them. The second is liability-driven adoption of provenance standards. Insurance carriers are starting to require provenance trails for high-value transactions, and that is the kind of pressure that moves industries faster than ethics campaigns ever do.
Deepfakes will keep getting better. Detection will keep being a useful but partial defense. The investigators and security teams who are pulling ahead are the ones who stopped expecting a tool to solve this and started building the process around the assumption that a convincing fake is now a Tuesday.


