Technologies for creating fake video and voice messages are accessible to anyone these days, and scammers are busy mastering the art of deepfakes. No one is immune to the threat — modern neural networks can clone a person’s voice from just three to five seconds of audio, and create highly convincing videos from a couple of photos. We’ve previously discussed how to distinguish a real photo or video from a fake and trace its origin to when it was taken or generated. Now let’s take a look at how attackers create and use deepfakes in real time, how to spot a fake without forensic tools, and how to protect yourself and loved ones from “clone attacks”.

How deepfakes are made

Scammers gather source material for deepfakes from open sources: webinars, public videos on social networks and channels, and online speeches. Sometimes they simply call identity theft targets and keep them on the line for as long as possible to collect data for maximum-quality voice cloning. And hacking the messaging account of someone who loves voice and video messages is the ultimate jackpot for scammers. With access to video recordings and voice messages, they can generate realistic fakes that 95% of folks are unable to tell apart from real messages from friends or colleagues.

The tools for creating deepfakes vary widely, from simple Telegram bots to professional generators like HeyGen and ElevenLabs. Scammers use deepfakes together with social engineering: for example, they might first simulate a messenger app call that appears to drop out constantly, then send a pre-generated video message of fairly low quality, blaming it on the supposedly poor connection.

In most cases, the message is about some kind of emergency in which the deepfake victim requires immediate help. Naturally the “friend in need” is desperate for money, but, as luck would have it, they’ve no access to an ATM, or have lost their wallet, and the bad connection rules out an online transfer. The solution is, of course, to send the money not directly to the “friend”, but to a fake account, phone number, or cryptowallet.

Such scams often involve pre-generated videos, but of late real-time deepfake streaming services have come into play. Among other things, these allow users to substitute their own face in a chat-roulette or video call.

How to recognize a deepfake

If you see a familiar face on the screen together with a recognizable voice but are asked unusual questions, chances are it’s a deepfake scam. Fortunately, there are certain visual, auditory, and behavioral signs that can help even non-techies to spot a fake.

Visual signs of a deepfake

Lighting and shadow issues. Deepfakes often ignore the physics of light: the direction of shadows on the face and in the background may not match, and glares on the skin may look unnatural or not be there at all. Or the person in the video may be half-turned toward the window, but their face is lit by studio lighting. This example will be familiar to participants in video conferences, where substituted background images can appear extremely unnatural.

Blurred or floating facial features. Pay attention to the hairline: deepfakes often show blurring, flickering, or unnatural color transitions along this area. These artifacts are caused by flaws in the algorithm for superimposing the cloned face onto the original.

Unnaturally blinking or “dead” eyes. A person blinks on average 10 to 20 times per minute. Some deepfakes blink too rarely, others too often. Eyelid movements can be too abrupt, and sometimes blinking is out of sync, with one eye not matching the other. “Glassy” or “dead-eye” stares are also characteristic of deepfakes. And sometimes a pupil (usually just the one) may twitch randomly due to a neural network hallucination.

When analyzing a static image such as a photograph, it’s also a good idea to zoom in on the eyes and compare the reflections on the irises — in real photos they’ll be identical; in deepfakes — often not.

Lip-syncing issues. Even top-quality deepfakes trip up when it comes to synchronizing speech with lip movements. A delay of just a hundred milliseconds is noticeable to the naked eye. It’s often possible to observe an irregular lip shape when pronouncing the sounds m, f, or t. All of these are telltale signs of an AI-modeled face.

Static or blurred background. In generated videos, the background often looks unrealistic: it might be too blurry; its elements may not interact with the on-screen face; or sometimes the image behind the person remains motionless even when the camera moves.

Odd facial expressions. Deepfakes do a poor job of imitating emotion: facial expressions may not change in line with the conversation; smiles look frozen, and the fine wrinkles and folds that appear in real faces when expressing emotion are absent — the fake looks botoxed.

Auditory signs of a deepfake

Early AI generators modeled speech from small, monotonous phonemes, and when the intonation changed, there was an audible shift in pitch, making it easy to recognize a synthesized voice. Although today’s technology has advanced far beyond this, there are other signs that still give away generated voices.

