Deepfake vs. the Three-Finger Test
Threat actors are increasingly using real-time deepfake technology to conduct identity-based social engineering attacks over video calls. While physical tests like the 'three-finger test' can currently expose cheaper AI overlays because of object-occlusion rendering flaws, rapid advances in generative AI are making these visual tells obsolete. Organizations must shift from relying on human detection to implementing resilient, out-of-band verification processes for sensitive transactions.
Authors: Marc (Huntress)
Source: Huntress
Key Takeaways
- Threat actors are actively using real-time AI face overlays (deepfakes) during video calls to conduct social engineering and financial fraud.
- Physical verification methods like the 'three-finger test' exploit AI object occlusion flaws, but these are temporary fixes as advanced models rapidly patch these visual tells.
- Identity-based attacks are considered the biggest blind spot by 26.5% of IT and security professionals.
- Security awareness training is the single biggest pain point for internal IT teams (34.1%), highlighting the need for risk-based, practical training.
- Organizations must implement strict, out-of-band verification processes (e.g., callbacks, two-person approvals) rather than relying on employees to visually spot deepfakes.
Affected Systems
- Video Conferencing Platforms
- Human Users (Finance, Executives, HR)
Attack Chain
Threat actors initiate video calls with targeted employees (often in finance, HR, or executive roles) using real-time AI face overlays to impersonate trusted individuals. They leverage this false identity to request sensitive actions, such as urgent wire transfers or new vendor payments. If the target relies solely on visual and audio confirmation within the compromised communication channel, the scammer successfully bypasses standard social engineering defenses. The attack succeeds because the victim is operating within a system that lacks mandatory out-of-band verification requirements.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No technical detection rules are provided; the article focuses on process-based mitigation and security awareness against deepfake social engineering.
Detection Engineering Assessment
- EDR Visibility: None — Deepfake video overlays operate at the application/camera level or on external devices controlled by the attacker, leaving no standard EDR footprint on the victim's machine.
- Network Visibility: Low — Video call traffic is encrypted by the conferencing platform (e.g., Zoom, Teams), making it impossible to inspect the video stream for deepfake artifacts via network sensors.
- Detection Difficulty: Very Hard — Real-time deepfakes are designed to bypass human visual inspection and leave no technical IOCs on the victim's endpoint or network.
Required Log Sources
- Application Logs (Video Conferencing)
- Financial Transaction Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Users are receiving urgent financial requests via video conferencing platforms that bypass standard out-of-band verification procedures. | Financial transaction logs correlated with video conferencing access logs | Execution | High |
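One way to run the hunting hypothesis above over log data, as an added example that is not from the Huntress article: it joins constructed financial transaction records with constructed video-conferencing access records and flags payments initiated during or shortly after a call with an external participant that carry no out-of-band verification record. The log field names and sample values are assumptions, not a real product schema.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed schema, not real data). Video-conferencing
# access log: one record per meeting with the internal user and whether a
# participant from outside the tenant joined.
CALL_LOG = [
    {"meeting_id": "m-1", "user": "alice@corp.example", "start": "2024-05-06T13:30:00",
     "end": "2024-05-06T14:05:00", "external_participant": True},
    {"meeting_id": "m-2", "user": "bob@corp.example", "start": "2024-05-06T09:00:00",
     "end": "2024-05-06T09:30:00", "external_participant": False},
]

# Financial transaction log: initiating user, amount, whether the payee is new,
# and whether an out-of-band callback was recorded before release.
TXN_LOG = [
    {"txn_id": "t-1", "user": "alice@corp.example", "initiated": "2024-05-06T14:20:00",
     "amount": 48000, "new_payee": True, "oob_verified": False},
    {"txn_id": "t-2", "user": "alice@corp.example", "initiated": "2024-05-07T10:00:00",
     "amount": 5000, "new_payee": False, "oob_verified": True},
    {"txn_id": "t-3", "user": "bob@corp.example", "initiated": "2024-05-06T09:45:00",
     "amount": 90000, "new_payee": True, "oob_verified": False},
]


def _ts(s):
    return datetime.fromisoformat(s)


def hunt(calls, txns, window=timedelta(hours=1), min_amount=10000):
    """Return (txn_id, meeting_id) pairs where a payment above min_amount or to a
    new payee was initiated between the start of a call with an external
    participant and `window` after it ended, by the same user, with no
    out-of-band verification recorded. Verified payments are never flagged."""
    hits = []
    for t in txns:
        if t["oob_verified"]:
            continue  # the compensating control was applied; nothing to hunt
        if t["amount"] < min_amount and not t["new_payee"]:
            continue  # low-value, known payee: outside the hypothesis
        t_time = _ts(t["initiated"])
        for c in calls:
            if c["user"] != t["user"] or not c["external_participant"]:
                continue
            if _ts(c["start"]) <= t_time <= _ts(c["end"]) + window:
                hits.append((t["txn_id"], c["meeting_id"]))
                break  # one matching call is enough to raise the hit
    return hits
```

In this sample only t-1 is flagged: t-2 had a callback recorded and t-3 followed an internal-only call. Tuning `window` and `min_amount` to the organisation's payment volume is what keeps the FP rate in the "High" column manageable.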
Control Gaps
- Lack of out-of-band verification for financial transactions
- Over-reliance on human visual identification in video calls
Key Behavioral Indicators
- Requests for urgent wire transfers or vendor payments during video calls
- Refusal or inability of the caller to perform physical verification tests (e.g., turning head, waving hand, holding up fingers)
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Implement mandatory out-of-band confirmation (e.g., calling back on a known, trusted phone number) for all wire transfers and sensitive requests.
- Require two-person approval for new vendor payments or changes to payment routing.
Infrastructure Hardening
- Establish strict, process-driven workflows that introduce intentional friction into financial and data-sharing transactions to prevent single-point-of-failure approvals.
User Protection
- Educate high-risk targets (Finance, Executives, HR) on the existence and capabilities of real-time deepfakes.
Security Awareness
- Train employees to recognize that visual confirmation on video calls is no longer sufficient for identity verification.
- Shift security awareness training from generic compliance to risk-based scenarios reflecting actual threats, as generic training is a major pain point for 34.1% of IT teams.
MITRE ATT&CK Mapping
- T1566.004 - Phishing: Spearphishing Voice
- T1036 - Masquerading