In early 2024, a finance worker at the engineering firm Arup joined a routine video call with his CFO and several colleagues. Following their instructions, he made 15 transfers totalling $25 million. Every person on that call was a deepfake. The money was never recovered.
That case turned a fear into a headline: synthetic media is now a serious fraud tool, not just a way to put a celebrity’s face on someone else’s body. This guide explains what deepfakes are in 2026, the risks that actually matter, how to spot deepfakes and verify what you’re seeing, and the detection technology and laws racing to keep up.
What a Deepfake Actually Is
Start with a clear definition, because the word gets stretched. A deepfake is synthetic audio, video, or imagery generated or altered by AI to depict something that didn’t happen. Modern tools use generative models (the same family behind AI image and text generators) to swap faces, sync lips to new words, or clone a voice.
The barrier has collapsed. A convincing voice clone now needs as little as three seconds of sample audio. That clip is easily lifted from a voicemail or a social video. There are four common forms: face-swaps, lip-sync edits, full synthetic video, and voice clones. That last one is the cheapest to make and, to my mind, the most dangerous.
The Real Risk: Fraud, Not Just Fake Celebrities
Cultural panic fixates on fake politicians and celebrities. The money, though, is being lost somewhere quieter. Deepfake-enabled fraud crossed $1 billion in direct losses in 2025, and businesses lost an average of roughly $500,000 per incident. Voice deepfakes alone jumped about 680% year-over-year in 2024.
And this is not a niche corporate worry. Surveys in 2026 report that around 85% of organisations faced at least one deepfake-related incident in the past year, with crypto and finance hit hardest. Deloitte has projected that generative-AI-enabled fraud in the US could reach $40 billion by 2027.
Arup is the template here: urgency, authority, and a video call that defeats the old advice of “just get them on camera.” Seeing is no longer verifying.
How to Spot a Deepfake (and Why Your Eyes Aren’t Enough)
Here’s the hard truth about how to spot deepfakes: you can no longer reliably detect a good one by eye. The old tells (unnatural blinking, weird hands, mismatched lighting) are disappearing fast as the models improve, and leaning on them just gives you a false sense of security.
The fix is process, not perception. Treat how a message reaches you as the signal, not how polished it looks:
- Trigger on urgency. Almost every deepfake scam pushes you to act fast on money, credentials, or access. Urgency is the red flag, not the pixels.
- Verify out-of-band. Call the person back on a number you already have, or confirm on a separate channel. A deepfake can’t follow you to a known phone line.
- Check the source and provenance. Where did the file originate? Does it carry Content Credentials (more on those below)? Who first posted it?
- Slow the money down. For any payment or sensitive request, require a second approver. Process beats perception every time.
My own rule is blunt: any video or call that asks for money or access gets a callback before anything moves. Being the cautious one costs a few minutes. Being wrong cost Arup $25 million.
The Tech Fighting Back: Provenance and Watermarks
Detection has largely shifted from “spot the fake” to “prove what’s real.” The industry is converging on a two-layer standard. The first layer is C2PA Content Credentials — cryptographically signed metadata that records how a file was captured and edited, and whether AI was involved. Major players including OpenAI and Google support it in some paths.
The second layer is invisible watermarking, like Google’s SynthID, embedded in AI-generated images, audio, video, and text. Both help, but be clear-eyed about the limits: Content Credentials can be stripped by a screenshot, re-upload, or resize, and watermarks only flag content made by tools that add them. The majority of AI generators in 2026 don’t, leaving a real coverage gap. Provenance is a strong positive signal when it’s there. Its absence proves nothing.
The Law Is Catching Up
Regulation is arriving, unevenly. The EU AI Act’s transparency rules (Article 50) begin applying in August 2026, requiring AI-generated or manipulated media to be machine-readable and labelled, even when there’s no intent to deceive. The EU is also banning “nudifier” apps, with compliance due by December 2026.
In the US it’s more of a patchwork. The DEFIANCE Act gives victims of non-consensual intimate deepfakes a federal right to sue, with statutory damages up to $150,000 (more for cases tied to harassment or assault). Colorado’s AI Act enforcement began in early 2026, while a California labelling law (AB 2655) was struck down in 2025 over conflicts with Section 230. The direction is clear; the coverage is not yet uniform.
Deepfakes Aren’t All Bad
It’s worth resisting pure doom, because the same technology has genuine, consented uses. Film studios use it for de-aging and multi-language dubbing, and accessibility tools can restore a voice for someone who has lost theirs. Training simulations, museum exhibits that “interview” historical figures, and satire or art all benefit.
The dividing line is consent and disclosure. Synthetic media made with permission and labelled clearly is a creative tool. The same media made to impersonate or deceive is the problem the rest of this article is about.
Frequently Asked Questions
How can I tell if a video is a deepfake? Don’t rely on visual glitches — good deepfakes have none. Instead verify the source, check for Content Credentials, and confirm any urgent request through a separate, known channel.
Are deepfakes illegal? It depends where you are and what the deepfake does. Non-consensual intimate deepfakes and fraud are increasingly illegal (e.g. the US DEFIANCE Act), and the EU AI Act requires labelling from August 2026, but there’s no single global law.
What are Content Credentials (C2PA)? A signed “nutrition label” attached to a media file that records how it was made and edited, including whether AI was used. They help prove authenticity but can be stripped when files are re-shared.
How much audio does a voice clone need? As little as three seconds of clear speech can produce a recognisable clone — which is why voice-based scams have exploded.
In Conclusion
Deepfakes have grown from a curiosity into a billion-dollar fraud tool, and the comfortable instinct that “I’ll be able to tell” no longer holds. The realistic answer to how to spot deepfakes in 2026 is process, not perception: treat urgency as a warning, verify through channels a fake can’t reach, and lean on provenance like Content Credentials where it exists. The technology and the law are catching up — but your habits are still the strongest filter you have.
Have you (or your company) already had a brush with a deepfake or voice-clone scam? For the technology driving all this, see what AI agents are, and for how synthetic media is reshaping audio, read how podcasts reshaped storytelling and culture.
