Why Spotting Deepfakes Is Only Half the Battle in Contact Center Security
Conor White
President, Strategic Initiatives
Conor White is part of the core team that founded Daon. He joined the company as Chief Technology Officer in 2001 with the goal of designing and delivering trusted experiences that put human beings back at the center of digital transactions. In 2015, Conor accepted the role of President of the Americas, where he led all Daon activities across North, South, and Latin America. Then, in 2023, he accepted the role of President, Strategic Initiatives, where he leads efforts to find Daon’s “next big thing.”
In his current role on the Senior Management team, Conor spearheads the company’s expansion by identifying opportunities to apply Daon’s tech stack in new markets and verticals around the world.
As CTO, Conor shaped Daon’s technology strategy, including the development of its award-winning IdentityX® platform. As President of the Americas, his responsibilities encompassed sales, business development, marketing, customer delivery and financial performance.
Conor has a proven, 25-year track record of innovation in digital identity and cybersecurity. He is an accomplished inventor, with more than 30 patents in the field of human authentication, and has architected some of the world’s highest-performing digital identity systems.
Conor is also a frequent speaker at international digital identity conferences on the topics of human identity, biometrics, and cybersecurity. He serves on several technology standards boards, both in the U.S. and abroad, and is a member of Daon’s Board of Directors.
Conor holds a B.Sc. in Computer Applications and an M.Sc. in Computer Science from Cork Institute of Technology. He is also a graduate of the Executive Leadership Program at Stanford University Graduate School of Business.
In his spare time, Conor enjoys traveling, playing bad golf and spending time with his wife and sons. In the last two years, he has become an avid cyclist (commuting almost daily when not traveling on business) and is seriously trying to find a way to get rid of his car!
January 8, 2026
Contact centers have invested heavily in deepfake detection technology, but they’re discovering that identifying a suspicious call can create more problems than it solves. The industry has focused intensely on building systems that can flag synthetic voices and AI-generated fraud attempts. These detection capabilities continue improving, with algorithms that can spot subtle audio anomalies and behavioral patterns that betray artificial voices. Yet organizations remain vulnerable because they haven’t solved the fundamental question: What happens after the system flags a call as potentially fraudulent?
Detection without effective response creates operational paralysis. Security teams receive alerts but lack clear protocols that balance fraud prevention with customer experience. The gap between “we detected something suspicious” and “here’s our response strategy” leaves financial institutions, healthcare providers, telcos, and other contact center operators exposed to losses they thought their technology investments had addressed. As generative AI transforms how fraudsters operate, organizations need to rethink authentication strategies beyond the detection layer, building response frameworks that can distinguish legitimate customers from sophisticated attackers without creating friction that drives both groups away.
The Generative AI Transformation
Generative AI has fundamentally altered how fraud gangs operate against contact centers. Fraudsters now use AI tools to conceive attack strategies, systematically gather consumer data, and create synthetic voices designed to bypass biometric security measures. The complexity extends beyond simple voice cloning. Fraud operations use AI to simulate specific demographics, requiring only a handful of accent patterns to target broad customer populations. They attempt to recreate a victim’s voice with enough precision to fool voice biometric systems, forcing contact center managers to reconsider fundamental assumptions about authentication security.
The result is an AI-versus-AI arms race. Organizations deploy powerful detection systems that can identify fake voices and generate warnings when calls exhibit suspicious characteristics. These capabilities have exposed a more complex challenge: detection alone doesn’t stop fraud. When an algorithm flags a call as potentially synthetic, the organization faces an immediate decision point without clear protocols. The technology to spot deepfakes exists and continues improving, yet many contact centers remain vulnerable because they haven’t solved the response problem.
Fraudsters understand this dynamic and exploit it. They use the same generative AI tools to prepare for multiple security layers, researching answers to security questions, practicing responses to common verification prompts, and refining their approaches between attempts. Detection becomes merely the first obstacle in a longer game that many organizations haven’t fully mapped out.
