Would the deepfake callactually be stopped?
Most wire-fraud and deepfake losses are a process failure, not a detection failure — there was no mandatory independent check before the money moved. Grade your payment-approval process on the six out-of-band verification controls that decide whether a fraudulent request slips through.
Not fraud detection or legal advice. This grades the design of your approval process from your own marks — it detects nothing, connects to nothing, scores no people, and guarantees no outcome. Confirm your controls with your bank and, where relevant, your insurer or counsel.
The fake is convincing. The process is what fails.
lost in a single deepfake video-call wire fraud — every participant but the victim was AI-generated.
the average wire-fraud loss for a small business, and SMEs are now the prime target.
the decisive control: a mandatory out-of-band verification before any payment, bank-change, or reset is approved.
You can't out-train a perfect voice clone. What you can do is make a high-risk request unapprovable without independent validation — so the fake never reaches the part of the process that moves money. This Gate measures whether your process meets that bar, process by process.
Mark six controls. Watch the gate override a high score.
Mark each control, then watch the verdict. The verdict is the weakest control — and the gate can override a high score.
Gate tripped: neither the out-of-band callback nor the second approver is fully in place, so a single person can still push an urgent request through. NOT DEFENSIBLE regardless of score — bring either control to Present and it releases.
Fix first: Out-of-band callback.
Grades the process, never people. Not fraud detection or a guarantee. Runs offline in the workbook and engine.
A runnable engine, a workbook that reproduces it, and two playbooks.
The same verdict comes three ways — the Python engine, the Excel workbook, and the on-page demo are byte-for-byte identical. Here is the engine's real output on the five-process sample:
==================================================================
OUT-OF-BAND PAYMENT VERIFICATION READINESS GATE
Grades the process, not people. Not fraud detection or legal advice.
==================================================================
PROCESS: Executive wire request
Verdict: NOT DEFENSIBLE (context score 79/100)
>> GATE: neither independent-validation control is fully
in place (out-of-band callback and second approver are
both below full) — a single person can still push an
urgent request through. NOT DEFENSIBLE regardless of score.
Fix first: Out-of-band callback to a known-good number
Controls:
[1] PARTIAL Out-of-band callback to a known-good number
[1] PARTIAL Second-approver threshold on high-risk requests
[2] PRESENT Full sender / domain verification before action
[2] PRESENT Documented escalation & stop path
[2] PRESENT Verbal code-word protocol for voice / video
[2] PRESENT Vendor bank-detail-change re-verification
PROCESS: Vendor invoice payment (AP)
Verdict: NOT DEFENSIBLE (context score 64/100)
Fix first: Out-of-band callback to a known-good number
Controls:
[0] MISSING Out-of-band callback to a known-good number
[2] PRESENT Second-approver threshold on high-risk requests
[2] PRESENT Full sender / domain verification before action
[1] PARTIAL Documented escalation & stop path
[1] PARTIAL Verbal code-word protocol for voice / video
[2] PRESENT Vendor bank-detail-change re-verification
PROCESS: Payroll bank-detail change
Verdict: TIGHTEN (context score 76/100)
Fix first: Second-approver threshold on high-risk requests
Controls:
[2] PRESENT Out-of-band callback to a known-good number
[1] PARTIAL Second-approver threshold on high-risk requests
[2] PRESENT Full sender / domain verification before action
[2] PRESENT Documented escalation & stop path
[1] PARTIAL Verbal code-word protocol for voice / video
[1] PARTIAL Vendor bank-detail-change re-verification
PROCESS: New-supplier onboarding
Verdict: NOT DEFENSIBLE (context score 53/100)
Fix first: Vendor bank-detail-change re-verification
Controls:
[1] PARTIAL Out-of-band callback to a known-good number
[2] PRESENT Second-approver threshold on high-risk requests
[1] PARTIAL Full sender / domain verification before action
[1] PARTIAL Documented escalation & stop path
[1] PARTIAL Verbal code-word protocol for voice / video
[0] MISSING Vendor bank-detail-change re-verification
PROCESS: Customer refund over $5k
Verdict: DEFENSIBLE (context score 100/100)
Controls:
[2] PRESENT Out-of-band callback to a known-good number
[2] PRESENT Second-approver threshold on high-risk requests
[2] PRESENT Full sender / domain verification before action
[2] PRESENT Documented escalation & stop path
[2] PRESENT Verbal code-word protocol for voice / video
[2] PRESENT Vendor bank-detail-change re-verification
------------------------------------------------------------------
PORTFOLIO: EXPOSED (3 of 5 not defensible, exposure rate 60%)
Weakest process to fix first: New-supplier onboarding
------------------------------------------------------------------Confirm the request voice-to-voice on a number from your own records — never the one in the email.
No single person can move money or change a payment instruction above your threshold.
Inspect the full address and domain for look-alikes and reply-to mismatches, not the display name.
A written, supported way to pause a suspicious request — with no penalty for a careful stop.
A pre-shared verbal code word for voice and video requests — the one control a live deepfake can't pass.
Every vendor or employee bank-detail change is independently re-verified before money moves.
Weakest link wins. The gate does distinct work. People are never scored.
Verification is a chain. The verdict is the lowest-marked control, never the flattering average — because one missing link is how a fraudulent request gets through. The context score is shown for context only.
If neither the callback nor the second approver is fully in place, the process is NOT DEFENSIBLE even at 79/100 — a single person can still act alone on an urgent request. Clear either one and it releases. That's distinct work no average can do.
Every verdict points to a control to add, never an accusation about who approved what. Careful, well-trained people still get caught when the process lets one person act alone. The fix is a stronger process.
A process-design gate, not a detector.
- A deterministic, offline gate that grades your payment-approval process from your own marks.
- A way to find the single control to fix first, process by process, before fraud finds the gap.
- A working aid for AP, finance, and ops to harden how a payment actually gets approved.
- Not a deepfake detector, fraud-detection system, or guarantee against loss.
- Not connected to your email, bank, or accounting systems — it reads nothing and moves no money.
- Not a score of people, and not legal, financial, or insurance advice.
Not fraud detection or legal advice. This grades the design of your approval process from your own marks — it detects nothing, connects to nothing, scores no people, and guarantees no outcome. Confirm your controls with your bank and, where relevant, your insurer or counsel.
Anyone who can approve a payment without a CISO in the room.
- Founders & operators who sign off on wires and vendor changes themselves.
- Finance & AP teams hardening how invoices and bank changes get approved.
- Bookkeepers & fractional CFOs standardizing a client's payment controls.
- Ops leads writing the approval process down for the first time.
- Agencies & MSPs giving clients a repeatable verification baseline.
- Anyone who has read the deepfake-CEO headlines and wants to know if they'd be caught.
Tighten the process, then the surfaces around it.
Triage every customer-facing AI surface on liability exposure before the next answer goes out.
ViewRun six AI safe-use drills past your team and find out whether they catch the everyday mistakes.
ViewGrade a finished incident postmortem and gate the close until the critical fixes are done.
ViewThe honest answers.
Find the gap before
a fraudster does.
Grade every payment process, fix the named control first, and make a high-risk request unapprovable without independent validation. One purchase, lifetime access, 12 months of updates. $79, once.
Not fraud detection or legal advice. This grades the design of your approval process from your own marks — it detects nothing, connects to nothing, scores no people, and guarantees no outcome. Confirm your controls with your bank and, where relevant, your insurer or counsel.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai