Request access
RankShield Network · Financial

Deepfake paymentfraud protection.RankShield Financial defends against deepfake payment fraud — a form of authorized push payment (APP) fraud where a cloned voice or face convinces a person or AI agent to approve a transfer. It binds a signed liveness verdict 1:1 to each payment intent and holds the payment before it settles on an irreversible rail.

detector-signedanti-replay nonceheld before settlement
liveness verdict · signed detectordetector-signed
synthetic likelihood12 / 100
threshold: hold at ≥ 70
verdict · human · live
RELEASED — liveness confirmed, intent may settle

The verdict is cryptographically signed by an enrolled detector and bound 1:1 to this exact payment intent, so it can’t be forged or replayed. Liveness applies only inside the app’s own verified channel.

01 // The threat
The threat

What is deepfake and authorized push payment (APP) fraud?

Deepfake payment fraud is authorized push payment (APP) fraud powered by synthetic media. An attacker clones a trusted person — an executive, a supplier, a family member — and uses that fabricated voice or face to make a human, or an autonomous AI agent, approve a payment they believe is legitimate. Because the victim authorizes the transfer themselves, the bank sees a properly approved instruction, not an intrusion. On instant rails like RTP and FedNow the money settles with finality in seconds, so by the time the deception surfaces there is nothing to claw back. The window to stop it is before release — not after. Conventional defenses were built to spot a stranger taking over an account; deepfake APP fraud has no stranger to spot, because the rightful account holder is the one clicking approve. That inversion is what makes it so effective and why the countermeasure has to move upstream to the moment of approval.

Final
Instant-rail payments (RTP, FedNow) settle irrevocably — no chargeback once the deepfake is believed.
~$8.3B → ~$14.9B
Deloitte estimate of US generative-AI-enabled fraud losses, 2024 to 2028 — directional, not a guarantee.
Signed
The liveness verdict is cryptographically signed and bound to one specific payment intent.
02 // The moment it happens
The moment it happens

Why does instant settlement make a cloned CEO so dangerous?

A deepfake only has to be believed once. When the rail is irreversible, that single moment of belief is the whole attack — there is no later fraud review that can undo it. On batch ACH or card rails, a suspicious payment could be queued, reviewed, and reversed over hours or days. On RTP and FedNow the payment is final in seconds, so the cloned voice does not need to survive scrutiny; it only needs to survive the few moments it takes to press send. That collapses the defender's timeline from days to the pre-approval instant, which is exactly why the liveness check has to sit before release rather than in a downstream review queue.

The deepfake wire

A cloned CEO authorizes a $96,000 wire

Finance gets a call. The voice is the CEO’s — cloned from a public keynote. The instructions are urgent, specific, and plausible. The clip is even re-used from an earlier recording to pass a naive check. By the time anyone doubts it, an irreversible payment has already settled.

RankShield: a liveness challenge on the app’s own verified channel returns a signed synthetic verdict; the replayed clip fails the anti-replay nonce and is treated as synthetic — the intent is held, not released.
03 // The un-forgeable binding
The binding

How is a signed verdict bound to one payment, un-forgeably?

A verdict only matters if it can’t be lifted, forged, or reused. RankShield reduces the payment to a canonical intent — that exact payer, payee, amount, and purpose — and the detector’s verdict is cryptographically signed by an enrolled detector identity and bound 1:1 to that intent. Move the verdict to a different payment and the binding breaks. A one-time challenge nonce enforces freshness: a recorded clip, or the same media submitted twice, fails the nonce and is treated as synthetic rather than accepted as a live human response. So a stolen or replayed approval doesn’t clear — it holds. The signature also proves origin: because the verdict carries an enrolled detector's identity, an examiner or a partner bank can confirm which detector produced it, rather than trusting an anonymous number that anyone could assert.

Detector-signed

enrolled identity

The verdict carries a signature from an enrolled detector identity — not an anonymous score. Its origin is verifiable, so it can’t be spoofed by an unenrolled party.

Bound 1:1

one intent only

The verdict is tied to one canonical payment intent. Change a field or reuse it on another payment and the binding no longer verifies.

Anti-replay

one-time nonce

A one-time challenge nonce enforces freshness. A replayed clip fails the nonce and is treated as synthetic media, not a fresh human.

Held, not scored

gates settlement

When synthetic likelihood crosses the threshold, the intent is held before the irreversible rail — a decision, not an after-the-fact alert.

04 // Why replay fails
Anti-replay, in detail

Why can’t an attacker just replay a real recording of the right person?

