Introduction
Six weeks into the contract, the engineer was still on the team. He had passed identity verification, sanctions screening, and right-to-work checks. He had passed four rounds of technical interviews on video. The background screening provider running the retrospective audit had cleared him at every stage.
He was a deepfake.
The screening provider had been engaged by a Brazilian banking client to review its remote hiring pipeline. Detection ran across 47 archived interview recordings covering both direct hires and third-party contractors from the prior six months. Sixteen were flagged as synthetic. Six had already been rejected during the hiring process for unrelated reasons. Ten had passed background screening. Four went on to sign contracts. One was six weeks into an active contract at the client's operations centre.
None of the ten had raised a flag in the background check. All ten had passed document verification, sanctions, and right-to-work.The gap was not in what screening does. It was in what screening is designed to see.
The Interview As An Identity Attack Surface
A remote video interview generates three implicit identity signals that look identical in the moment but answer completely different questions. Standard hiring tooling conflates all three, and that conflation is why synthetic candidates are passing enterprise hiring controls today.
The first is liveness or presentation attack detection: is a real person present, rather than a photo, screen replay, or mask? This is mature in identity verification platforms at customer onboarding. It is not present in a video interview call.
The second is stream integrity: is the video feed coming from a physical camera, or is it being injected by software before it reaches the platform? Some specialist tools check this. Interview tools and applicant tracking systems generally do not.
The third is deepfake content detection: with a live person and a genuine camera stream, is the face being shown authentic? This is the specialist layer. Nothing in a standard hiring stack addresses it.
Background screening verifies the document layer. It confirms an identity is admissible in the market: passport, sanctions, right-to-work, employment history. Deepfake detection verifies the biometric layer. It confirms the person on the interview call is the person on the document. These are complementary controls, and neither replaces the other. In enterprise remote hiring, both are needed.
The Approach: Retrospective Audit, Then Rolling Analysis
The engagement moved in two stages. The first was a retrospective archive review with no commercial commitment. The screening provider submitted 47 recorded interview sessions covering both direct hires and third-party contractors across the prior six months. Each recording was analysed independently by Phocus and returned with explainable signal output covering lip-sync alignment, facial edge consistency, and micro-expression patterns.
The second stage, initiated after the retrospective findings were reviewed by the screening provider's product and operations leadership, made retrospective analysis a standing part of the candidate review process. Interview recordings are submitted to Phocus after each session, and the signal report is returned before any offer is finalised. A probability score with signal-level reasoning reaches the screening provider's operations team alongside the recruiter's own assessment. The recruiter adds no step during the interview. The candidate adds no step.
The contractor track, where the audit finding originated, was extended to match within two weeks. Both tracks now run through the same detection layer regardless of whether the hire is permanent, contract, or vendor-managed.
The Results: Six of Forty-Seven, with Signal-Level Reasoning
Of the sixteen flagged recordings, eight showed consistent lip-sync desynchronisation across multiple sessions. Five showed facial edge degradation when the candidate moved against a light background. Three passed every visual check applied manually and were flagged only by automated detection of sub-threshold micro-expression patterns. One of those three was the contractor still active on the team at the client bank.
The operational impact of the integration was minimal by design. Detection runs passively against the recording the interview platform already produces. There is no additional candidate-facing step, no change to the recruiter's workflow, and no impact on time-to-offer. The only added surface is a review of any flagged session before an offer is finalised.
What Screening Verifies. What Detection Verifies.
Background screening and deepfake detection are separate categories of control. They answer different questions about a candidate and they draw on different evidence.
Screening operates on the document layer. It validates identity documents against issuing authorities, checks sanctions lists, verifies right-to-work status, and confirms employment history. Its evidence is external records. Its output is a judgement on whether an identity is admissible.
Detection operates on the biometric layer. It analyses the video recording of the candidate to determine whether the face on camera has been synthetically altered or replaced. Its evidence is the recording itself. Its output is a judgement on whether the person appearing as this identity is authentic.
In enterprise remote hiring, both are needed. A candidate who fails screening should not be onboarded. A candidate whose interview recording shows evidence of synthetic manipulation should not be onboarded either. Neither control replaces the other.
Key Takeaways
1. Screening and detection cover different categories of risk. Background screening validates the document; deepfake detection validates the person on the call. Enterprise remote hiring needs both, and neither replaces the other.
2. Retrospective audit is the fastest path to a baseline. The recording archive already exists. Running detection against six months of past interviews gives a signal no live pilot can match: the candidates who passed, the ones who did not, and the patterns that separated them.
3. Contractor tracks are the highest-exposure segment. In this engagement, the finding that mattered most came from the contractor track. Any screening provider serving enterprises with meaningful contractor populations should assume detection coverage is uneven by default.
4. Detection integrates without changing recruiter or candidate workflows. Detection runs against the recording the interview platform already produces. Neither party adds a step. Only the operations team sees the additional signal.
5. One onboarded contractor is the story worth telling. A synthetic candidate who reached six weeks of active employment at a client site is the risk that justifies the control. Population statistics matter less than the singular event.
How This Proceeds
An engagement of this kind is not a single procurement decision. What a screening provider authorises at the first stage is the analysis only, with no commitment to what follows.
01. Retrospective archive review. The screening provider submits recorded interview sessions from the past six to twelve months, drawn from one or more of its clients. Phocus returns a report per session with explainable signal output. No commercial commitment.
02. Rolling analysis pilot. Interview recordings from a defined subset of active remote hiring campaigns are submitted to Phocus as they're captured. Real data on flag rates and how the Phocus report fits into the existing candidate review process, with exit criteria agreed before the pilot starts.
03. Full coverage. All interview recordings from the screening provider's remote hiring flows are submitted to Phocus as standard practice. Calibrated thresholds, review workflow embedded in the candidate assessment pipeline, and quarterly review against evolving attack patterns and model retraining schedule.
Last update: Q2 2026







.webp)


