What is a deepfake, and how worried should I actually be in 2026?

More context

A deepfake is media — usually video, increasingly voice or image — that has been generated or altered by AI to make a real person appear to do or say something they did not. The name combines deep learning (the AI technique) with fake; it was coined in 2017 around an early class of face-swap algorithms. In 2026 the underlying technology is dramatically better, dramatically cheaper, and available through free or low-cost consumer services.

The realistic threat shape for ordinary people in 2026 — what is actually happening, in order:

1. Voice-clone phone scams. A criminal clones the voice of someone you love (child, grandchild, partner) from 5-30 seconds of public audio, then calls you sounding exactly like them. The call is short and urgent: an accident, an arrest, a hostage situation, a sudden bank-account problem. The goal is a fast wire transfer or a delivery of cash to an address. This is the dominant deepfake threat to households globally and is growing fast — France’s CNIL, the FBI, the UK’s Action Fraud have all issued advisories.
2. Executive-impersonation video calls. A finance employee receives a video call from “the CFO” (and sometimes other “senior colleagues” too) requesting an urgent transfer. The Arup case in Hong Kong (early 2024) lost $25M this way. Similar attempts on European companies are public; the unreported ones are presumably larger.
3. Romance and investment scams reinforced with video. A scammer pretending to be a real-looking person on a dating app uses pre-recorded deepfake video clips and AI voice during calls to maintain the illusion long enough to push a fake crypto investment.
4. Political and reputational fakes. Politicians, business leaders, public figures being made to appear to say things they did not. These are the most-discussed deepfakes but, for most ordinary people, the least likely to affect daily life.
5. Non-consensual intimate imagery. A serious and growing harm, especially to women and teenage girls. Increasingly criminalised explicitly (France’s SREN law 2024, EU AI Act, UK Online Safety Act, US federal TAKE IT DOWN Act 2025).

The practical defences are about process, not image-spotting:

• A family code word. Agree a single word with your closest people that you can ask for during any “I’m in trouble” call. A voice clone cannot guess it.
• The known callback. For any urgent money request, hang up and call back on the number you already have for that person or institution. Don’t dial the number the call came from.
• Two-channel confirmation at work. No transfer over a certain amount is authorised by video or voice alone — you also confirm in chat with the person, or in person, or with a second signatory.
• Slow down. Every successful deepfake scam relies on you acting in seconds. The 90 seconds it takes you to call back is the entire defence.
• For video calls: ask the other person to do something current generative video struggles with — turn fully sideways, cover one eye with their hand, hold up an object the scammer would not have. It is not perfect, but it raises the cost of the attack.

What is being built (slowly): content provenance standards like C2PA / Content Credentials, where legitimate cameras and editing software sign content cryptographically so that consumers can verify “this video really did come from a Canon camera and was edited only in Adobe Premiere”. Major platforms (TikTok, LinkedIn, Adobe, OpenAI) have begun supporting it; broad consumer-side adoption is still emerging.

Deepfakes are not the end of trust online. The discipline they push us toward — verify through a known second channel, never act on voice or video alone, agree code words — is the same discipline that has always defended against impersonation. It is just no longer optional.