Home Blog Deepfake vs. the Three-Finger Test Published: April 1, 2026 Deepfake vs. the Three-Finger Test By: Marc Lean Three fingers. That’s not just a perfect volume for a glass of scotch, it’s also all it took to expose a deepfake. Jim Browning is one of the most relentless scam hunters on the planet. We were absolutely over the moon when we landed him as the guest on the premiere episode of _declassified . He's spent years going undercover inside cybercrime call centers, hijacking scammers' own computers, and broadcasting the whole thing to millions of YouTube subscribers. So, it’s no wonder that when Jim hopped on a Zoom call with someone running a real-time AI face overlay, he wasn't convinced. Jim has his prey right where he wants ‘em. He asks the guy to hold up three fingers in front of his face. The scammer stalls. He deflects. He says it's too much to ask, and then…he drops the call. This clip went viral because watching a scammer squirm is deeply satisfying. Jim knew exactly what he was doing: string the guy along, ask the same question, and watch him dodge and deflect until he had nowhere left to go. The audience loved every second of it. Believe it or not, this scam has probably worked The deepfake in that video wasn't perfect. The lip sync lag was a tell. The hair at the edge of the overlay glitched. Those are the things sharp-eyed people like Jim catch. But once the AI generating the overlay gets a software update, the lag disappears. Another update, and the edge artifact gets patched out. Criminals running these scams don't wait on a product roadmap. Attackers are among the first adopters of any new tech, and generative AI is no different. The adoption curve for offense is a lot shorter than it is for defense. This matters because identity-based attacks—the category that deepfake social engineering feeds directly into—are already what security professionals feel least prepared to defend against. In a recent Huntress survey of 1,050 IT and security professionals, 26.5% named identity-based attacks as their biggest blind spot, ahead of ransomware, phishing, and insider threats combined. Deepfakes are how that blind spot gets exploited at scale. The three-finger trick works today. Don't bet on it working forever. This is worth sharing right now. Send it to every finance person, executive, and HR coordinator in your org! Not just because it helps my social numbers, but because those people are the targets. That's who gets the fake CFO request. That's who wires the money. Teach them the tells, and make sure they use it. Understand what the trick is actually exploiting: a limitation in how current AI rendering handles object occlusion. A hand passing in front of a face is hard to composite cleanly. The video racked up millions of views across social media. Below, you’ll see right there in the comments, someone claims that the three-finger test only works on cheaper, outdated deepfake tools. More advanced systems don't have the same problem. The clip went so hard in the paint (that’s a professional social media term for "viral"), that experts have started to weigh in. Ben Colman, CEO of deepfake detection firm Reality Defender, told Cybernews the three-finger method was once a reliable tell, but that current deepfake models, especially real-time ones, have already fixed that limitation. Manny Ahmed, CEO of digital media verification platform OpenOrigins, went further, warning that relying on it gives people false confidence, which is arguably worse than no check at all. There are other physical tests worth knowing, like asking someone to turn their head sideways or to wave a hand quickly past a light source. That’s because real-time deepfakes struggle to render moving shadows accurately. But here's the thing Mia, a tech writer who covered the viral moment extensively , got exactly right: every time a detection trick goes viral, it becomes part of the adversarial feedback loop. It tells scammers precisely what to optimize next. The three-finger trick worked because cheap deepfake tools couldn't handle occlusion. That’s now a known problem to solve, and the scammers are solving it. The answer isn't to find the next trick. The answer is to build processes that don't depend on a human catching the tell in real time. What resilient organizations do differently The teams that don't get burned by this kind of attack share one habit: they built verification into their workflows before the stakes were high. Wire transfer? Call back on a known number. New vendor payment? Two-person approval. Executive request over video or chat? That doesn't move without a second channel confirmation, no exceptions. The friction is the point. Process kills social engineering more reliably than awareness alone. As Chris Henderson, CISO at Huntress, puts it: “People don't fail because they're careless. They fail because they're human, and the systems weren't designed to catch human mistakes. Deepfake calls work not because