Wooden or electronic tone. If the voice sounds unusually flat, without natural intonation variations, or there’s a vaguely electronic quality to it, there’s a high probability you’re talking to a deepfake. Real speech contains many variations in tone and natural imperfections.

No breathing sounds. Humans take micropauses and breathe in between phrases — especially in long sentences, not to mention small coughs and sniffs. Synthetic voices often lack these nuances, or place them unnaturally.

Robotic speech or sudden breaks. The voice may abruptly cut off, words may sound “glued” together, and the stress and intonation may not be what you’re used to hearing from your friend or colleague.

Lack of… shibboleths in speech. Pay attention to speech patterns (such as accent or phrases) that are typical of the person in real life but are poorly imitated (if at all) by the deepfake.

To mask visual and auditory artifacts, scammers often simulate poor connectivity by sending a noisy video or audio message. A low-quality video stream or media file is the first red flag indicating that checks are needed of the person at the other end.

Behavioral signs of a deepfake

Analyzing the movements and behavioral nuances of the caller is perhaps still the most reliable way to spot a deepfake in real time.

Can’t turn their head. During the video call, ask the person to turn their head so they’re looking completely to the side. Most deepfakes are created using portrait photos and videos, so a sideways turn will cause the image to float, distort, or even break up. AI startup Metaphysic.ai — creators of viral Tom Cruise deepfakes — confirm that head rotation is the most reliable deepfake test at present.

Unnatural gestures. Ask the on-screen person to perform a spontaneous action: wave their hand in front of their face; scratch their nose; take a sip from a cup; cover their eyes with their hands; or point to something in the room. Deepfakes have trouble handling impromptu gestures — hands may pass ghostlike through objects or the face, or fingers may appear distorted, or move unnaturally.

Screen sharing. If the conversation is work-related, ask your chat partner to share their screen and show an on-topic file or document. Without access to your real-life colleague’s device, this will be virtually impossible to fake.

Can’t answer tricky questions. Ask something that only the genuine article could know, for example: “What meeting do we have at work tomorrow?”, “Where did I get this scar?”, “Where did we go on vacation two years ago?” A scammer won’t be able to answer questions if the answers aren’t present in the hacked chats or publicly available sources.

Don’t know the codeword. Agree with friends and family on a secret word or phrase for emergency use to confirm identity. If a panicked relative asks you to urgently transfer money, ask them for the family codeword. A flesh-and-blood relation will reel it off; a deepfake-armed fraudster won’t.

What to do if you encounter a deepfake

If you’ve even the slightest suspicion that what you’re talking to isn’t a real human but a deepfake, follow our tips below.

• End the chat and call back. The surest check is to end the video call and connect with the person through another channel: call or text their regular phone, or message them in another app. If your opposite number is unhappy about this, pretend the connection dropped out.

• Don’t be pressured into sending money. A favorite trick is to create a false sense of urgency. “Mom, I need money right now, I’ve had an accident”; “I don’t have time to explain”; “If you don’t send it in ten minutes, I’m done for!” A real person usually won’t mind waiting a few extra minutes while you double-check the information.
• Tell your friend or colleague they’ve been hacked. If a call or message from someone in your contacts comes from a new number or an unfamiliar account, it’s not unusual — attackers often create fake profiles or use temporary numbers, and this is yet another red flag. But if you get a deepfake call from a contact in a messenger app or your address book, inform them immediately that their account has been hacked — and do it via another communication channel. This will help them take steps to regain access to their account (see our detailed instructions for Telegram and WhatsApp), and to minimize potential damage to other contacts, for example, by posting about the hack.