The Traditional Response Problem
When fraud detection systems flag a suspicious call, organizations typically follow one of three escalation paths: ask additional security questions, route the call to specialized fraud teams, or deny service to the caller. Each approach carries significant problems that fraudsters have learned to exploit or that damage legitimate customer relationships.
Additional security questions seem logical but fail against prepared fraudsters. Generative AI tools can research answers to standard knowledge-based authentication prompts with remarkable efficiency. Mother’s maiden names, previous addresses, account history—the information required to pass these checks exists in databases that data breaches have exposed repeatedly. Knowledge-based authentication has become the weakest link in contact center security precisely because the “secrets” it relies on are no longer secret. Fraudsters arrive prepared with comprehensive dossiers on their targets.
Routing calls to fraud detection teams introduces delays that frustrate legitimate customers while giving fraudsters time to refine their approaches. These specialized teams become bottlenecks during high-volume periods. The escalation itself can tip off fraudsters that their attempt has been detected, allowing them to disconnect and try again with adjusted tactics.
Denying service outright creates the worst outcome when detection produces false positives. A legitimate customer locked out during an urgent situation—a medical emergency requiring prescription refill, a time-sensitive financial transaction—experiences catastrophic service failure. The reputational damage and customer loss from incorrect fraud flags can exceed the financial impact of successful fraud attempts, making organizations hesitant to act decisively even when detection systems issue clear warnings.
But These Issues Are Easily Solvable
Push notification authentication to mobile devices fundamentally changes the security equation by moving verification outside the voice channel entirely. This approach functions as a curveball for fraudsters who have prepared extensively to circumvent voice channel security. Fraud gangs invest in professional-grade voice synthesis, practice social engineering scripts, and research victim backgrounds to defeat audio-based authentication. Without access to the customer’s physical device, all that preparation becomes irrelevant.
The mobile authentication approach validates identity rather than credentials. Pushing a notification to a registered mobile device triggers facial recognition or document validation, creating a biometric factor completely separate from the phone call. This addresses what contact center security should fundamentally accomplish: identifying the actual human being rather than validating knowledge that data breaches may have compromised. Even if fraudsters somehow intercept the push notification, they lack the facial biometrics or identity documents required to proceed.
This shifts authentication from “what you know” to “who you are,” making the economics of fraud significantly less favorable. The investment required to compromise voice synthesis, gain physical device access, and spoof biometric verification exceeds the potential return for most fraud operations. When a single attack requires defeating multiple independent security systems, fraudsters conduct the same cost-benefit analysis as any business operation.
Evolution to Layered Security
Contact centers historically relied on single-layer security: asking security questions and hoping callers answered correctly. As organizations became more security-conscious, voice biometrics added a second layer, creating the first multi-factor approach to telephone authentication. The current evolution moves toward dual biometrics—voice plus facial or document verification—establishing three distinct security layers that generate substantial friction for fraudsters.
Each additional layer doesn’t just add incremental difficulty. The complexity increases exponentially because fraudsters must compromise multiple independent systems simultaneously. A successful attack requires defeating voice synthesis detection, gaining physical access to a registered mobile device, and spoofing facial biometrics or forging identity documents. Success probability decreases as layers accumulate, since failure at any single checkpoint terminates the attack.
This progression addresses a fundamental principle: security doesn’t need to be perfect to be effective. The goal isn’t making fraud impossible but making it sufficiently difficult that attackers redirect their efforts elsewhere. Organizations still relying on knowledge-based authentication or single-factor verification become more attractive targets by comparison. Triple-layer security effectively redistributes fraud risk across the market, protecting organizations that implement comprehensive defenses while leaving unprepared competitors exposed to attacks that follow the path of least resistance.
Healthcare Applications
Healthcare contact centers present unique authentication challenges because HIPAA requires securing sensitive patient data while enabling access for multiple legitimate parties. Contact center representatives may interact with patients, account holders, spouses, children, or caregivers—all of whom may have legitimate reasons to access protected health information or request prescription refills.
