Quick answer: Real-time face-swap tools now run on consumer hardware, putting deepfake video calls within reach of fraud operators. Spot one by asking for a complex hand-over-face gesture (the three-finger test), a 90-degree profile turn, a sudden light-source change, and by verifying urgent requests through a known-number callback or a pre-shared safe word.
A recruiter calls you on Zoom. The face matches the LinkedIn photo. The voice is right. The story tracks. They want you to wire a deposit, sign an NDA, share a tax document. Everything feels normal.
The face on the screen is generated in real time. The voice is cloned. The person on the other end is in a room you cannot see, running a consumer-grade face-swap pipeline on a gaming GPU.
This is the version of deepfake fraud that landed British engineering firm Arup with a $25 million loss in a single day when a finance employee joined a video call with multiple "executives," all AI-generated. Clips of job-interview scammers failing the three-finger test have surfaced on social platforms, exposing the consumer version of the same playbook. The detection has to happen during the call. There is no URL to paste into a checker.
This post walks through seven physical tests you can run live on any video call, the 30-second sequence that compresses them into a normal-feeling conversation, and what to do when the person on screen fails.
For the broader technical grounding on how synthetic video gets generated in the first place, see the pillar guide on what a deepfake actually is.
$25 million
Stolen from British engineering firm Arup in a single day in January 2024 via a deepfake video call. The finance employee who authorized 15 wire transfers was on a video conference with multiple "executives" who were all AI-generated. Real-time face-swap is no longer hypothetical, and it is no longer a hypothetical defense problem either.
Source: Hong Kong Police (February 2024); Arup public confirmation (May 2024).
Why Real-Time Face-Swap Is the Next Detection Frontier
Three structural shifts make the live video call the highest-leverage detection surface in 2026.
Consumer-grade real-time face-swap exists. Tools like DeepFaceLive and equivalent open-source pipelines run on a single mid-tier GPU. The barrier to running a convincing face-swap during a Zoom call dropped from "research lab" in 2023 to "Twitch streamer setup" by 2026. The pool of attackers is no longer state actors and well-resourced criminal groups; it is anyone with a gaming PC.
Video calls carry the same trust phone calls used to. The face on the screen is treated as identity confirmation. Hiring managers run interviews over Zoom and treat the face as proof of who is on the other end. Finance teams approve wire transfers based on a video call with a "CFO." Real-time face-swap breaks the visual-identity layer in the same way voice cloning broke phone-call trust, and the visual layer is the one most workplaces have not yet learned to distrust.
Detection happens during the call, not after. Unlike a TikTok URL you can paste into a checker after the fact, a Zoom call is real-time. The test has to run in the conversation, on the person, while they are watching you. The good news: real-time face-swap models have specific physical failure modes that you can elicit with simple requests. The bad news: you have to actually do it, in the middle of a call, with a stranger you do not want to offend.
Seven Real-Time Tests to Run on a Suspicious Video Call
These work against the current generation of consumer real-time face-swap tools through 2025 and 2026. The strongest models handle one or two of these better than older versions, so absence of a failure on any single test does not clear the call.
1. The three-finger test (hand crossing the face). Ask them to hold up three fingers in front of their face and wave slowly side to side. Real-time face-swap models struggle when a hand crosses the face boundary. The swap either drops (showing the real face underneath briefly) or warps the hand and fingers visibly. This is the test that has surfaced multiple deepfake job-interview scammers on camera in 2026.
2. The 90-degree profile turn. Ask them to turn their head fully to the side, showing the profile view of their face. Most consumer real-time face-swap models are trained predominantly on front-facing source data. The swap collapses or shows hard edges at the jawline and ear when the face turns past about 60 degrees. A real person turns smoothly; a swapped face shows visible seams at the transition.
3. Sudden light-source change. Hold a lit phone close to your camera, or briefly cover and uncover your light source. The "person" on the other end should react: pupils contract, the head tilts away from glare, the skin tone shifts in real time. Real-time face-swap models do not reliably model sudden lighting changes on the swapped face. The lighting on the AI-rendered face often stays inconsistent with the rest of the scene during the transition.
4. Specific gesture combo. Ask them to perform a sequence: spell today's date on their fingers, perform a named handshake, draw a number in the air with their index finger while their face is fully visible. Multi-step physical sequences expose model latency. A real person performs the sequence in continuous motion; a real-time face-swap pipeline drops frames or fails to maintain identity through fast motion.
5. Stand up and step back. Ask them to stand up briefly, step back from the camera so their full upper body is visible, then sit down. Real-time face-swap models operate on a tight crop around the face. When the face leaves the model's tracked region (during the stand-up or step-back), the swap fails or you briefly see the real face. The transition is the tell.
