Payment fraud · process gate

Would the deepfake callactually be stopped?

Most wire-fraud and deepfake losses are a process failure, not a detection failure — there was no mandatory independent check before the money moved. Grade your payment-approval process on the six out-of-band verification controls that decide whether a fraudulent request slips through.

Get the Gate — $79one-time · instant download · yours to keep

Not fraud detection or legal advice. This grades the design of your approval process from your own marks — it detects nothing, connects to nothing, scores no people, and guarantees no outcome. Confirm your controls with your bank and, where relevant, your insurer or counsel.

Five deliverables · runnable
Runnable Python engine
stdlib
Verification workbook
.xlsx
Facilitator Playbook
.docx
Control-Hardening Runbook
.docx
5-process worked sample
.csv
Works alongside
Output Risk Triage · Safe-Use Drills · Incident Postmortem Gate
01.The Problem

The fake is convincing. The process is what fails.

$25M

lost in a single deepfake video-call wire fraud — every participant but the victim was AI-generated.

Tens of thousands

the average wire-fraud loss for a small business, and SMEs are now the prime target.

1 step

the decisive control: a mandatory out-of-band verification before any payment, bank-change, or reset is approved.

You can't out-train a perfect voice clone. What you can do is make a high-risk request unapprovable without independent validation — so the fake never reaches the part of the process that moves money. This Gate measures whether your process meets that bar, process by process.

02.See It Work

Mark six controls. Watch the gate override a high score.

Try it — Executive wire request

Mark each control, then watch the verdict. The verdict is the weakest control — and the gate can override a high score.

Out-of-band callback to a known-good number
Second-approver threshold on high-risk requests
Full sender / domain verification before action
Documented escalation & stop path
Verbal code-word protocol for voice / video
Vendor bank-detail-change re-verification
NOT DEFENSIBLEcontext 79/100

Gate tripped: neither the out-of-band callback nor the second approver is fully in place, so a single person can still push an urgent request through. NOT DEFENSIBLE regardless of score — bring either control to Present and it releases.

Fix first: Out-of-band callback.

Grades the process, never people. Not fraud detection or a guarantee. Runs offline in the workbook and engine.

03.What's Inside

A runnable engine, a workbook that reproduces it, and two playbooks.

The same verdict comes three ways — the Python engine, the Excel workbook, and the on-page demo are byte-for-byte identical. Here is the engine's real output on the five-process sample:

==================================================================
OUT-OF-BAND PAYMENT VERIFICATION READINESS GATE
Grades the process, not people. Not fraud detection or legal advice.
==================================================================

  PROCESS: Executive wire request
  Verdict: NOT DEFENSIBLE   (context score 79/100)
  >> GATE: neither independent-validation control is fully
     in place (out-of-band callback and second approver are
     both below full) — a single person can still push an
     urgent request through. NOT DEFENSIBLE regardless of score.
  Fix first: Out-of-band callback to a known-good number
  Controls:
    [1] PARTIAL  Out-of-band callback to a known-good number
    [1] PARTIAL  Second-approver threshold on high-risk requests
    [2] PRESENT  Full sender / domain verification before action
    [2] PRESENT  Documented escalation & stop path
    [2] PRESENT  Verbal code-word protocol for voice / video
    [2] PRESENT  Vendor bank-detail-change re-verification

  PROCESS: Vendor invoice payment (AP)
  Verdict: NOT DEFENSIBLE   (context score 64/100)
  Fix first: Out-of-band callback to a known-good number
  Controls:
    [0] MISSING  Out-of-band callback to a known-good number
    [2] PRESENT  Second-approver threshold on high-risk requests
    [2] PRESENT  Full sender / domain verification before action
    [1] PARTIAL  Documented escalation & stop path
    [1] PARTIAL  Verbal code-word protocol for voice / video
    [2] PRESENT  Vendor bank-detail-change re-verification

  PROCESS: Payroll bank-detail change
  Verdict: TIGHTEN   (context score 76/100)
  Fix first: Second-approver threshold on high-risk requests
  Controls:
    [2] PRESENT  Out-of-band callback to a known-good number
    [1] PARTIAL  Second-approver threshold on high-risk requests
    [2] PRESENT  Full sender / domain verification before action
    [2] PRESENT  Documented escalation & stop path
    [1] PARTIAL  Verbal code-word protocol for voice / video
    [1] PARTIAL  Vendor bank-detail-change re-verification

