Nesoi Blog

Deepfake Security Awareness Training: A Practical Guide

Deepfake security awareness training only works with practice. See why just 0.1% of people spot fakes reliably and how to build a program that sticks.

Nesoi Team7 min read
A hiring manager studying a candidate closely during a remote video interview, the moment deepfake security awareness training is meant to prepare her for

When researchers showed 2,000 people a mix of real and synthetic media, just 0.1% got every item right. Not 10%. One person in a thousand. Meanwhile over 60% of the same group remained confident they could spot a fake, according to iProov's 2025 study.

That gap between confidence and competence is the entire problem with deepfake security awareness training today. Your people are not just unable to catch synthetic media. They are certain they can, which means they never slow down long enough to check.

This guide covers what the research actually says about human deepfake detection, why the standard annual security video makes the overconfidence worse, and a five step process for building training that changes behavior.

Why deepfake security awareness training is suddenly urgent

Deepfake security awareness training moved from nice-to-have to urgent because attackers now use synthetic media in the two workflows every company runs: hiring and internal approvals.

Gartner projects that by 2028, one in four candidate profiles worldwide could be fake. In a survey of 3,000 job candidates, 6% admitted to interview fraud, including having someone else sit the interview for them, HR Dive reported.

"It's getting harder for employers to evaluate candidates' true abilities, and in some cases, their identities," said Jamie Kohn, senior research director in Gartner's HR practice.

The supply side exploded too. Citi Institute projected 8 million deepfakes shared online by the end of 2025, up from roughly 500,000 in 2023. The US Department of Justice ran coordinated 2025 actions against North Korean remote IT worker schemes that used stolen identities and AI-generated personas to land real jobs at real companies, The Hacker News reported.

The practical result: a recruiter on a video call, a finance clerk on an approval call, and an IT helpdesk agent resetting a password are all now security controls. Most of them have never been trained as such.

Can people actually learn to spot a deepfake?

Yes, and the research here is more encouraging than the headlines suggest. Humans are genuinely good at detecting deepfake video, far better than they are at detecting deepfake images.

A 2026 study published in PMC ran two experiments. In the image study, 2,203 participants scored 49% overall accuracy, essentially a coin flip. But in the video study, 1,901 participants hit 63% overall accuracy, with a discrimination score well above chance.

The comparison against machines is the surprising part. On static images, a trained algorithm hit 97% accuracy against the humans' 49%. On video, that flipped: humans scored 63% while the detection algorithm performed at chance.

"I think we were all a little shocked to see humans outperform AI on videos," said researcher Brian Cahill in the University of Florida writeup. "But the videos have more cues, it's a richer context."

Two findings should shape your training design:

  • People catch real things, not fake things. In the video study, participants correctly identified 75% of genuine videos but only 50% of the fakes. The failure mode is waving fakes through, not flagging real people.
  • Analytical thinking predicted success. The researchers found deliberate, slow reasoning correlated with better detection. Gut reaction did not.

That second point is the whole ballgame. You are not training people to memorize artifacts, because those artifacts change with every model release. You are training a habit of deliberate verification under time pressure.

Four coworkers at a glass wall covered in sticky notes during a hands-on security awareness workshop, practicing how to respond to a suspected deepfake

Why most deepfake training fails

Most deepfake training fails because it teaches recognition through passive viewing, and recognition is a discrimination skill that only develops through repeated attempts with feedback.

The standard program is a slide deck or a talking-head video listing telltale signs: unnatural blinking, odd lighting at the hairline, lips slightly out of sync. Three problems:

  1. The tells expire. Every artifact on that list describes a model generation that is already obsolete. Learners memorize a checklist that stops working within months.
  2. Watching is not practicing. Nobody learns to discriminate between similar stimuli by being told the difference. Radiologists, wine tasters, and air traffic controllers all train the same way, which is many judgment attempts with immediate corrective feedback.
  3. It inflates confidence. This is the damaging part. A learner who watches a deepfake explainer walks away feeling informed, which pushes them further into that 60% who are confident and wrong. Training that raises confidence without raising skill makes your organization less safe.