How to stop your own face getting deepfaked

• Restrict public access to your photos and videos. Hide your social media profiles from strangers, limit your friends list to real people, and delete videos with your voice and face from public access.
• Don’t give suspicious apps access to your smartphone camera or microphone. Scammers can collect biometric data through fake apps disguised as games or utilities. To stop such programs from getting on your devices, use a proven all-in-one security solution.
• Use passkeys, unique passwords, and two-factor authentication (2FA) where possible. Even if scammers do create a deepfake with your face, 2FA will make it much harder to access your accounts and use them to send deepfakes. A cross-platform password manager with support for passkeys and 2FA codes can help out here.
• Teach friends and family how to spot deepfakes. Elderly relatives, young children, and anyone new to technology are the most vulnerable targets. Educate them about scams, show them examples of deepfakes, and practice using a family codeword.
• Use content analyzers. While there’s no silver bullet against deepfakes, there are services that can identify AI-generated content with high accuracy. For graphics, these include Undetectable AI and Illuminarty; for video — Deepware; and for all types of deepfakes — Sensity AI and Hive Moderation.
• Keep a cool head. Scammers apply psychological pressure to hurry victims into acting rashly. Remember the golden rule: if a call, video, or voice message from anyone you know rouses even the slightest suspicion, end the conversation and make contact through another channel.

To protect yourself and loved ones from being scammed, learn more about how scammers deploy deepfakes:

• How phishers and scammers use AI
• How fraudsters bypass customer identity verification using deepfakes
• Watch the (verified) birdie, or new ways to recognize fakes
• Is it the boss — or is it a fraudster? Scams disguised as urgent orders from top brass
• Don’t believe your ears: voice deepfakes

Imagine: a user lands on a scam site, decides to make a purchase, and enters their bank card details, name, and address. Guess what happens next? If you think the attackers simply grab the cash and disappear — think again. Unfortunately, it’s much more complicated. In reality, the information enters a massive shadow-market pipeline, where victims’ data circulates for years, changing hands and being reused in new attacks.

At Kaspersky, we’ve studied the journey data takes after a phishing attack: who gets it, how it’s sorted, resold, and used on the shadow market. In this article, we map the route of stolen data, and explain how to protect yourself if you’ve already encountered phishing, or if you want to avoid it in the future. You can read the detailed report complete with technical insights on Securelist.

Harvesting data

Phishing sites are carefully disguised to look legitimate — sometimes the visual design, user interface, and even the domain name are almost indistinguishable from the real thing. To steal data, attackers typically employ HTML forms prompting users to enter their login credentials, payment card details, or other sensitive information.

As soon as the user hits Sign In or Pay, the information is instantly dispatched to the cybercrooks. Some malicious campaigns don’t harvest data directly through a phishing site but instead abuse legitimate services like Google Forms to hide the final destination server.

The stolen data is typically transmitted in one of three ways — or a combination of them:

• Email. This method is less common today due to possible delays or bans.
• Telegram bots. The attackers receive the information instantly. Most of these bots are disposable, which makes them hard to track.
• Admin panels. Cybercriminals can use specialized software to harvest and sort data, view statistics, and even automatically verify the stolen information.

What kind of data are phishers after?

The range of data sought by cybercriminals is quite extensive.

• Personal data: phone numbers, full names, email, registration and residential addresses. This information can be used to craft targeted attacks. People often fall for scams precisely because the attackers possess a large amount of personal information — addressing them by name, knowing where they live, and which services they use.
• Documents: data and scans of social security cards, driver licenses, insurance and tax IDs, and so on. Criminals use these for identity theft, applying for loans, and verifying identity when logging into banks or e-government portals.
• Credentials: logins, passwords, and one-time 2FA codes.
• Biometrics: face scans, fingerprints, and voice samples used to generate deepfakes or bypass two-factor authentication.
• Payment details: bank card and cryptocurrency wallet details.
• And much more.

According to our research, the vast majority (88.5%) of phishing attacks conducted from January through September 2025 targeted online account credentials, and 9.5% were attempts to obtain users’ personal data, such as names, addresses, and dates. Finally, 2% of phishing attacks were focused on stealing bank card details.

What happens to the stolen data next?

Not all stolen data is directly used by the attackers to transfer money to their own accounts. In fact, the data is seldom used instantly; more commonly, it finds its way onto the shadow market, reaching analysts and data brokers. A typical journey looks something like this.