  PROCESS: New-supplier onboarding
  Verdict: NOT DEFENSIBLE   (context score 53/100)
  Fix first: Vendor bank-detail-change re-verification
  Controls:
    [1] PARTIAL  Out-of-band callback to a known-good number
    [2] PRESENT  Second-approver threshold on high-risk requests
    [1] PARTIAL  Full sender / domain verification before action
    [1] PARTIAL  Documented escalation & stop path
    [1] PARTIAL  Verbal code-word protocol for voice / video
    [0] MISSING  Vendor bank-detail-change re-verification

  PROCESS: Customer refund over $5k
  Verdict: DEFENSIBLE   (context score 100/100)
  Controls:
    [2] PRESENT  Out-of-band callback to a known-good number
    [2] PRESENT  Second-approver threshold on high-risk requests
    [2] PRESENT  Full sender / domain verification before action
    [2] PRESENT  Documented escalation & stop path
    [2] PRESENT  Verbal code-word protocol for voice / video
    [2] PRESENT  Vendor bank-detail-change re-verification

------------------------------------------------------------------
  PORTFOLIO: EXPOSED   (3 of 5 not defensible, exposure rate 60%)
  Weakest process to fix first: New-supplier onboarding
------------------------------------------------------------------
Out-of-band callback

Confirm the request voice-to-voice on a number from your own records — never the one in the email.

Second approver

No single person can move money or change a payment instruction above your threshold.

Sender / domain check

Inspect the full address and domain for look-alikes and reply-to mismatches, not the display name.

Escalation & stop path

A written, supported way to pause a suspicious request — with no penalty for a careful stop.

Code-word protocol

A pre-shared verbal code word for voice and video requests — the one control a live deepfake can't pass.

Bank-change re-verify

Every vendor or employee bank-detail change is independently re-verified before money moves.

04.The Standard

Weakest link wins. The gate does distinct work. People are never scored.

The weakest control is the verdict

Verification is a chain. The verdict is the lowest-marked control, never the flattering average — because one missing link is how a fraudulent request gets through. The context score is shown for context only.

The gate overrides the score

If neither the callback nor the second approver is fully in place, the process is NOT DEFENSIBLE even at 79/100 — a single person can still act alone on an urgent request. Clear either one and it releases. That's distinct work no average can do.

It grades the process, not people

Every verdict points to a control to add, never an accusation about who approved what. Careful, well-trained people still get caught when the process lets one person act alone. The fix is a stronger process.

05.What It Is — And Isn't

A process-design gate, not a detector.

What it is
  • A deterministic, offline gate that grades your payment-approval process from your own marks.
  • A way to find the single control to fix first, process by process, before fraud finds the gap.
  • A working aid for AP, finance, and ops to harden how a payment actually gets approved.
What it isn't
  • Not a deepfake detector, fraud-detection system, or guarantee against loss.
  • Not connected to your email, bank, or accounting systems — it reads nothing and moves no money.
  • Not a score of people, and not legal, financial, or insurance advice.

Not fraud detection or legal advice. This grades the design of your approval process from your own marks — it detects nothing, connects to nothing, scores no people, and guarantees no outcome. Confirm your controls with your bank and, where relevant, your insurer or counsel.

06.Who It's For

Anyone who can approve a payment without a CISO in the room.

  • Founders & operators who sign off on wires and vendor changes themselves.
  • Finance & AP teams hardening how invoices and bank changes get approved.
  • Bookkeepers & fractional CFOs standardizing a client's payment controls.
  • Ops leads writing the approval process down for the first time.
  • Agencies & MSPs giving clients a repeatable verification baseline.
  • Anyone who has read the deepfake-CEO headlines and wants to know if they'd be caught.
08.Common Questions

The honest answers.

No. It is not a deepfake detector, a fraud-detection system, or a guarantee against loss, and it connects to nothing. It grades the design of your payment-approval process — the verification steps that decide whether a fraudulent request could slip through — so you can close the gap a fraudster would use. The fix is process, not detection: most wire-fraud and deepfake-impersonation losses succeed because there was no mandatory independent verification step before the payment, not because the fake was undetectable.

Find the gap before
a fraudster does.

Grade every payment process, fix the named control first, and make a high-risk request unapprovable without independent validation. One purchase, lifetime access, 12 months of updates. $79, once.

Not fraud detection or legal advice. This grades the design of your approval process from your own marks — it detects nothing, connects to nothing, scores no people, and guarantees no outcome. Confirm your controls with your bank and, where relevant, your insurer or counsel.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai