“Pretty Sure” Isn't Good Enough. Why Deepfake Detection Must Go Deeper

Recently, I heard a chief information security officer (CISO) put it bluntly: “Bad guys are adopting AI faster than everyone else.” I was in a room of 22 government chief information officers (CIOs). No one argued. And nowhere is widespread AI exploitation more visible than in the explosion of deepfakes.

One of the biggest existential threats to us all is how easily, effectively, and quickly someone can create a fake image, video, or voice for less than $10 a month. It is no longer enough to use “what you see” as proof that something happened or exists.

For federal agencies (and state and local agencies right behind them), this isn’t just a misinformation problem—it’s an identity verification and access-control problem. When the mission includes protecting systems and benefits, “pretty sure” just isn’t good enough.

Creating a Convincing Deepfake is Easier Than You Think

Deepfakes are easily the hottest topic during the community ed class I teach.

At some point during the semester, I tend to demonstrate for the class how easy it is to manipulate an image by creating a deepfake of myself getting arrested on live news. Without fail, half the room immediately reaches for their phone—not to record it, but to try it themselves. That moment tells you everything.

We're not talking about hours of work by a skilled editor. We're talking about minutes. With free or cheap tools, anyone can generate a convincing fake image, swap a face onto a video, or clone someone's voice from just a few seconds of audio. The barrier to entry is gone.

How to Spot Deepfakes While Scrolling Social Media

In my class, I remind students that it's important to use common sense while scrolling social media—for example, pausing when you notice visual cues that feel off. Some common giveaways for deepfakes include:

• Overly even lighting
• Too much facial symmetry
• Blurry backgrounds
• Skin that looks too smooth
• Strange edges around hair and ears

These visual cues are absolutely worth knowing. They'll help you think twice before forwarding a viral video or trusting a screenshot. For low-stakes, social media situations, a trained eye still has value.

But here's the honest truth: telltale signs are fading. AI tools are improving faster than human perception can keep up. What you can catch today may be completely undetectable tomorrow.

And that gap matters enormously because not all deepfake threats are equal. Scrolling past a suspicious post is one thing. But what about a federal agency verifying someone's identity before granting access to sensitive systems? A state agency onboarding a benefits recipient? A local government employee provisioning access to internal apps?

In those scenarios, there is no room for a missed signal. You can't hedge your way through a high-stakes identity decision. That's a completely different problem, and it requires a completely different solution.

How Incode Revolutionizes Deepfake Detection

At Incode, we take a much more holistic approach to verification: don't trust the image; interrogate the moment. Any sophisticated deepfake can fool a camera. What it can't easily fake is the context of a real, live human interaction.

That’s exactly why we built Deepsight.

‍

‍

When someone presents their face for identity verification, Deepsight doesn’t merely analyze pixels. It reads the motion sensors in the device to detect screen-replay attacks (in which a bad actor holds a screen or projector up to the camera instead of a real face). It checks whether the camera has been hijacked or the device jailbroken, both common vectors for injecting synthetic video into the verification stream. It uses active liveness detection to confirm that a real, present person is generating the biometric in real time—not a photo, not a looped video, not an AI-generated face.

The human eye looks for artifacts. Incode looks for truth. That distinction matters when the cost of getting it wrong isn't a mistaken retweet; it's unauthorized access to a sensitive federal system or a fraudulent account opening.

It's Not Just Fake Photos; It's Fake Everything

Here's the part that most people don't think about: deepfakes aren't just about creating a fake picture or video of someone. Scammers and hackers are using the same AI tools to convincingly forge identity documents, weaponize agent interactions, and even create fake websites that look identical to legitimate ones.

In the context of sensitive websites where users enter their Social Security numbers (SSNs), tax information, and personal data, that final capability is especially troubling. Paying attention to something as simple as a .gov domain can protect you from these fake sites. But verifying identity is no longer as simple as gut-checking a user’s biometric scan or driver’s license.

AI is making it easy to fake anything. The only answer is identity verification (IDV) built for a world where seeing is no longer believing.

FAQ about Deepfakes, Identity Verification, and Government Security

Why are deepfakes a federal cybersecurity concern?

Deepfakes can be used for identity fraud, account takeover, and social engineering—including attempts to gain access to federal systems, contractor portals, and sensitive workflows where identity proofing and authentication matter.

How can a government agency verify identity when photos and video can be faked?

For higher-assurance scenarios, agencies need more than visual inspection. The goal is to validate a real, present person through live interaction signals (liveness) plus additional checks that reduce risk of replay or synthetic injection. This can be achieved by working with a third-party IDV vendor like Incode.

What’s the difference between “spotting” a deepfake and preventing deepfake-enabled identity fraud?

Spotting focuses on human-perceived artifacts in media. Preventing fraud focuses on high-assurance identity verification controls that work even when the media looks perfect.

What is liveness detection and why does it matter for federal and state agencies?

Liveness detection helps confirm a real person is present during verification, rather than a photo, a replayed video, or a synthetic face. It’s especially important for government use cases where remote identity proofing is tied to access, benefits, or compliance.

How do deepfakes impact state and local government services?

State and local agencies face many of the same risks: benefits fraud, impersonation of employees or residents, and fraudulent account creation for online services. Deepfakes raise the stakes because they reduce the cost and skill required to attempt identity fraud at scale.

What are common deepfake attack methods during remote verification?

Examples include screen-replay attacks (presenting a display to the camera), injected or hijacked camera feeds, and synthetic media presented as “live” video.

How does Incode help protect identity verification workflows from deepfakes?

Incode focuses on validating the moment, combining active liveness approaches with device and session signals to detect replay and manipulation attempts that a simple visual check can miss.

What should agencies and integrators prioritize first to reduce deepfake risk?

Start by identifying the highest-risk workflows (privileged access, onboarding, and benefits), then align verification controls to the required assurance level—especially for remote identity proofing.

‍

‍

Incode was named a Leader in the 2025 Gartner® Magic Quadrant™ for Identity Verification. Download the report to learn more.

‍