6. Side-channel verification. End the video call. Call back on the phone using a number you have on file, or message them on a platform they have used before with you. This is the same logic as the callback verification for AI voice cloning: a real person will accept the channel switch without resistance; a scammer will manufacture reasons you cannot leave the current call. The resistance is the tell.
7. Pre-shared safe word or context-only knowledge. A short word or phrase agreed in advance with the real person, or a question only the real person would know how to answer (where you met, the name of a shared dog, a project detail). This is the gold standard. Clones replicate voice and face. They cannot replicate private context. The principle is the same one AARP recommends for family voice cloning scams.
For the broader operator playbook that pairs real-time face-swap with cloned voices and romance-scam framing, see how to spot a deepfake romance scam. The seven tests above apply to any live video call, not only romantic contexts.
Think you found an AI video?
Paste the URL and let the Ledger community verify it. Free.
The 30-Second Test Sequence
A scannable workflow you can run on any live video call without making the call feel like an interrogation. The structure works as a casual gesture conversation.
- 0:00–0:05: Ask them to wave with one hand, fingers spread, palm facing camera. Watch for finger-blending or edge warping.
- 0:05–0:10: Ask them to turn their head to the side ("can you check if your camera's catching your good side?"). Watch the profile transition.
- 0:10–0:15: Three-finger test. Ask them to hold up three fingers and wave slowly across their face.
- 0:15–0:20: Hold up your phone with the flashlight on near your camera, briefly. Watch for pupil reaction and light reflection on the face.
- 0:20–0:25: Ask them to stand up briefly to grab something off-camera.
- 0:25–0:30: Drop in a context-only question or propose a callback on the phone.
If two or more steps fail, end the call. The sequence runs as a normal back-and-forth in conversation. The pressure to comply within the call is the operator's only leverage; the tests are how you take that pressure off.
What to Do When Someone Fails the Test
Three steps in order.
End the call. Do not negotiate, do not transfer anything, do not sign anything, do not share any document. The social cost of awkwardly ending a video call is recoverable in 60 seconds. The financial or operational cost of completing a deepfake transaction is not. The operator counts on the social discomfort to keep you in the call; the call itself is the leverage they have, and ending it removes it.
Verify externally before any follow-up. Reach the person you thought you were talking to through a channel you have used before with them: a phone number you have called before, an email address you have written to before, a Slack DM thread you have used before. Do not use the contact information given to you in the suspect call.
Report the incident. For workplace scams, report to your security team and your finance/treasury team immediately, even if no money moved. The Arup case was discovered through standard post-transaction follow-up; earlier reporting compresses the discovery window. For personal scams, report to the FTC at reportfraud.ftc.gov and to the FBI's Internet Crime Complaint Center at ic3.gov. For job-interview deepfakes specifically, the bidirectional candidate-and-recruiter detection guide covers the reporting flow for both sides.
If the deepfake video call was preceded by social-media outreach from a TikTok, Instagram, X, or LinkedIn profile, that profile is the searchable side of the operator. The face on the video call is ephemeral; the profile that recruited you into the call is not.
What Ledger Does Differently
The video call is real-time, and the detection has to be too. Ledger does not check live Zoom calls. The seven tests above are yours to run.
What Ledger covers, and what compounds with this guide, is the social-media surface where the same operator pattern lives. Almost every real-time face-swap scam in 2026 starts with a profile reach-out: a LinkedIn recruiter contact, an Instagram DM, a TikTok video that funnels to a "consultation call," a romance match on a dating app that escalates to a video call. The profile that contacted you exists on a public platform. The operator running it has other victims, other profiles, and a pattern you can search for.
Paste the originating profile URL into the free AI video detector. The community has already flagged a growing list of operator accounts. If the profile that pulled you into the suspect video call shows up in the database, that is the second confirmation you need.
If you want to help build the community record so the next person who gets pulled into a deepfake video call sees the profile flagged before they accept, join the iOS or Android waitlist and be among the first to flag accounts when the apps ship.
[APP-DOWNLOAD]
Related Posts
- What Is a Deepfake? A Plain-English Guide for Social Media Users: the technical foundation that explains how real-time face-swap models work and why the seven tests above expose them
- Deepfake Romance Scams Cost Americans $1.1B in 2025. Here Is How to Spot One.: the romance-scam sibling where real-time face-swap is paired with voice cloning and emotional manipulation
- AI Deepfake Job Interviews Are Real. How to Spot a Fake Candidate or a Fake Recruiter.: the workplace sibling for the recruiter-impersonation and candidate-impersonation versions of the same vector
- How to Tell If a Voice Is AI-Generated: 7 Signs to Listen For Before You Trust Audio: the audio-only sibling, since most real-time face-swap calls pair video deepfakes with cloned voices
