Synthetic Identity Will Break Casual Verification

Voice, face, writing style and private context can all be imitated. Build verification around registered identity, independent channels and consequence.

The answer

Casual verification is the set of signals people use without admitting they are authenticating: familiar voice, expected tone, correct background, private detail, known urgency. Synthetic media and compromised context weaken all of them.

Casual verification is the set of signals people use without admitting they are authenticating: familiar voice, expected tone, correct background, private detail, known urgency. Synthetic media and compromised context weaken all of them. A convincing identity no longer requires perfect imitation. It needs enough accuracy to survive the few seconds before a trusted person acts. The Swiss NCSC has already described CEO fraud using a deepfake-enabled online meeting. The strategic lesson is broader than video: appearance is becoming cheap evidence.

Identity is a claim with consequence

Do not demand the same ceremony for every interaction. Ask what the claimed person is trying to cause. A greeting, draft or scheduling request may tolerate low assurance. A new beneficiary, credential reset, private disclosure, legal commitment or public statement requires strong independent proof.

Retire the private-fact challenge

Mother’s maiden name, travel schedule, adviser identity and recent transaction detail may feel private. They exist in public records, breached data, email histories and social graphs. Knowledge proves access to information, not identity. Use possession of a registered authenticator, verified institutional account and independent call-back instead.

Value object — The Consequence Verification Matrix

For each instruction class, define:

  • Consequence: routine, sensitive, high value or exceptional.
  • Permitted originating channels.
  • Required identity factors.
  • Independent verification route.
  • Number and independence of approvers.
  • Evidence retained.
  • Action if verification fails or the claimant invokes urgency.

Publish the matrix to the people who receive instructions, not only to security.

Verify the route, not the performance

Do not debate whether the video looked real. End the interaction and start a new one through a registered route. Call the known number, use the existing authenticated account or contact a second authorised person. A synthetic performance can follow across channels if the attacker chooses them. Independence requires a route selected from the institution’s record.

Expect mixed reality

The hardest event combines real and synthetic elements: a compromised genuine account, authentic documents, a cloned voice and a live human operator. Controls should not depend on identifying which component is fake. They should determine whether the requested action is authorised through evidence the attacker does not control.

Protect the person who pauses

Hierarchy makes casual verification dangerous. Staff fear insulting a principal or delaying an opportunity. Give them standard language and explicit authority to stop: “This action requires independent confirmation through the registered route.” A genuine principal should recognise the process as protection.

Familiarity is not assurance

Humans will continue to trust faces and voices because that is how social life works. Institutions can preserve that convenience for low-consequence interaction. When identity can move money, authority or private information, casual familiarity must yield to designed verification.

Sources

  1. Swiss NCSC: Online meeting with deepfake bossSwiss NCSC: Online meeting with deepfake boss

    Primary authority

  2. Swiss NCSC: CEO-FraudSwiss NCSC: CEO-Fraud

    Primary authority

  3. NIST Digital Identity GuidelinesNIST Digital Identity Guidelines

    Primary authority

Ross BelhommePartner, Svperior / Legal

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry