That Urgent Video From Your Boss? Hang Up and Call Back.
In February 2024, a finance worker in Hong Kong sat down for a video call with his company's CFO and several colleagues. The CFO gave clear instructions: transfer $25 million to a series of accounts immediately. The worker had doubts at first. But the faces looked right, the voices sounded right, and the meeting felt urgent. So he sent the money.
Every single person on that call was fake. Not just the CFO — all of them. AI-generated, from scratch, built to last long enough to make one employee feel certain enough to act. By the time anyone realized what had happened, the money was gone.
Here's the part that should stop you cold: nobody on that call needed to look perfect. They just needed to look convincing for long enough.
Deepfakes don't need to fool your eyes for long — they only need to make you act before you verify. The weapon isn't the video quality. It's the clock.
The Myth That's Getting People Hurt
Ask most people what a deepfake is, and they'll describe something from a viral video: a politician's face swapped onto a dancer, or a celebrity saying something they never said — and it's almost right but slightly off, like a wax figure that blinks too slowly. The assumption baked into that image is this: deepfakes only work when they're basically perfect.
That assumption is wrong. And it's the kind of wrong that costs real people real money.
A deepfake (an AI-generated video, audio clip, or image designed to look or sound like a real person) doesn't need to pass a forensics exam. It needs to pass you, at this specific moment, when you're scared or busy or being told there's no time to double-check. That's a much lower bar. And attackers know it. This article is part of a series — start with Why Spotting Synthetic Media Is Harder Than It Looks.
Urgency Is the Actual Weapon
Here's how the trick works, step by step — because once you see the mechanism, you can't unsee it.
An attacker creates a short clip. Maybe it's a voice note. Maybe it's a 15-second video of your "boss" or your "son." The content almost doesn't matter. What matters is the emotional package it comes wrapped in: something is wrong, it needs to happen now, and there's a reason you can't call back to confirm.
Your brain does something predictable when authority and urgency arrive together. It shortcuts. According to Adaptive Security, deepfake attacks are deliberately engineered around time pressure that suppresses rational scrutiny — meaning the goal of the urgency isn't just to rush you. It's to turn off the part of your brain that would normally say, wait, let me verify this through a different channel.
That's not a character flaw. That's human cognition working exactly as designed. We defer to authority figures. We respond to emergencies. Evolution built those instincts for good reasons. Deepfake attackers simply figured out how to load those instincts like a gun.
"Deepfake social engineering exploits what people see and hear, making instinctive verification nearly impossible." — Reality Defender
The Hong Kong case is the clearest proof. The worker wasn't careless. He had doubts. But he was on a live video call with multiple "colleagues," the CFO gave direct instructions, and the framing was urgent. Each element of that setup was chosen to make pausing feel more risky than acting. According to Reality Defender, deepfake attacks cost businesses nearly $500,000 on average per incident in 2024, with large enterprises losing as much as $680,000 in a single attack. Twenty-five million dollars is extreme — but it shows what happens when the psychological setup is thorough enough.
The Cracks Are Actually There — You Just Need Time to See Them
Here's the part that makes this whole thing feel more manageable: deepfakes are genuinely imperfect. The flaws are real and sometimes obvious — if you slow down.
Take audio deepfakes. AI-generated voices can sound unusually clean in a way that's almost eerie — too smooth, with an oddly robotic undertone under the words. The pacing goes slightly wrong, with pauses that don't land where a human's breath would. Emotional tone can feel flat. According to Stack Cyber, AI-generated voices may respond too quickly, pause unnaturally, or fail to match the emotional intensity of the moment. Listen carefully to a real person arguing versus a synthetic one, and you can often feel the difference. Previously in this series: That Shocking Video Of Someone You Love Your Brain Decided I.
Video fakes have their own tells. Research published by NIH/PMC found that deepfakes often break what researchers call emotional coherence — the way a real human's face, voice, and words all sync up naturally. When you're genuinely happy, your voice warms up, your face softens, and your words match. Deepfakes can fake each of those channels separately but struggle to make them flow together. An angry voice paired with an expressionless face. A smile that doesn't quite reach the eyes before the sentence ends. These are detectable — but only if someone is watching carefully.
