Verify identity with out-of-band channels

Never trust a single digital channel for high-stakes verification. Deepfake technology can now mimic voices and faces in real-time, making video calls and recorded audio unreliable for confirming sensitive actions. To protect your digital identity, switch to a different communication method than the one that initiated the request.

The AI Assistant Audit
1
Pause and assess the request

If a contact asks for money, credentials, or personal data via video or voice, treat the request as unverified. Do not proceed with the transaction or share information until you have confirmed the person’s identity through a separate, trusted channel. This pause is your primary defense against social engineering attacks that rely on urgency and visual proof.

The AI Assistant Audit
2
Switch to a pre-agreed text channel

Open your messaging app and send a plain text message to the person using a number or handle you have saved from previous, verified interactions. Avoid replying within the same chat thread where the suspicious video or audio originated. Text-based verification is harder to spoof in real-time and provides a clear, asynchronous record of the confirmation.

3
Use a secondary voice call

If text verification is insufficient, place a standard voice call to the person’s known phone number. Do not use the contact information provided in the suspicious message or email. Listening to a live human voice on a traditional cellular network adds a layer of security that AI audio synthesis struggles to replicate convincingly under pressure.

4
Confirm specific, non-obvious details

Ask a question that only the real person would know, such as a recent shared event or a specific detail from a previous conversation. Avoid generic questions like "Is this really you?" which a sophisticated AI might bypass with pre-recorded responses. Concrete details force the scammer to fail because they lack the context of your private relationship.

Enable multi-factor authentication everywhere

Multi-factor authentication (MFA) is your primary defense against deepfake scams. Even if attackers steal your password or clone your voice, MFA blocks access because they lack the second verification factor. This extra layer stops unauthorized logins before they can compromise your identity or drain your accounts.

1. Turn on MFA for your email account

Your email is the master key to your digital life. Attackers use compromised email to reset passwords for banking, social media, and work accounts. Enable MFA immediately, preferably using an authenticator app or a hardware security key. Avoid SMS-based codes, which can be intercepted via SIM-swapping attacks.

2. Secure your banking and financial apps

Financial institutions are prime targets for identity theft. Log into every bank, investment, and payment platform you use. Navigate to security settings and activate MFA. Use biometric verification (fingerprint or face ID) combined with a PIN or password. This ensures that even if someone steals your device, they cannot access your funds without your physical presence.

3. Activate MFA on social media and cloud storage

Social media profiles are often used to impersonate you in deepfake scams. Turn on MFA on platforms like Facebook, Instagram, X, and LinkedIn. Do the same for cloud storage services like Google Drive, iCloud, or Dropbox. These accounts hold personal photos, documents, and contacts that scammers can exploit to build convincing fake personas.

4. Add MFA to work and government accounts

Corporate and government portals often contain sensitive personal data. Contact your IT department to enable MFA for all work-related systems. For government services like tax portals or voter registration sites, check if they offer MFA options. If SMS is the only option, use it as a last resort, but prioritize app-based or hardware keys if available.

5. Use a password manager with MFA

A password manager stores all your credentials securely. Enable MFA on the password manager itself. This protects the vault that holds your passwords for every other account. If an attacker breaches your password manager, they still cannot access your accounts without the second factor. This creates a final barrier that is difficult to bypass.

  • Email accounts
  • Banking and investment platforms
  • Social media profiles
  • Cloud storage services
  • Work and government portals
  • Password manager
AI security
1
Review MFA settings

Start by listing every account that holds sensitive personal or financial data. Prioritize email, banking, and social media. Check if MFA is already enabled. If not, turn it on immediately.

2
Choose strong MFA methods

Prefer authenticator apps or hardware keys over SMS. SMS is vulnerable to interception. Set up your preferred method on each account. Test it to ensure it works before relying on it.

3
Back up recovery codes

Most MFA systems provide backup codes for emergencies. Save these codes in a secure, offline location. Do not store them in the same place as your passwords. If you lose access to your MFA device, these codes are your only way back in.

Audit your public digital footprint

Deepfake scams rely on raw material: your voice, your face, and your writing style. If that data is scattered across public platforms, it is easy for bad actors to scrape and clone. The goal here is not to hide, but to reduce the high-fidelity assets available for unauthorized AI training.

