Articles

Deepfake Video Call Scams & BEC: The Case for Continuous Identity Verification

July 7, 2026
Author
Katelyn Halbert
Senior Talent Acquisition Partner
deepfake-video-call-featured-image
Summary
  • Business Email Compromise (BEC) has evolved into live deepfake video call fraud, where attackers impersonate executives on camera in real time.
  • In 2024, the engineering firm Arup lost $25.6 million in a single day to a deepfake video meeting, where every participant except the victim was AI-generated.
  • Most deepfake defenses act like a one-time checkpoint at the start of a call, so they miss the mid-meeting swap that defines these attacks.
  • Continuous identity verification confirms that every participant is a real human, the right human, and in the right location for the full duration of a call, not just at login.
  • Pindrop Pulse® for Meetings delivers continuous identity verification and real-time deepfake detection on Zoom, Microsoft Teams, and Webex.

You know the email. The one that looks like it came from your CEO. “I’m in back-to-backs, wire this before EOD, don’t call, just handle it.” Your company spent a decade teaching people to catch that email. You bought the filters, added the banners, put the little “EXTERNAL” tag on everything, and ran the phishing quizzes every quarter.

All of it was built to stop an attacker hiding behind text. That attacker was running Business Email Compromise, or BEC: impersonating a trusted executive to authorize a fraudulent payment. Today the same attack runs on video.

Deepfake video call fraud is a form of BEC in which an attacker uses real-time AI-generated audio and video to impersonate a trusted executive on a live video meeting, then uses that manufactured trust to authorize a fraudulent payment or extract access. The attacker doesn’t hide anymore; now they show up on the call and look like someone you know.

How a deepfake video call attack works

A finance manager is asked to join a video call via email. The CFO is there. So is someone from legal, and a VP she recognizes. For eighteen minutes, it’s a completely normal meeting. Everyone looks and sounds right, but then, near the end of the call, the CFO makes an ask: a time-sensitive vendor payment needs to go today. As the CFO looks directly at the employee, the employee sends it.

None of them were real.

In early 2024, UK-based engineering firm Arup lost $25.6 million in a single fraudulent wire transfer after a Hong Kong finance employee was deceived by a deepfake video meeting in which every participant except the victim was AI-generated. It remains the largest publicly reported loss from a deepfake video call scam.

The truth is phishing didn’t go away. It’s evolved.

How Business Email Compromise evolved from email to live video deepfakes

Business Email Compromise has evolved through three distinct phases, each removing one layer of trust that organizations relied on to verify identity.

1.

Email impersonation

Attackers spoofed executive emails, stripping away letterhead and formal process. Organizations eventually countered this with email filters, external sender warnings, and phishing training.

2.

Voice cloning

The same impersonation moved to phone calls, eliminating the defense of heard confirmation. Defenders are still building adequate responses to this phase.

3.

Live video deepfakes

AI now generates a synthetic executive, including their face, voice, and real-time reactions, inside an active video call. This phase removes visual confirmation, the strongest and least-questioned trust signal of all. Seeing someone on a video call is no longer proof that it is them.

Who is at risk from deepfake video fraud?

The threat is not limited to CFOs or finance teams. Any employee who takes a video call is a potential target, including recruiters, legal, procurement, and executive assistants.

Deepfake technology also operates in reverse: fabricated job candidates now use AI-generated video to pass live hiring interviews, gaining insider access with real credentials and real system access. Pindrop covers the deepfake hiring threat in depth separately.

A successful attack does not require a perfect deepfake. It requires one distracted employee who is reasonably confident that the person on screen is who they appear to be.

Why one-time deepfake detection fails: the case for continuous identity verification

Most deepfake defenses operate as a one-time checkpoint: they scan the video feed at the start of a call, make a real-or-synthetic determination, and stop monitoring. This is the same login-once, trust-all-day model that zero trust replaced in network security, and it has the same fatal flaw.

Live deepfake attacks are designed to exploit that gap. An attacker joins a call with a clean, unmanipulated feed, spends the first portion of the meeting building trust, and introduces the synthetic impersonation only at the moment of the fraudulent request. A checkpoint at the start of the call never sees the swap because the swap happens after it has already stopped watching.

Continuous identity verification (CIV) is a security approach that confirms, for the full duration of a live video meeting, that each participant is a real human, the right human, and is connecting from the right location; not just at login, but throughout the entire call. CIV applies the zero trust principle to video meetings: never verify once and walk away. It closes the gap that one-time deepfake detection leaves open.

Pindrop’s continuous identity verification framework runs three checks simultaneously throughout every call to detect deepfakes in live meetings:

  • Real Human: Confirms whether each participant is a live person or AI-generated synthetic audio and video.
  • Right Human: Confirms whether the participant at minute 18 is the same verified person who joined at minute 1, detecting mid-call swaps.
  • Right Location: Confirms where each participant is actually connecting from, flagging VPN masking and geographic mismatches as identity risk signals.