1. Bulk sale of data

Raw data sets are bundled into massive archives and offered in bulk on dark web forums. These dumps often contain junk or outdated information, which is why they’re relatively cheap — starting at around US$50.

2. Data sorting and verification

These archives are purchased by hackers who act as analysts. They categorize datasets and verify the validity of the data by checking if the login credentials work for the specified services, if they are reused on other sites, and if they match any data from past breaches. For targeted attacks, cybercriminals compile a digital dossier. It stores information gathered from both recent and older attacks — essentially a spreadsheet of data ready to be used in hacks.

3. Resale of verified data

The sorted datasets are offered for sale again, now at a higher price — and not only on the dark web but also on the more familiar Telegram.

According to Kaspersky Digital Footprint Intelligence, account prices are driven by a large number of factors: account age, 2FA authentication, linked bank cards, and service userbase. It’s no surprise that the most expensive and in-demand commodity on this market is access to bank accounts and crypto wallets.

Category	Price, US$	Average price, US$
Crypto platforms	60–400	105
Banks	70–2000	350
E-government portals	15–2000	82.5
Social media	0.4–279	3
Messaging apps	0.065–150	2.5
Online stores	10–50	20
Games and gaming platforms	1–50	6
Global internet portals	0.2–2	0.9
Personal documents	0.5–125	15

4. Repeat attacks

Once a cybercriminal purchases a victim’s digital dossier, they can plan their next attack. They might use open-source intelligence to find out where the person works, and then craft a convincing email impersonating their boss. Alternatively, they could hack a social media profile, extract compromising photos, and demand a ransom for their return. However, rest assured that nearly all threatening or extortion emails are just a scare tactic by scammers.

Cybercriminals also use compromised accounts to send further phishing emails and malicious links to the victim’s contacts. So, if you receive a message asking you to vote for a niece in a contest, lend money, or click on a suspicious link, you have every reason to be wary.

What to do if your data has been stolen

1. First, recall what information you entered on the phishing site. If you provided payment card details, call your bank immediately and have the cards blocked. If you entered a login and password that you use for other accounts, change those passwords right away. A password manager can help you create and store strong, unique passwords.
2. Enable two-factor authentication (2FA) wherever possible. For more details on what 2FA is and how to use it, read our guide. When choosing a 2FA method, it’s best to avoid SMS, as one-time codes sent via a text can be intercepted. Ideally, use an authenticator app, such as Kaspersky Password Manager, to generate one-time codes.
3. Check the active sessions (the list of logged-in devices) in your important accounts. If you see a device or IP address you don’t recognize, terminate that session immediately. Then change your password and set up two-factor authentication.

How to guard against phishing

• Don’t click on links in emails or messages without first scanning them with a security solution.
• If you receive a suspicious email, always check the sender’s address to see if you’ve had any contact with that person before. If someone claims to represent a government authority or company, be sure to compare the domain the email was sent from with the domain of the organization’s official website. No official correspondence should ever come from a free email service.
• Use an authenticator app for two-factor authentication.
• Create hack-resistant passwords. Our research shows that hackers can crack almost 60% of all passwords in the world in less than an hour. Alternatively, consider switching to passkeys, which offer much stronger account protection, but keep in mind that they come with their own caveats.
• Remember: using the same password for multiple services is a critical mistake. This is exactly what malicious actors exploit. Even if you’ve never fallen for a phishing scam, your passwords and data can still end up in data breaches, as cyberattackers target not just individuals but entire companies. This year, the Identity Theft Resource Center has already recorded over two thousand data breaches. To minimize the risks, create a unique and strong password for every account. You don’t have to — and actually can’t — memorize them all. It’s better to use a password manager, which generates and securely stores complex passwords, syncs them across all your devices, auto-fills them on websites and in apps, and alerts you if any of your credentials appear in a known data breach.

More on phishing and scams:

• How phishers and scammers use AI
• Phishing 101: what to do if you get a phishing email
• Email extortion: how scammers use blackmail
• Telegram scams with bots, gifts, and crypto
• Et cetera