From ‘Does This Look Fake?’ to ‘Can This Be Proved Real?’: The Difference Between Detection and Verification

After the Arup case (2024) and the M&S social engineering attack (2025), every security team in the UK has been asking the same question: how do we stop AI-powered social engineering and impersonation attacks?

Budgets are shifting, new tools are being evaluated, and most conversations focus on detection: software that analyses whether a voice sounds synthetic, whether an email reads as AI-generated, or whether a video call shows signs of manipulation.

Detection is not a bad answer. It just answers the wrong question. As AI improves, the question should shift from “does this look fake?” to “can this be proved real?”. Currently, the gap between those two questions is where fraud succeeds.

What detection tools actually do

Detection tools analyse signals: voice patterns, email metadata, image artefacts, or inconsistencies in video rendering. They compare those signals against models of what manipulated content might look like.

This creates two structural weaknesses.

First, detection is probabilistic. At 85% confidence, 15 in every 100 decisions are wrong. As the underlying AI improves and synthetic content becomes harder to distinguish from genuine content, the confidence scores move in the wrong direction.

Second, detection assumes the attacker must produce something recognisably synthetic. Increasingly, they do not. As AI improves, a cloned voice delivered over a normal phone call leaves little or no synthetic footprint to analyse. 

What verification does instead

Verification does not analyse the communication itself. It bypasses the content and confirms identity directly with the person.

When UnDoubt is used, any high-risk request requires a mutual verification in which both sides confirm, in real time, that they control their trusted devices before any action is taken. The user confirms the request using biometric authentication such as Face ID or fingerprint verification. The device then produces a cryptographic response that only it can generate.

The outcome is binary: the verified person approved the request, or they did not. There is no probability score to interpret and no threshold to calibrate.

AI can clone a voice, generate a face, or imitate a writing style. But it cannot answer a cryptographic challenge tied to a trusted device it does not control. That is what makes the attack fail.

Detection and verification solve different problems

This distinction matters because many organisations are currently evaluating deepfake detection software as their response to AI-driven fraud. However, detection and verification are not competing versions of the same tool. They operate at different layers.

The practical implication: if your threat model includes someone impersonating a colleague, executive, supplier, or customer to trigger a high-risk action, detection alone is not sufficient.

Where this gap is most costly in the UK

  • Financial services carry some of the highest exposure. Payment fraud, CEO impersonation, and business email compromise all exploit the same gap: the moment between a request arriving and an action being taken. A voice that sounds like the CFO. An email that reads like the IT director. A video call that appears completely genuine. These are attack surfaces that detection struggles to secure, and verification is designed to close.
  • Professional services firms face similar exposure. Law firms, consultancies, and accountancy firms handle sensitive client data, large financial transfers, and urgent decisions made under pressure. These are ideal conditions for impersonation attacks.
  • For individuals, the risk is more personal but no less serious. Voice cloning now requires only 3 seconds of public audio. A call that sounds exactly like a family member may be entirely AI-generated. The same verification infrastructure protecting enterprise approvals can also protect individuals from acting on impersonated requests.

How UnDoubt fits into an existing security stack

UnDoubt works alongside existing identity and security systems rather than replacing them.

  • UnDoubt Workforce provides mutual verification for your employees across all communication channels. Protection against CEO impersonation, colleague deepfakes, and internal help desk social engineering.  
  • UnDoubt Connect extends verification to suppliers, partners, and clients. 
  • UnDoubt Verify secures customer-facing helpdesk interactions and credential resets. Protection against business impersonation and inbound social engineering attacks on IT helpdesks. 
  • The UnDoubt app brings the same verification infrastructure to individuals, families and small businesses. 

Across every product, the process remains consistent: a request is made, a verification challenge is issued, the real person confirms or declines the request on their trusted device, and the action proceeds or does not, based on the result.

How to Protect Yourself or Your Business from Impersonation Fraud

If your organisation handles payment approvals, credential resets, supplier bank changes, or sensitive executive communications, you already have exposure that detection tools alone are not designed to close.

The question is no longer whether verification belongs in the security stack. It is how quickly organisations can implement it before the next impersonation incident occurs.

For Enterprises: contact us at undoubt@lastingasset.com to discuss a pilot programme tailored to your organisation’s highest-risk workflows.

For Individuals: Download the UnDoubt app and protect your money and data from impersonators.

UnDoubt: Impersonation Fraud Prevention FAQ

What is the difference between deepfake detection and real-time identity verification?

Deepfake detection analyses whether a piece of content (a voice, video, or written message) shows signs of AI generation or manipulation. Real-time identity verification tools (such as UnDoubt) confirm that the person behind a request controls a trusted device registered to them. 

Does UnDoubt replace MFA or IAM systems?

No. UnDoubt complements existing identity and access management tools rather than replacing them. MFA confirms a valid credential is in use. UnDoubt confirms that the person making a request, during a call, in an email, or in a message, is genuinely who they claim to be at that specific moment. They operate at different layers.

Can detection tools stop AI-driven fraud in 2026?

Detection tools remain useful, but the fundamental challenge is that as AI improves, synthetic content becomes harder to distinguish from genuine content. Detection tools calibrated against today’s AI will be less effective against tomorrow’s. Verification does not depend on detection; it bypasses content entirely and confirms identity at the source.

How does cryptographic verification work?

When a user registers with UnDoubt, their device generates a cryptographic key pair that is permanently bound to that device's secure hardware. Any verification request sent to them is encrypted specifically for that device – only it can read the message, and no one else can intercept or respond to it. This gives both parties confidence: the sender knows their request is private and device-specific, and the recipient knows they are the sole possible respondent. Biometric unlock ensures the device cannot be used without the registered owner present.
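
The challenge-response idea in the answer above and in the "What verification does instead" section, as an added example that is not UnDoubt's own protocol or code. It assumes Ed25519 signatures over a single-use nonce plus the request text (rather than the device-specific encryption described above) and a software key standing in for the hardware-bound one; `Enroll`, `Respond`, `Verifier` and the request string are hypothetical names, and mutual verification would run the same exchange in each direction.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Nonce [16]byte
// msg binds the fresh nonce to the exact request text the approver is shown.
func msg(n Nonce, request string) []byte { return append(n[:], request...) }

// Enroll creates a device key pair; a software key stands in for a hardware-bound one.
func Enroll() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Respond is the device side; a real app would require biometric unlock first.
func Respond(priv ed25519.PrivateKey, n Nonce, request string) []byte { return ed25519.Sign(priv, msg(n, request)) }

// Verifier remembers which request each outstanding nonce was issued for.
type Verifier map[Nonce]string

func (v Verifier) Issue(request string) Nonce {
	var n Nonce
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	v[n] = request
	return n
}

// Check accepts one response per nonce, and only over the request it was issued for.
func (v Verifier) Check(enrolled ed25519.PublicKey, n Nonce, sig []byte) bool {
	request, ok := v[n]
	delete(v, n) // single use: a replayed response fails
	return ok && ed25519.Verify(enrolled, msg(n, request), sig)
}

func main() {
	pub, priv := Enroll()
	v := Verifier{}
	n := v.Issue("change supplier bank details")
	fmt.Println("approved:", v.Check(pub, n, Respond(priv, n, "change supplier bank details")))
}
```

A signature from any other key, a replayed response, and a signature over a different request all fail `Check`, which is what makes the outcome binary.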

Which UK industries are most at risk from impersonation fraud?

Financial services, legal firms, consultancies, insurers, and organisations handling high-value approvals or sensitive client communications currently face the greatest exposure.