TL;DR: AI tools are lowering the cost and skill barrier for phishing, voice cloning, and synthetic identity fraud, while research cited in the article shows voice authentication can be bypassed at up to 99% success in practical testing. Traditional knowledge-based verification is no longer enough when attackers can replicate or synthesise the signals it trusts.
NHIMG editorial — based on content published by iProov: deepfakes, human-AI collaboration, and the crisis of trust in identity verification
Questions worth separating out
Q: How should security teams reduce deepfake risk in account recovery flows?
A: Security teams should remove any recovery step that depends on static knowledge, voice similarity, or easily reused personal data.
Q: Why do voice-based identity checks fail against AI-generated impersonation?
A: Voice-based checks fail because AI can now reproduce many of the acoustic signals they rely on, including tone, pacing, and emotional style.
Q: What do organisations get wrong about deepfake detection training?
A: They assume people can be trained to spot synthetic media reliably enough to stop fraud.
Practitioner guidance
- Replace voice-only authentication for high-risk actions. Use voice as a convenience signal, not a standalone factor, for account recovery, wire transfers, password resets, and helpdesk approvals.
- Remove static knowledge-based recovery questions. Eliminate challenge questions and secret-based recovery paths that attackers can research, infer, or generate with AI.
- Tighten helpdesk and account recovery scripts. Train service desks to treat urgent, emotionally persuasive, or highly specific requests as fraud indicators.
What's in the full article
iProov's full blog post covers the operational detail this post intentionally leaves for the source:
- The article’s full explanation of science-based biometrics and how they differ from static liveness checks.
- The vendor’s discussion of adaptive threat monitoring and why ongoing deepfake response matters for verification workflows.
- The specific examples of phishing, push bombing, SIM swapping, and voice cloning used to frame the identity fraud problem.
- The article’s direct framing of genuine human presence as the intended control objective for identity assurance.
Deepfake identity fraud: what IAM teams need to rethink now?
Explore further
Deepfake fraud has turned identity proof into an adversarial problem. The article shows that synthetic media no longer supports only deception at the edges of the user journey. It now attacks the core assumption that a human can be reliably distinguished from a generated imitation in real time. The implication is that human IAM controls must be designed for adversarial simulation, not ordinary authentication friction.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who is accountable when synthetic media causes identity fraud?
A: Accountability usually sits with the team that owns the identity journey, not with the fraud victim or the user who was impersonated. IAM, fraud, and helpdesk leaders should define ownership for recovery controls, escalation rules, and verification failures. Where regulated payments or customer access are involved, governance must be explicit and auditable.