Draw me a smiley face”: Old-school tests are tripping up new-school deepfakes
The Wall Street Journal studies that firms are quietly beating AI impostors with delightfully low-tech strikes: ask the caller to draw a smiley face and maintain it to the digital camera, nudge them to pan the webcam, throw in a curveball query solely a actual colleague would know, or cling up and name again on a identified quantity. Simple, a bit cheeky, and—proper now—surprisingly efficient.
Here’s the factor I maintain listening to from CISOs once I ask, “What truly works on a Tuesday afternoon?”
They say the combo transfer issues: mix fundamental human challenges with coverage checkbacks and solely then lean on detection software.
That’s not shade on the instruments; it’s an admission that social engineering—not simply silicon—is carrying these scams.
And sure, the numbers are grim: deepfake fraud losses topped $200 million in Q1 2025 alone, which helps clarify why even very conventional corporations are piloting call-back and passphrase protocols.
If you need a government-grade cross-check, NIST’s latest steering on face-photo morph detection gives a well timed reminder: algorithms mislead, however provenance and layered checks can shut the hole. It’s not about one magic detector; it’s about workflow.
Zoom out for a minute—as a result of one thing else shifted this week. Google is baking C2PA Content Credentials into Pixel 10’s digital camera and Google Photos so pictures can carry cryptographic “diet labels” about how they had been made.
That’s provenance, not detection, nevertheless it adjustments the default: show it, or be handled as unverified.
You may ask: “Cute doodles apart, does any of this cease the headline-grabbing heists?” Sometimes—particularly when folks bear in mind to decelerate.
Law enforcement, for its half, is getting quicker at clawbacks: earlier this yr Italian police froze almost €1 million from an AI-voice rip-off that impersonated a cupboard minister to shake down enterprise leaders. It wasn’t excellent justice, nevertheless it was concrete.
Let me be candid: I used to roll my eyes at “analog defenses” as a result of they felt… flimsy.
Then I watched a actual incident overview the place a finance supervisor defused a suspicious video name by asking the “CFO” to angle the webcam towards the whiteboard.
The lag, the artifacts, the awkward silence—it was a inform. That actual tactic exhibits up in professional playbooks too: change the lighting, transfer the digital camera, maintain up right this moment’s newspaper (sure, that previous chestnut nonetheless works). The level is to yank the attacker off their pre-rendered rails.
There’s coverage momentum, not simply road smarts. Provenance schemes like C2PA will solely matter if platforms show and respect them, and if organizations wire provenance checks into consumption flows.
YouTube’s early steps to label camera-captured, unaltered clips by way of Content Credentials trace at the place this might go if extra ecosystems play alongside.
Does this imply detectors are useless? Not in any respect. They’re simply transferring backstage whereas procedures transfer front-of-house.
The pragmatic learn from requirements our bodies is: mix authentication (who/what created this), verification (did it change, and the way), and analysis (does this make sense in context?). It sounds fussy till you bear in mind the stakes.
One extra query I maintain getting from readers: “Is this overkill for small groups?”
Honestly, no. Pick two strikes you possibly can practice in an hour—verbal passphrases that change weekly and a exhausting rule to name again on a saved quantity for any cash request.
Tape a reminder subsequent to the monitor. It’s not glamorous, however neither is wiring out HK$200 million on a pretend Zoom. The lesson is human: after they anticipate you to zig, you zag—on goal, collectively, each time.
Bottom line: the smiley-face take a look at isn’t a punchline—it’s a sample interrupt. Pair it with call-backs, provenance checks, and a tradition that rewards “decelerate” over “rush it,” and also you’ve acquired a combating probability towards fakes that look and sound uncomfortably actual.