The difference between one-time deepfake detection and continuous identity verification is coverage. One-time detection asks whether a single frame appears synthetic at the moment of joining. Continuous identity verification asks, throughout the entire call, whether each participant is still who they claimed to be and still connecting from where they claimed to be. Only continuous verification catches a mid-call deepfake swap because it’s the approach still watching when the swap occurs.

EU AI Act deepfake rules: what August 2026 enforcement means for organizations

The EU AI Act‘s deepfake transparency provisions become enforceable on August 2, 2026. Organizations that deploy or distribute AI-generated content without required disclosures face fines of up to €15 million or 3% of global annual turnover, whichever is higher.

Why EU AI Act compliance does not prevent deepfake meeting fraud

The regulation requires labeling of AI-generated content, but it doesn’t require or provide tools to detect unlabeled deepfakes. An attacker running live video impersonation fraud will not voluntarily disclose that the feed is synthetic. Disclosure rules and detection capability are not the same thing, and the EU AI Act provides only the former.

Media Zero Trust is coming for video meetings

Zero trust already replaced the login-once, trust-all-day model in network security. The same shift is now underway for video meetings with media zero trust, for the same reason: an attacker who can maintain a persistent presence across an entire session will defeat a control that only checks once at the start.

For organizations that run on video calls, the identity problem no longer ends at login. Visual confirmation (like seeing a face on screen) is no longer reliable proof of identity. The only approach that holds up against live deepfake impersonation is one that continuously confirms each participant is a real human, the right human, and connecting from the right location for the full duration of every call.

Business Email Compromise has evolved from text to voice to live video. Each phase required organizations to stop trusting a signal they had previously relied on. In the video phase, that signal is the face on the screen. The organizations best positioned to defend against this threat are those that stop treating visual perception as sufficient proof of identity and start treating every meeting participant as an endpoint that requires continuous verification.

Learn about deepfakes in hiring

Frequently asked questions

A deepfake video call scam is a form of fraud in which an attacker uses AI-generated audio and video to impersonate a trusted individual, like an executive, colleague, recruiter, or job candidate, live on a video meeting, then uses that trust to request a payment, gain access, or clear a security checkpoint. It is the video-era evolution of Business Email Compromise.

Traditional BEC impersonates an executive over email. Deepfake video call fraud runs the same play on camera, with a synthetic face and voice that react in real time. Both aim to trick someone into a fraudulent action, but the video version removes the visual cue people rely on most: seeing the person. Deepfake video fraud is considered more dangerous than email BEC because visual confirmation was the strongest remaining trust signal, and the one least likely to be questioned in real-time.

Most deepfake detection tools perform a one-time scan at the start of a call and do not monitor participants continuously. Live deepfake attacks exploit this gap by joining clean and swapping in the manipulation later in the meeting—a strategy that a checkpoint at the door will never catch.

Continuous identity verification (CIV) confirms, for the entire duration of a call rather than only at the start, that each participant is a real human, the right human, and is connecting from the right location. It extends the zero trust security model, which holds that no user or device should be trusted based on a single verification event, from network endpoints to live meeting participants.

No. The EU AI Act addresses disclosure, not detection. It requires AI-generated content to be labeled, but does not require or provide tools to detect unlabeled deepfakes. Attackers running live impersonation fraud will not voluntarily label their fakes, so the regulation does not prevent this type of attack. Organizations need continuous detection technology, not disclosure rules, to defend against live deepfake meeting fraud.

Detecting deepfakes in live video meetings requires continuous verification of audio and video for synthetic manipulation, real-time participant authentication against a verified identity baseline, and location intelligence to flag connection anomalies such as VPN masking. Standard platform security controls often don’t include these capabilities natively. Third-party continuous identity verification tools such as Pindrop Pulse® for Meetings integrate directly with these platforms to provide real-time deepfake detection throughout a call.

Deepfake hiring fraud is an attack in which a fabricated job candidate uses AI-generated video and audio to impersonate a human applicant during a live video interview, with the goal of gaining employment and the system access that comes with it. It is the reverse application of the same deepfake technology used in executive impersonation fraud: instead of an attacker posing as an insider to extract value, the attacker poses as a candidate to become an insider.

Pindrop Pulse® for Meetings is a real-time deepfake detection and continuous identity verification product for enterprise video conferencing. It detects AI-generated audio and video, authenticates participants throughout the call (not just at login), and uses location intelligence to flag VPN masking and geography mismatches—on Zoom, Microsoft Teams, and Webex.

Digital trust isn’t
optional—it’s essential

Take the first step toward a safer, more secure future for your business.