• itscybernews
  • Posts
  • A single photo can now put your boss's face on a live video call. One finance worker watched his “colleagues” fill the screen — and wired away $25 million.

A single photo can now put your boss's face on a live video call. One finance worker watched his “colleagues” fill the screen — and wired away $25 million.

A free tool that hit #1 on GitHub lets anyone wear another person’s face in real time on a video call. The wonder, the $25M trapdoor, and the one-word fix that still beats it.

For as long as there have been video calls, seeing someone’s face was proof enough. If your boss appeared on the screen, moving and talking like your boss, it was your boss. That quiet certainty held for about fifteen years.

In 2026 it’s gone. A free, open-source tool called Deep-Live-Cam climbed to #1 on GitHub’s trending list and has since collected tens of thousands of stars — and what it does is disarmingly simple. Feed it one photograph of a face and point it at your webcam, and it puts that face over yours live, matching your head movements and lip-sync, inside an ordinary Zoom, Teams, or Google Meet call. Five minutes of setup. One photo. Anyone’s face.

That’s a genuine marvel and a genuine trapdoor, wearing the same coat. This issue is about both.

🎭 The wonderful part: a face you can put on and take off

Start with why this technology exists at all, because the honest version is delightful.

Real-time face and voice synthesis is the engine behind a wave of legitimately useful things:

  • Live dubbing. Give a talk in English and have the audience in São Paulo watch your own face speak fluent Portuguese, lips matched to the words, in real time. Language stops being a wall.

  • Presence without exposure. People who don’t want their real face on camera — abuse survivors, whistleblowers, kids’ entertainers, a streamer who’d like to keep a private life — can appear as a consistent avatar instead of a webcam feed.

  • Virtual production and accessibility. Small studios put an actor’s performance onto a character with a laptop instead of a motion-capture stage. Someone who hates being filmed can still join the meeting as themselves-on-a-good-day.

  • Play. A huge share of the tool’s fans just want to sit in a work call as a movie character for thirty seconds. Harmless, and honestly kind of great.

The barrier that used to guard all of this — you needed a render farm, a rig, and a VFX budget — is gone. One photo, a webcam, a few minutes. That’s the same democratization that put a recording studio in everyone’s pocket. Most of what people do with it is ordinary and fun.

And that is exactly why the dark version works so well.

🪤 The catch: if any face fits, then “I saw them” stops being proof

Here’s the sentence that should stick with you: the moment anyone can wear anyone’s face, seeing is no longer believing.

In early 2024, a finance worker at Arup — the British engineering firm behind the Sydney Opera House — got a message that seemed to come from the company’s UK chief financial officer, about a confidential transaction. He was suspicious. So he did the responsible thing: he joined a video call to check.

On the call were the CFO and several colleagues he recognized. They looked right. They sounded right. Reassured, he went ahead and sent HK$200 million — about $25 million — across 15 transfers.

Every single person on that call was a deepfake. Not the CFO, not one colleague — all of them synthetic, built from Arup executives’ publicly available video and audio. Hong Kong police disclosed the case in February 2024; Arup confirmed it was the victim that May. No arrests have been announced. The money was never recovered.

The unnerving part is how cheap the attacker’s side has become. Deep-Live-Cam is free. On the dark web, ready-made real-time deepfake video services for calls are advertised from around $30, custom face and voice included. What cost a nation-state a fortune a few years ago now costs less than lunch.

And it’s scaling fast:

  • Deloitte projects gen-AI could push US fraud losses to $40 billion by 2027, up from $12.3 billion in 2023 — a 32% a year climb.

  • Deepfake-related fraud losses topped $410 million in just the first half of 2025.

  • By some measures, AI and deepfakes now power roughly 1 in 8 successful scams.

The thread tying it together is the same one from every issue: a tool built to free people — from language barriers, from the camera, from expensive studios — hands a stranger the exact same power to impersonate them. The scarce thing is no longer making a convincing face. It’s proving the face is really you.

🛡️ The good news: the defenders moved fast — and one defense is free

It’s easy to read the above and want to unplug the router. Don’t. The counter-moves arrived quickly, and the most powerful one costs nothing.

  • Real-time detection landed. Tools like Pindrop Pulse for Meetings now scan live video calls for synthetic voice and video as the call is happening, flagging a fake in seconds. Identity vendors report liveness checks in the high-90s for accuracy, catching most swaps before they reach a human.

  • Layered checks trip the fake. Banks now stack voice, video, behavioral, and device signals. The more elaborate the deepfake, the more likely it stumbles on one of the other checks — a wrong device, an off location, a hand passing in front of the face that the swap can’t handle cleanly.

  • The authorities wrote it down. The FBI, together with the American Bankers Association, put out plain-English guidance: stop and think before urgent requests, verify through a channel you trust, and — the big one — agree a codeword in advance.

That last one is the quiet hero. A safe word beats every deepfake ever made, because no amount of AI can synthesize a secret it was never given. It’s 2026’s best security control, and it’s a single word you already know how to keep.

✅ What to actually do

For you and your family (5 minutes, tonight):

  1. Pick a family safe word. Something never posted online — no pet names, no birthdays. If a panicked “relative” or “boss” ever calls asking for money or gift cards, ask for the word. No word, no money.

  2. Treat urgency as the red flag itself. “Do this now, don’t tell anyone” is the signature of the scam, on video or not. Real emergencies survive a five-minute pause.

  3. Hang up and call back on a number you already have. Not the number that called you — the one in your own contacts. A deepfake can’t answer your known line.

  4. Make the face do something hard. Ask the person to turn their head fully sideways or slowly wave a hand across their face. Real-time swaps still glitch on profiles and occlusion. It’s not proof — but it’s a cheap tell.

For anyone who approves payments at work:

  1. “I saw them on the call” is no longer verification. Retire it. Any transfer over a set threshold needs a second, out-of-band confirmation — a callback to a known number, or a second approver.

  2. Give finance teams a payment codeword for unexpected transfer requests, and make it OK — encouraged, even — to slow a big wire down. The Arup employee’s instinct to double-check was right; the tools he used to check were the problem.

  3. Ask about real-time detection if your organization runs sensitive calls. The tech to flag a live fake now exists; a year ago it didn’t.

The takeaway

Picture the good version one more time: you give a presentation in your own voice and face, and a room full of people who don’t share your language watch you speak theirs — lips and all — in real time. A wall that stood between humans for all of history just came down.

But the same tool that lets you borrow a face for good lets a stranger borrow yours for money. The Arup worker did everything the old rules told him to do — he was suspicious, he asked for a video call, he looked his “colleagues” in the eye. The rules were just written for a world where faces couldn’t be faked, and that world ended.

The fix isn’t fancier technology. It’s a smaller, older idea: a shared secret between people who trust each other. Seeing someone is no longer proof it’s them. Knowing something only they would know still is.

Reply and tell us: what’s the most convincing scam attempt you’ve ever caught — and what tipped you off? Best answers get featured next week.

— itscybernews · written by a human, edited by an agent who now asks for a password ·