Think of it like someone crashing a party wearing a very good mask of your friend. From across a crowded room, moving fast, you'd probably just wave. Sit down and actually look for thirty seconds, and you'd notice the mask doesn't move when he swallows. The seams show. The problem is, you were rushing.
Why People Get This Wrong — And It's Not Their Fault
The "deepfakes need to be perfect" myth makes complete intuitive sense. Everything we've been told about deception works on a quality spectrum: the better the forgery, the harder it is to catch. A bad fake ID gets spotted at the door. A great one doesn't. So naturally, we assume AI fraud works the same way.
But that's confusing the wrong variable. Deepfake attacks aren't competing with your forensic scrutiny. They're competing with your availability to scrutinize at all. They don't need to fool you for five minutes of careful examination. They need to hold up for ten seconds of shocked, panicked, this-feels-real-enough-and-I-need-to-act response.
That's a completely different game. And almost nobody has been taught to play it.
At CaraComp, we spend a lot of time thinking about how facial recognition and identity verification actually fail — not in theory, but in the specific moments when pressure and time distort human judgment. The lesson that keeps coming up is the same one that lives at the heart of every deepfake attack: your eyes and ears are reasonably good detectors, but only when you give them the chance to work. Up next: That Shocking Video Of Someone You Love Your Brain Decided I.
What You Just Learned
- 🧠 Deepfakes target your decision-making, not your vision — the goal is to make you act before the rational part of your brain checks in
- 🔬 The flaws are detectable — audio pacing, emotional incoherence, and visual timing all crack under careful observation; the problem is urgency removes careful observation
- 📈 This is growing fast — deepfake content is on track for 8 million files online in 2025, a 900% annual growth rate, making these attacks increasingly common
- 💡 The defense is procedural, not perceptual — "can I spot the fake?" is the wrong question; "can I verify this through a separate channel before I act?" is the right one
The One Rule That Actually Protects You
Forget trying to memorize a checklist of deepfake tells. That's playing defense on the attacker's terms. They will build the fake around whatever checklist you're running.
The rule that works is simpler and doesn't depend on your ability to spot bad lip-sync: if a short video, voice note, or image creates urgency and asks you to do something — send money, share a password, believe something serious — verify through a completely separate channel before you act. Not a reply in the same app. Not a call to the number in the message. A different channel. A call to a number you already have saved. A text to the person's real phone. Something the attacker can't intercept or fake in the same moment.
That's it. That's the whole defense. It works because the attack is designed around the assumption that you won't take that thirty-second pause. The attacker has no plan B if you do.
A deepfake doesn't need to fool you — it needs to rush you. The only question worth asking when a shocking clip lands in your inbox is not "does this look real?" but "have I verified this through a channel I trust, independently of this message?" Thirty seconds of friction is the entire defense.
The finance worker in Hong Kong wasn't naive. He was a professional, in a meeting, with multiple authority figures giving him clear instructions. The attack was designed by people who understood exactly how human trust works — and they engineered every detail to make the verification step feel unreasonable.
So next time someone sends you an urgent video and your gut says act now — that feeling? That's not intuition. That might be the attack working exactly as intended.
Ready for forensic-grade facial comparison?
Full forensic reports with detailed similarity scoring. Results in seconds.
Run My First SearchMore Education
Your Face Can't Be Reset: The Hidden Cost of Proving You're Over 18 Online
Age verification is moving from "enter your birthday" to systems that scan your face and ID. Learn why that shift protects access but may expose your most permanent, irreplaceable data — and what to ask before you hand anything over.
privacyYour Kid's Face, Their Data: The Age-Check Trap Nobody Warned You About
A 13-year-old can fake a birthday in two seconds — but the "better" ways to stop that come with a privacy cost most families don't realize they're paying. Here's what age verification actually checks, and what it takes from you to do it.
biometricsThat 95% Face Match Could Be a Total Lie — Here's the Trick Fooling the Camera
Most people think facial recognition fraud happens when the algorithm sees a fake face. The real attack often happens before that — and the result looks completely legitimate. Learn what an injection attack is, why it's exploding, and what it means for trusting any biometric result.