victims are gullible, but because they're operating in systems that were never built to verify identity under that kind of pressure." Build the system that catches the mistake. Don't bet on the human catching the tell. Excerpt on security awareness training from How to Build A Resilient Security Team for 2030 Jim Browning didn't watch this happen. He went looking for it. John Hammond and Jim Browning didn't just stumble onto a deepfake scam. They went hunting for one on purpose. Then they documented the full economy behind it and brought it to Huntress' _declassified series so you'd know exactly how these operations run. Call centers with org charts. Retention teams that re-scam prior victims with promises to recover their losses. Operations pulling in over $20 million a year behind the front of legitimate businesses. There's a lesson in the method, not just the clip, and it’s one we abide by here at Huntress: understanding how attackers work is its own form of defense. If you want to understand how resilient teams are actually building defenses against this kind of attack, Huntress just published a field guide for exactly that: How to Build a Resilient Security Team for 2030 . It covers identity as a primary attack surface, how resilient teams structure ownership, and what separates teams that contain incidents from those that don't. And if you want to dive deeper into the scam we just covered, be sure to watch episode 1 of _declassified . p.s. Hi, I’m Marc, and I help head up the content and social teams here at Huntress. First, thanks for reading this blog. Second, have you seen one of these scams in the wild? Been on a call where something felt off? We're collecting stories, and I want yours. Come find me on LinkedIn . Summarize with AI ChatGPT Claude Perplexity Google AI Summarize This Page ChatGPT Claude Perplexity Google AI Don't let "later" cost you Join us on May 20 (12pm EST) for _declassified, for an unfiltered look from Truman Kain at the overlooked security obligations that hit hard later. Register now Share On This Page We Are Huntress Phishing is everywhere. But it can be prevented. We Are Huntress Phishing is everywhere. But it can be prevented. Phishing is a cyberattack (usually email-based) that occurs when threat actors disguise themselves as legitimate entities to trick users into revealing personally identifiable or sensitive information.Phishing is one of the most common tactics used by hackers because it's efficient and effective. With new tools and tech like AI at their disposal, hackers can now send out convincing phishing attacks to the masses with little effort required. The good news: we can be one step ahead. Care is Compromised Medical services are disrupted, causing treatment delays, misdiagnoses, and even spikes in mortality rates. Data is Breached Sensitive patient data can be stolen and used for identity theft, blackmail, or sold online. Finances Take a Hit Ransom payments, recovery costs, and lost revenue are just a few of the financial hits. And don’t forget potential HIPAA fines. Patients Lose Trust Your reputation can suffer, and when that happens, your patients will go elsewhere for care. Legal Backlash Lawsuits from patients affected by a breach aren’t uncommon. You may also face regulatory penalties for non-compliance with data protection laws. Operational Chaos Accessing patient records, providing emergency care, and communicating among your staff becomes far more complex. Huntress is custom built for you. But don't take our word for it – hear directly from businesses like yours. Try Huntress for Free On This Page We Are Huntress Phishing is everywhere. But it can be prevented. Huntress Managed EDR in action See how our expert-led solution can help you stay one step ahead of threat actors—without overwhelming your in-house team or busting your budget. Start a Free Trial Schedule a Demo You Might Also Like Deceitful Tactics and Honest Mistakes: Remedying Human Error Amid the Rise of Social Engineering Across Healthcare Understand the impact of human error across healthcare, and discover how Huntress’ managed solutions can better defend your organization from social engineering scams. Learn More Not Location, Not Tunnel, but a Secret Third Thing: Datacenter Infrastructure & Identity Attacks Do you know where identity attacks come from? It’s not just location or VPNs, but there’s a "secret third thing" in identity attacks. See how a new AS-based detection system closed this critical visibility gap. Learn More That “Friendly” Prompt is ClickFix That "friendly" prompt is a ClickFix scam. Learn about this advanced social engineering tactic that tricks users into running malicious code on their own systems, and why security resilience is your winning bet. Learn More AMOS Stealer Exploits AI Trust: Malware Delivered Through ChatGPT and Grok Attackers are exploiting user trust in AI and aggressive SEO to deliver an evolved Atomic macOS Stealer. Learn why this social engineering