Step-by-step workflow for evaluating suspected deepfake video, audio, or images. Quick-reference checklists for visual inspection, audio analysis, provenance verification, and escalation guidance.

Who this is for: Security professionals, communications teams, journalists, trust and safety teams, and anyone who needs to evaluate whether specific content is AI-generated or AI-manipulated.

What Deepfakes Are and Why They Matter

Deepfakes are AI-generated or AI-manipulated media — video, audio, or images — designed to convincingly depict events that did not occur or words that were not spoken. They are used in three primary threat contexts:

Financial fraud. Impersonation of executives or trusted contacts to authorize transactions. The Hong Kong deepfake CFO fraud used real-time multi-participant video deepfakes to steal $25.6 million. The UK energy company voice cloning attack used a cloned CEO voice to extract $243,000.
Impersonation and harassment. Non-consensual intimate imagery, identity theft, and reputation attacks. The Taylor Swift deepfake image incident accumulated 47 million views before platform removal.
Disinformation. Manipulated political content designed to influence public opinion. The Slovakia election deepfake audio spread during a pre-election moratorium when candidates could not publicly respond.

No single detection technique reliably identifies all deepfakes. Detection and generation are in a continuous arms race. This guide provides a layered evaluation workflow — combining manual inspection, automated tools, provenance checks, and procedural verification — that represents the current best practice.

For the underlying science — why these methods work, where they fail, and what the incident evidence shows — see the Deepfake Detection Methods reference page.

Threat patterns this guide addresses

This guide applies to three threat patterns in the TopAIThreats taxonomy:

Deepfake Identity Hijacking — synthetic media impersonation for fraud or manipulation
Synthetic Media Manipulation — AI-enabled alteration of authentic media

Step 1: Pause — Do Not Act on Unverified Content

Before analyzing the content, ensure no action is taken based on it:

If the suspected deepfake requests action (transfer funds, share credentials, make a statement): stop and verify first
If it claims to be from a known person: do not respond through the same channel
If it is spreading virally: do not reshare, even to debunk — amplification aids the attacker

Step 2: Preserve the Evidence

Before running any analysis, document what you have:

Save the original file (do not screenshot a video — download the source file if possible) Record the URL, platform, and account that shared it Note the timestamp when you first encountered it Capture metadata (right-click → Properties/Get Info, or use ExifTool)

Step 3: Check for Content Credentials (C2PA)

Upload the file to a C2PA verification tool to check for cryptographic provenance:

Verify at verify.contentauthenticity.org or cr.adobe.com If credentials present: Check the creation device, timestamp, and edit history. Intact credentials from a trusted source are strong evidence of authenticity. If credentials absent: This does not indicate a deepfake — most content in circulation lacks C2PA enrollment. As of 2026, C2PA adoption remains limited to specific camera hardware (Sony, Nikon, Leica) and software ecosystems (Adobe, Microsoft); the majority of online content has no Content Credentials. Proceed to manual and automated analysis.

Step 4: Visual Inspection Checklist (Video and Images)

Examine the content for these indicators. Each is suggestive, not conclusive — multiple indicators together increase confidence.

Face and skin

Unnatural blending at the face-to-background boundary (hairline, ears, jawline) Over-smoothed skin texture (missing pores, wrinkles, natural variation) Skin tone mismatch between face and neck/hands

Eyes

Mismatched corneal reflections between left and right eyes Unnatural blink timing or absent blinking Gaze that doesn't track naturally (looking "through" rather than "at")

Lighting and shadows

Face lighting inconsistent with environmental lighting direction Missing or incorrect shadows (under nose, jaw, brow) Eye reflections showing different lighting than the scene

Video-specific (play at 0.25x speed)

Flickering or warping at face edges during head movement Face sharpness that changes unnaturally during motion Lip sync errors, especially on "b," "p," and "m" sounds

Step 5: Audio Inspection Checklist (Voice Calls and Audio)

Speech patterns

Unnaturally consistent pacing (lacks micro-pauses and rhythm variation) Word stress that sounds algorithmic rather than conversational Filled pauses ("um," "uh") that sound synthetic or are absent

Breathing and noise

No audible breathing between phrases Audio is "too clean" — no room noise, background ambience, or mic artifacts Abrupt changes in noise floor between segments

Voice quality

Subtle errors on unusual words or phoneme combinations Voice sounds familiar but "slightly off" in a way that is hard to articulate

Step 6: Run Automated Detection (Triage Only)

Use one or more automated detection systems as a supporting signal. A negative result does not confirm authenticity.

