Is That Face Even Real? The New First Question Fraud Teams Must Ask

Nearly eighty percent of people worldwide were targeted by deepfake or A.I.-generated fraud at least once in the past year. According to the Veriff Fraud Index for twenty twenty-five, that's not a projection. That's already happening. And the systems we trust to catch it? Most of them are checking the wrong thing first.

For fifteen years, identity verification has asked

For fifteen years, identity verification has asked one question. Does this face match the record? That question assumed something we can't assume anymore — that the face being checked is real. If you've ever unlocked your phone with your face, or verified your identity for a bank app by blinking into your camera, this shift already touches you. And if that feels unsettling, it should. But understanding how this works is exactly how you stop feeling powerless against it. Today I'm going to walk you through why the entire order of identity verification just flipped upside down — and what the new first question actually is. So what broke the old system?

The model most companies still use looks like this. Step one, capture your face. Step two, match it against your I.D. photo. Step three, run a liveness check — that's when the app asks you to blink or turn your head to prove you're a real person sitting in front of the camera. That liveness step became the industry standard about five years ago. It worked great against someone holding up a printed photo or wearing a mask. Vendors marketed it as the solution. Compliance frameworks like N.I.S.T. eight hundred dash sixty-three B and I.S.O. thirty-one oh seven baked it into their standards. So it's completely reasonable that most people — and most companies — still believe a face match plus a liveness check equals a verified identity.

But that belief is now dangerously outdated. According to data compiled by DeepStrike, attacks using face-swap deepfakes and virtual cameras to defeat liveness detection surged by seven hundred and four percent in twenty twenty-three alone. That's not a gradual uptick. That's an explosion. Commodity fraud tools — software anyone can download — can now replicate the defenses that cost companies millions to build. A deepfake video can blink on command. It can turn its head. It can pass every liveness prompt your banking app throws at it. For fraud teams, that means their strongest checkpoint just became their weakest. For the rest of us, it means the selfie you snapped to open an account might be competing against a synthetic face that performs the same verification steps flawlessly.

That's only half the problem

And that's only half the problem. The other half is something called an injection attack. In a normal verification session, your phone's camera captures your face and sends that image into the system. An injection attack skips the camera entirely. The attacker feeds a synthetic or manipulated biometric file straight into the verification pipeline at the software level. The system sees data that looks like it came from a camera. It processes it like a normal session. But no real camera was ever involved. The article from VOI Indonesia uses an airport security analogy that makes this click. Imagine you show your I.D. at the gate and walk through. That's the old face match. Then airports added a checkpoint — turn your head, prove you're alive. That's liveness. Now imagine someone bypasses the entire terminal and injects a hologram directly into the scanner's feed. The scanner sees a perfect passenger. But no one ever stood in front of it. That's an injection attack. And traditional liveness detection can't catch it, because the fake data enters the system after the camera step.

So what does a system that actually works look like now? Modern detection doesn't just look at whether a face has the right features. It analyzes the physics of the video itself. One system called Deepsight uses what it calls a Perception Layer — a multi-modal A.I. model that examines depth, motion, and visual consistency across multiple frames simultaneously. It's checking how light behaves on skin. It's looking for biological micro-signals. It's verifying frame-level consistency — whether the pixels between one frame and the next obey the laws of physics. The key insight is that deepfakes fail at the physics level before they fail at the appearance level. A synthetic face might look perfect to your eye. But light doesn't bounce off it the way it bounces off real skin. Motion doesn't carry through frames the way real movement does. The system has to verify that the camera itself is real before trusting anything it sees.

And this isn't theoretical. Since twenty twenty-two, North Korean state-backed groups have shown just how industrial this kind of fraud can get. They combined A.I.-generated headshots with doctored identity documents and malware to place operatives inside Western companies using fake identities. One cell of just eight people earned one point six four million dollars over three and a half years. A single synthetic identity pipeline created a hundred and thirty-five fake personas. Those personas targeted more than seventy-three thousand individuals. Every one of those fake identities could have passed a face match. Many could have passed a liveness check. What they couldn't survive is a system that asks the right first question — is this image even real?