Because a genuine live response has to answer a challenge that did not exist a moment earlier. For each liveness check RankShield mints a one-time nonce — a fresh, unpredictable value — and a valid response must be produced against that specific nonce. A recording, however authentic, was captured before the nonce was issued, so it cannot contain it and cannot satisfy the freshness requirement. This defeats the most practical deepfake attack: not synthesizing a perfect face in real time, but replaying a captured clip of the real executive. Even a flawless recording of the right person, re-submitted, fails the nonce check and is treated as synthetic. The verdict is then bound to the exact intent, so the same fresh response cannot be shuttled onto a second, larger payment. Freshness and binding together mean an approval is good for one human, one challenge, one payment — and nothing else.

One-time
Each challenge issues a fresh nonce; a response is valid only against that nonce.
Pre-nonce
Any recording was captured before the nonce existed, so it can’t carry it.
One payment
The fresh verdict is bound 1:1 — it can’t be moved onto a different, larger transfer.
05 // An honest boundary
An honest boundary

Why must liveness live in the app’s own channel?

Liveness only works where RankShield controls the media path. A payment app never receives the audio or video of a live carrier or FaceTime call — the operating system does not hand call streams to third-party apps — so it is impossible to analyze one, and we won’t pretend otherwise. Instead, RankShield issues its own challenge inside its verified channel and captures the response directly. That is the only place a liveness verdict can be trustworthy, because it’s the only place the app actually holds the stream. Any vendor that claims to inspect a live carrier or FaceTime call for deepfakes is describing something the phone’s operating system does not permit. Our boundary is deliberately narrow and honest: we defend the channel we own, and we do not claim the one we cannot see.

Own channel
liveness runs only where the app controls the media path
No live calls
a carrier or FaceTime call’s stream never reaches the app to analyze
Nonce-fresh
each challenge is one-time; recordings fail the freshness check
Provenance
device co-sign supported; hardware-attestation verifier is a stub today
06 // Capture provenance
Where the media came from

What is capture provenance, and how honest is it today?

Capture provenance is the second half of trusting a liveness response: not only was the response fresh and bound to the intent, but the media came from a real device you can reason about. RankShield supports the capturing device co-signing the media, and it supports checking platform attestation — App Attest on iOS, Play Integrity on Android, or a TEE-backed signal — so a response can be tied to a genuine, unmodified app on a real device rather than a synthetic feed injected into the pipeline. Being precise about the state of this: the hardware-attestation verifier is a stub today. It returns unverified until the integration is wired, and we do not claim it is fully live. The mechanisms carrying weight right now are the signed detector verdict and the 1:1 intent binding. Device attestation is designed to strengthen provenance as it comes online, layering a hardware-rooted signal on top of the verdict — but we describe it as it is, not as we wish it were.

Device co-sign

supported

The capturing device can co-sign the media, tying a response to the device that produced it rather than an anonymous upload.

Platform attestation

App Attest · Play Integrity · TEE

Platform signals can attest that a genuine, unmodified app on a real device produced the capture — checked where the integration is wired.

Stub today

returns unverified

The hardware-attestation verifier is a stub now; it returns unverified until wired. We describe it honestly, not as fully live.

In force now

verdict + binding

The signed detector verdict and 1:1 intent binding are the mechanisms carrying weight today; provenance strengthens over them.

07 // The gate
The gate

How does the verdict gate settlement?

The synthetic-likelihood verdict is a signed input to the pre-settlement release decision. When it meets or exceeds the hold threshold, the payment intent is held and never released to the irreversible rail; below the threshold it may proceed; in the uncertain band the flow can step up to an additional check. Drag the meter above to watch a held verdict flip to released. Because the decision happens before settlement — not after — it acts at the one instant a deepfake-driven payment is still reversible. That is the difference between catching APP fraud and merely reporting it. The verdict does not sit in isolation, either: it joins the approver's identity and, for agent-initiated payments, the agent's granted authority as one of the gating inputs the release decision weighs before anything reaches the rail.

How agent-approved payments are governed
08 // Verdict vs. score
Signed verdict vs. bare score

How is a signed, bound verdict different from a deepfake score?

A bare deepfake score is a probability handed to the payment system to interpret — frequently after the money has already moved. A RankShield verdict is signed by an enrolled identity, bound 1:1 to the exact intent, made fresh by a one-time nonce, and used as a gating input before settlement. The table below sets the two side by side. The point is not that any single detector is more accurate; it is that the output is identity-signed, replay-resistant, intent-bound, and acts pre-settlement — the properties that decide whether a deepfake-driven payment is stopped or merely logged.

PropertyBare deepfake scoreRankShield signed verdict
TimingOften after settlementBefore release, pre-settlement
OriginAnonymous numberSigned by an enrolled detector identity
ReplayA recording can passOne-time nonce fails the recording
BindingNot tied to a paymentBound 1:1 to the exact intent
Channel honestyMay claim live-call analysisOwn verified channel only
EffectAlert to review laterGates the release-or-hold decision
09 // Who it protects
Where it fits

Who does deepfake payment fraud protection protect first?