Examples of systems used for deepfake detection include:

System	Best for	Access
Intel FakeCatcher	Real-time video analysis	Enterprise (Intel hardware)
Hive Moderation	Platform-scale scanning	API (commercial)
Deepware Scanner	Quick individual video checks	Consumer / API
Sensity AI	Threat intelligence correlation	Enterprise

Submit the content to at least one detection system Record the confidence score and tool version Treat the result as triage input, not a verdict

For how these systems work and why they fail on novel generation methods, see Deepfake Detection Methods — Automated Detection Systems.

Step 7: Verify Out-of-Band (High-Stakes Contexts)

For any content that could drive a consequential decision:

Identity claims

Call the purported person back on a pre-established number (not one provided in the suspicious communication) Use a pre-arranged code word or challenge question Require written confirmation through a separate channel (email from known address, corporate messaging)

Source claims

Verify through the organization's official channels directly Do not trust the video/audio itself as evidence of its own source

Legal or evidentiary use

C2PA provenance + chain of custody records are required Automated detection results alone are insufficient for legal proceedings Engage a digital forensics specialist Jurisdictions differ in evidentiary requirements and forensic standards; consult local legal counsel

Step 8: Escalate When Necessary

Not all deepfakes require the same response. Escalation depends on context:

Financial impact

If the deepfake has been or could be used to authorize financial transactions:

Freeze affected accounts or transactions immediately Notify your finance/treasury team and internal security File a report with law enforcement (FBI IC3 in the U.S., Action Fraud in the UK) Preserve all evidence (Step 2) for forensic and legal use

Legal exposure

If the deepfake could result in litigation, regulatory action, or evidentiary proceedings:

Engage legal counsel before taking public action Ensure chain of custody for all preserved media Commission independent digital forensic analysis Document the timeline of discovery and response

Organizational reputation

If the deepfake targets your organization’s leadership, brand, or public communications:

Activate your AI Incident Response Plan if one exists Coordinate with communications team before issuing any public statement Contact the platform hosting the content for expedited removal Brief affected individuals (executives, employees depicted)

Election or political content

If the deepfake relates to elections, political figures, or public policy:

Report to the relevant electoral authority Use platform-specific synthetic media reporting mechanisms Do not reshare, even with commentary — this amplifies the content

If the deepfake is circulating on social media and does not target your organization:

Report via the platform's synthetic/misleading content mechanism Do not reshare or engage publicly No further action required unless the content escalates

Quick Decision Tree

Suspected deepfake
├── Requesting action (money, credentials, statement)?
│   └── YES → STOP. Verify out-of-band (Step 7) BEFORE anything else.
│
├── Has Content Credentials (C2PA)?
│   ├── YES, intact from trusted source → Likely authentic.
│   └── NO → Continue analysis (Steps 4-6).
│
├── Multiple visual/audio indicators present?
│   ├── YES → Treat as suspected deepfake. Escalate per Step 8.
│   └── NO / UNSURE → Run automated detection. Verify out-of-band if high-stakes.
│
└── Low-stakes context (social media, not targeted)?
    └── Report to platform. Do not reshare.

Where This Guide Fits in AI Threat Response

This guide covers detection — evaluating whether specific content is AI-generated. It is one part of a layered response:

Detection (this guide) — Is this authentic? Evaluate specific media for signs of AI generation or manipulation.
Detection methods — How does detection work? Technical reference on forensic analysis, automated systems, provenance, and their limitations.
Prevention — Can we prove content is real? Establishing authenticity at the point of creation.
Organizational defense — Can we prevent harm even if detection fails? Verification protocols, training, and procedural controls.
Incident response — What do we do now? Response procedures when a deepfake attack succeeds.

What This Guide Does Not Cover

Why detection methods work and fail — see Deepfake Detection Methods for technical mechanisms, incident evidence, and the detection-generation arms race
Voice cloning specifically — see Voice Cloning Detection
Organizational prevention controls — see Deepfake Social Engineering Prevention
AI threat risk assessment — see How to Assess AI Threat Risk

How to Detect Deepfakes: A Practitioner Checklist