The fix is not more content. It is changing what the learner does. Passive video is where this particular skill goes to die, which is why interactive training videos that force a judgment call before revealing the answer work so much better for this material.

How to build deepfake security awareness training that works

Build the program around repeated judgment calls and a verification procedure people can execute when they are unsure. Here is the five step process.

  1. Map your actual attack surface first. List the specific moments where synthetic media could cause loss: candidate video interviews, vendor payment changes, executive voice requests, helpdesk identity resets. Train those roles on those scenarios, not on generic "spot the fake celebrity" exercises.

  2. Drill with paired judgments, not lectures. Show a short clip, require a real-or-fake call before any explanation, then reveal the answer with the reasoning. Volume matters more than production value here. Twenty judgments with feedback beats one polished twelve minute video.

  3. Calibrate confidence explicitly. Ask learners to rate their certainty alongside each judgment, then show them their accuracy against their confidence. Discovering you were 90% sure and 55% right is the single most behavior-changing moment in this entire curriculum.

  4. Teach the procedure, not just the perception. Because detection tops out around two thirds accuracy even for attentive humans, perception alone is an unacceptable control. Every learner needs a rule they can follow when something feels off: end the call, call back on a known number, verify through a second channel. Gartner's recommendations point the same direction, toward multi-layered screening and identity verification rather than relying on a human eye.

  5. Refresh on a short cycle. Generation quality changes fast. A five minute quarterly drill with current examples keeps the skill alive far better than an annual module, and it lets you retire tells as they stop being true.

An employee working late, verifying a suspicious request by calling back on a known number rather than trusting what he saw on screen

How to measure whether your deepfake training worked

Measure detection accuracy and verification behavior, not completion rates. Completion tells you people pressed play.

Track four things:

  • Discrimination accuracy over time. Score hits on fakes separately from correct calls on real media. Since the research shows people wave fakes through at roughly a 50% rate, your fake-catch rate is the number that matters.
  • The confidence gap. Average confidence minus average accuracy. A shrinking gap means calibration is improving, which is the real safety outcome.
  • Verification rate. In simulated scenarios, what percentage of learners actually used the callback procedure rather than trusting their judgment? This is the behavior you want, even from people who guessed right.
  • Time to escalate. How long between the suspicious moment and the report. Faster escalation limits damage more than better detection does.

Set the bar at behavior. A program where everyone verifies and nobody is certain beats a program where detection scores improved by eight points.

FAQ

How often should we run deepfake security awareness training?

Run a short drill quarterly rather than one long annual module. Generation quality shifts fast enough that examples go stale within months, and spaced practice across the year produces far better retention than a single session. Five to ten minutes per quarter is enough if learners are making real judgment calls.

Should we train everyone or just high risk roles?

Train everyone on the verification procedure, and drill the detection scenarios only with exposed roles like recruiting, finance, IT helpdesk, and executive assistants. The callback habit is universal and cheap to teach. Deep scenario practice is expensive and should follow your actual attack surface.

Can employees ever get good enough to catch deepfakes reliably?

No, and designing your program around that fact is the point. Attentive humans reach roughly two thirds accuracy on video and worse on images, so detection should be treated as an early warning signal rather than a control. The goal of training is faster escalation and consistent verification, not perfect eyes.

The takeaway

The uncomfortable finding in the research is not that people are bad at spotting deepfakes. It is that they are bad at it while feeling good at it, and passive training widens that gap by handing out confidence without skill.

Fixing it means changing what learners do, from watching an explanation to making a call, being told they were wrong, and trying again. That is a training design problem before it is a security problem. Skills that have to hold up under pressure are built through practice and feedback, which is exactly what a passive video can never provide.

Turn your training into an interactive experience

Nesoi transforms static content into interactive video experiences with AI tutors your team actually finishes.

Book a demo