It protects the parties who authorize high-value, irreversible payments under time pressure — corporate treasury teams targeted by cloned executives, banks and credit unions whose customers are coached into APP scams, and any operator wiring agent-initiated payments. In each case the attacker's goal is the same: get a trusted-sounding approval to clear before anyone can second-guess it. RankShield inserts a signed liveness verdict at the approval step inside the channel the institution controls, so a synthetic or replayed approval is held rather than released. For a bank, that means offering members a pre-settlement gate against coached scams. For treasury, it means a cloned-CEO wire request has to survive a fresh, bound liveness challenge before it can move. The same verdict model also feeds agentic payment governance, where an AI agent's approval is checked against its granted authority, so the defense spans both human and agent approvers rather than only one.

Deepfake defense for banks and credit unions
FAQ

Deepfake payment fraud — questions, answered.

What is deepfake payment fraud?
Deepfake payment fraud is authorized push payment (APP) fraud driven by synthetic media — a cloned voice, face, or video used to convince a person or an AI agent that a legitimate party authorized a payment. Because the victim is tricked into approving the transfer themselves, the payment looks authorized to the bank. On instant rails like RTP and FedNow it settles with finality in seconds, so there is nothing to reverse once the deception is discovered.
Can RankShield detect a deepfake on a live phone or FaceTime call?
No, and any vendor claiming that is overreaching. A payment app does not receive the audio or video of a live carrier or FaceTime call, so it cannot analyze one. RankShield performs liveness only inside its own verified channel — a challenge it issues and captures directly — where it controls the media path. That is an honest boundary: the moment a call happens on the carrier or a third-party app, no software on the phone gets the stream to inspect.
How is a liveness verdict bound to a specific payment?
The detector verdict is cryptographically signed by an enrolled detector identity and bound 1:1 to the exact payment intent — that payer, payee, amount, and purpose. Change any field, or lift the verdict onto a different payment, and the binding breaks. A one-time challenge nonce makes it anti-replay: a recorded or re-submitted clip fails the freshness check and is treated as synthetic rather than accepted as a fresh human response.
What happens when the synthetic score crosses the threshold?
The verdict gates settlement. When the signed synthetic-likelihood score meets or exceeds the hold threshold, the payment intent is held and never released to the irreversible rail. Below the threshold it may proceed; in the uncertain middle band the flow can step up to an additional check. The verdict is a signed input to the pre-settlement release decision, not a passive risk score that fires an alert after the money is gone.
How does this help against authorized push payment (APP) fraud specifically?
APP fraud works because the payer is manipulated into authorizing a real transfer, so conventional account-takeover controls see nothing wrong. RankShield attacks the manipulation itself: it verifies liveness of the approving human inside its own channel and binds that signed verdict to the intent before release. If the approval is synthetic or replayed, the intent is held — catching the fraud at the one moment it is still reversible.
Is the hardware attestation of the capturing device live?
Not yet. RankShield supports capture provenance, where the capturing device co-signs the media and platform attestation (App Attest, Play Integrity, TEE) can be checked. Honestly, the hardware-attestation verifier is a stub today — it returns unverified until the integration is wired. We do not claim it is fully live. The signed detector verdict and 1:1 intent binding are the mechanisms in force now; device attestation strengthens provenance as it comes online.
Why is a replayed clip treated as synthetic rather than accepted?
Because a fresh human response has to answer a challenge that did not exist a moment ago. RankShield issues a one-time nonce for each liveness challenge, and a valid response must carry that specific nonce. A recorded clip — even a real recording of the real person — was captured before the nonce was issued, so it cannot contain it. Failing the freshness check, the media is treated as synthetic and the intent is held. Replaying an old approval simply does not clear.
Does a signed verdict slow the payment down?
The verdict is designed to resolve inside the pre-settlement window, not after it. The liveness challenge and detector verdict happen at authorization, before the intent is released to the rail, so a released payment continues on its normal instant-settlement path untouched. Only a held or stepped-up payment adds friction, and only for the specific transaction that failed a check. The safe default is to hold rather than to pay, because on an irreversible rail a wrongly released payment cannot be recalled.
How is this different from a deepfake detector that just returns a score?
A bare detector returns a probability and leaves the payment system to decide what to do with it — often after the money has moved. RankShield turns the detector output into a signed verdict, binds it 1:1 to the exact payment intent, enforces freshness with a one-time nonce, and makes that verdict a gating input to the release-or-hold decision before settlement. The distinction is not model accuracy alone; it is that the verdict is identity-signed, replay-resistant, intent-bound, and acts pre-settlement instead of reporting after.
Verify, then settle

Hold the deepfake payment before it settles.

RankShield Financial is rolling out signed liveness verdicts bound 1:1 to the payment intent, with design partners on instant and tokenized rails. Request access and we’ll map the held-before-settlement model to your approval flow.

Request accessAuthorized push payment fraud