Biometrics addresses both security and access management through disambiguation. Voice biometric verification can determine which authorized individual connected to an account is actually calling, distinguishing between the primary account holder and their spouse or caregiver without relying on easily compromised security questions. This enables appropriate access levels for each authorized party. A caregiver might have permission to refill prescriptions but not access billing information, while a spouse might have full account access.
This approach strengthens data security while improving user experience for the multiple parties involved in healthcare administration. The premise behind HIPAA—that healthcare data must be secure—drives the case for biometric authentication. The challenge lies in enrolling all authorized users during account setup and maintaining biometric templates as family situations change, requiring processes that balance security rigor with the practical realities of healthcare access.
Financial Services Risk Calibration
Financial institutions must calibrate authentication strength to transaction risk, applying more stringent methods to high-risk interactions while maintaining efficiency for routine inquiries. Fraudsters typically use contact centers for account takeover but execute the actual fraud through digital channels afterward, making certain transaction types particularly vulnerable entry points.
Wire transfers—especially to new recipients—represent the highest-risk contact center transactions. Password resets, address changes, and beneficiary modifications enable account takeover and warrant enhanced security regardless of how convincing the caller sounds. Understanding these fraud patterns allows organizations to apply step-up authentication selectively rather than adding friction to every balance inquiry or routine service request.
A customer requesting a large wire transfer to an unfamiliar recipient should trigger push notification step-up authentication regardless of initial voice verification results. Properly positioned, customers welcome this additional verification as evidence the bank protects their assets rather than viewing it as an obstacle. The key lies in transparent communication about why enhanced verification occurs. When organizations explain that unusual transaction patterns prompt additional security measures, legitimate customers understand they’re being protected while fraudsters realize the institution maintains defenses that extend beyond what they initially encountered.
Voice Biometrics Viability
Predictions about the death of voice biometrics echo earlier claims that facial recognition became obsolete after fraudsters demonstrated mask-based spoofing attacks. The relevant question isn’t whether any single biometric technology is invincible but whether it provides a valuable security layer compared to alternatives.
Voice biometrics remains more viable than the knowledge-based authentication it replaced, particularly when combined with deepfake detection and supplementary biometric factors. The technology continues evolving to address generative AI threats, and the future likely includes more voice AI rather than less. Agentic AI assistants will increasingly handle contact center interactions through voice interfaces, creating expanded rather than diminished reliance on voice-based verification. The voice interaction model from early virtual assistant deployments is experiencing resurgence through generative AI capabilities that make conversational interfaces more natural and effective.
The optimal strategy isn’t about achieving perfect security through a single tool but creating layered defenses where defeating one layer doesn’t compromise the entire system. Voice biometrics combined with deepfake detection, mobile push authentication, and facial verification creates security depth that makes successful fraud attempts economically unviable. Fraudsters must defeat multiple independent systems simultaneously, and the investment required exceeds returns for most attack scenarios.
Invisible Security as Ideal
The ideal contact center authentication system operates transparently, validating users without providing clues about security measures. Current practices give fraudsters extensive intelligence about security checkpoints, allowing them to prepare responses or attempt multiple calls with refined approaches between each try.
Transparent validation combined with invisible fraud detection keeps attackers guessing about what triggers enhanced authentication. Legitimate customers proceed without friction while suspicious interactions face step-up verification without warning. This approach maximizes security effectiveness while minimizing customer experience impact. Organizations that announce every security measure—requiring specific phrases, warning about verification steps, explaining authentication protocols—educate fraudsters about defenses they need to defeat.
The future of contact center authentication lies not in increasingly visible security theater but in sophisticated systems that distinguish legitimate users from fraudsters without announcing their methods. Detection capabilities matter, but response strategies determine whether those capabilities translate into actual protection.