The AI Assistant Audit
1
Remove old voice and video samples

Search your name in quotes on major video platforms. Remove or make private any unlisted interviews, public speeches, or casual vlogs that capture clear audio and video. These high-quality clips are the primary fuel for voice and lip-sync cloning.

2
Scrub public contact directories

Many data brokers aggregate your phone number and address. Use the FTC’s Do Not Call list and opt-out forms from major data brokers like Whitepages and Spokeo. This limits the channels scammers use to verify a cloned identity during social engineering attacks.

AI security
3
Review social media privacy settings

Set all personal profiles to "Friends Only" or private. Disable location tagging on past posts, which can reveal your daily routine and physical location, adding context to a deepfake scam. Platforms like Facebook and Instagram have specific tools to download and delete old data.

4
Audit professional and academic profiles

Check LinkedIn, university faculty pages, and conference sites. These sources often contain high-resolution headshots and professional speaking videos. Request removal of outdated photos or videos that no longer represent your current likeness, especially if they are being used without your consent.

5
Check for unauthorized data broker profiles

Use services like DeleteMe or manually request removals from top data aggregation sites. These profiles often link your real name to your address and phone number, creating an "identity graph" that scammers use to personalize phishing attempts.

Reducing your digital footprint creates friction for attackers. The less clean data they have, the harder it becomes to create a convincing deepfake. Regular audits, at least once a year, help keep your digital identity secure against evolving AI threats.

Use deepfake detection tools

Automated detection tools act as a digital second opinion, flagging inconsistencies in audio and video that the human eye might miss. While no tool offers a 100% guarantee, they provide a critical layer of verification for incoming media files.

Start by running suspicious videos through reputable open-source detectors. The Facebook Meta AI Detection Tool is one of the most widely used options for identifying AI-generated content in social media posts. For audio, use tools like Adobe’s Audio Deepfake Detector to check for synthetic voice patterns.

The AI Assistant Audit

If you handle sensitive documents or corporate communications, consider enterprise-grade platforms. Darktrace’s 2026 cybersecurity report highlights how AI-driven anomaly detection is becoming standard for identifying synthetic media in corporate networks. These tools often integrate directly into email and messaging platforms to flag potential threats before they are acted upon.

Check Platform Safety Centers

Always verify the source of the detection tool. Prefer official releases from major tech companies or established cybersecurity firms over random online utilities. Keep these tools updated, as detection methods evolve rapidly alongside deepfake generation techniques.

Report suspicious synthetic media

When you identify a deepfake scam, immediate reporting is critical to disrupting the campaign and protecting others. Treat synthetic media like financial fraud: document the evidence, report it to the platform where it appeared, and alert relevant authorities. This escalation path ensures that the content is removed and the perpetrators are tracked.

Step 1: Preserve the Evidence

Before reporting, capture the content for your records. Screenshots alone are often insufficient for deepfakes. Use your browser’s "Save Page As" feature or a digital forensics tool to save the video file, the URL, and the page metadata. Note the timestamp and the account details of the sender or uploader. This digital footprint is essential for law enforcement and platform investigators to verify the source.

Step 2: Report to the Platform

Most social media platforms have specific mechanisms for reporting AI-generated content. Look for options labeled "Misleading AI-generated content" or "Synthetic media" in the report menu. If these specific categories are unavailable, report it as "Scam" or "Fraud." Platforms like Meta, TikTok, and X (Twitter) are increasingly prioritizing these reports under their integrity teams. Providing the preserved evidence from Step 1 significantly speeds up the review process.

Step 3: Alert Law Enforcement

For financial losses or identity theft, file a report with your local police department and the appropriate national cybercrime unit. In the United States, submit a complaint to the Internet Crime Complaint Center (IC3) at ic3.gov. The IC3 aggregates data on cybercrimes, including deepfake-enabled fraud, which helps federal agencies identify broader criminal networks. Include all preserved evidence and a timeline of events in your complaint.

Step 4: Notify Affected Parties

If the deepfake was used to impersonate a colleague, family member, or business partner, notify them immediately. They may receive further attempts to exploit the relationship. If the content was shared in a professional context, inform your company’s IT or security team so they can issue a warning to other employees. Proactive communication helps contain the spread and prevents secondary scams.