Casual verification is the set of signals people use without admitting they are authenticating: familiar voice, expected tone, correct background, private detail, known urgency. Synthetic media and compromised context weaken all of them. A convincing identity no longer requires perfect imitation. It needs enough accuracy to survive the few seconds before a trusted person acts. The Swiss NCSC has already described CEO fraud using a deepfake-enabled online meeting. The strategic lesson is broader than video: appearance is becoming cheap evidence.
Identity is a claim with consequence
Do not demand the same ceremony for every interaction. Ask what the claimed person is trying to cause. A greeting, draft or scheduling request may tolerate low assurance. A new beneficiary, credential reset, private disclosure, legal commitment or public statement requires strong independent proof.
Retire the private-fact challenge
Mother’s maiden name, travel schedule, adviser identity and recent transaction detail may feel private. They exist in public records, breached data, email histories and social graphs. Knowledge proves access to information, not identity. Use possession of a registered authenticator, verified institutional account and independent call-back instead.
Value object — The Consequence Verification Matrix
For each instruction class, define:
- Consequence: routine, sensitive, high value or exceptional.
- Permitted originating channels.
- Required identity factors.
- Independent verification route.
- Number and independence of approvers.
- Evidence retained.
- Action if verification fails or the claimant invokes urgency.
Publish the matrix to the people who receive instructions, not only to security.
Verify the route, not the performance
Do not debate whether the video looked real. End the interaction and start a new one through a registered route. Call the known number, use the existing authenticated account or contact a second authorised person. A synthetic performance can follow across channels if the attacker chooses them. Independence requires a route selected from the institution’s record.
Expect mixed reality
The hardest event combines real and synthetic elements: a compromised genuine account, authentic documents, a cloned voice and a live human operator. Controls should not depend on identifying which component is fake. They should determine whether the requested action is authorised through evidence the attacker does not control.
Protect the person who pauses
Hierarchy makes casual verification dangerous. Staff fear insulting a principal or delaying an opportunity. Give them standard language and explicit authority to stop: “This action requires independent confirmation through the registered route.” A genuine principal should recognise the process as protection.
Familiarity is not assurance
Humans will continue to trust faces and voices because that is how social life works. Institutions can preserve that convenience for low-consequence interaction. When identity can move money, authority or private information, casual familiarity must yield to designed verification.
