Summary
Problem:
Most of the team has been conditioned, whether intentionally or not - to treat a live video call as proof of identity. If they are unsure about that payment request, they Just jump on a quick Zoom. That reflex is now a liability. Real-time face replacement where someone appears on a call as your CEO, a vendor, or your accountant, no longer requires a Hollywood budget or advanced research. It can be done on a standard laptop using a handful of inexpensive or free tools.
Why SMBs are especially at risk?:
Small and mid-sized businesses are prime targets. Larger organizations have dedicated security teams and multiple layers of verification. SMBs, on the other hand, rely on trust, speed, and tight-knit teams where people recognize each other by face. That’s exactly what deepfake fraud exploits. And for a SMB, single fraudulent wire transfer can have serious, even existential consequences.
The approach this newsletter recommends:
The most effective way to train your team isn’t through slides, it’s through experience. Let them see a convincing fake face in a real call setting, then reveal it. That moment replaces a flawed assumption (“I saw them, so it’s them”) with a more resilient habit: verifying sensitive requests through a separate, trusted channel that can’t be spoofed.
No technical expertise required:
This isn’t a hacking exercise. If you can install software, follow a checklist, and copy-paste a key, you can run this. Anyone reasonably comfortable with a computer can handle it, an IT admin, an operations or finance lead, or a hands-on owner. The only slightly technical step (running a small app with a couple of terminal commands) is clearly explained and can be delegated. No coding or AI background is needed.
What’s included below:
This is one of the numerous way to setup realtime deepfake video calls.
You’ll find the exact four-tool setup, the legal and consent guidelines to establish first, a step-by-step walkthrough, and instructions for running the session so the lesson actually sticks. Attackers already understand how to do this. The goal is to make sure your team does too, because you can’t train people to recognize a threat they’ve never seen. You can see the final output and a quick walkthrough of the setup here: YouTube demo video
Why this matters now?
For years, the advice was simple: if something feels off, verify it on a video call. Seeing a live face was considered reliable proof of identity. That assumption no longer holds. Real-time face replacement has moved from labs and big-budget productions into accessible, consumer-grade tools that run on an ordinary laptop. What once felt like a safeguard, “just confirm it on camera”, has become a potential point of attack.
The purpose of this exercise is focused: to show your team that “trusting what you see” is no longer a sufficient verification method. It’s not about creating fear or deceiving people long-term. It’s about replacing a risky instinct with a stronger one, confirming sensitive requests through a separate, trusted channel that attackers can’t easily replicate.
The legal and ethical guardrails (read this first)
Using a deepfake of a real person, even for internal purposes, can carry legal risk depending on your jurisdiction. Issues like impersonation, rights to one’s likeness, recording consent, and employment law may all apply. Consent isn’t just a checkbox, it’s essential.
Before running this exercise:
Obtain clear, written, and informed consent from anyone whose likeness is used, as well as from all participants on the call.
Frame it as an announced exercise or reveal it quickly, the goal is the learning moment, not prolonged deception.
Keep a visible on-screen label indicating that this is an educational deepfake demonstration (the setup below includes this).
Involve legal or HR if you’re rolling this out more broadly; a simple approval can prevent unnecessary risk.
Avoid using a real employee’s face without explicit permission. The walkthrough below uses a synthetic, AI-generated face to ensure no real individual is being impersonated.
What you actually need
Just four components, that’s the entire setup:
OBS Studio: a free, open-source tool that lets you route a virtual camera feed into your video platform
Zoom (or Google Meet) : whatever your team already uses for calls
Decart AI : a real-time video transformation engine, the free tier works for short sessions, with roughly $10–$20 for longer usecases
A lightweight custom app built on Decart’s real-time API to connect everything together
There are multiple ways to create a real-time deepfake pipeline. This is simply one practical approach. The underlying technology is evolving quickly, so think of this setup as a snapshot rather than a fixed standard, the key takeaway is the concept, not the exact tools.
How it works?
The custom app captures your live webcam feed and sends it to Decart AI, which applies the face transformation in real time and returns the modified video to your browser. OBS Studio then captures that browser window and outputs it as a virtual camera. Finally, Zoom (or your chosen platform) treats that virtual camera just like any standard webcam feed.
Your webcam → Custom app → Decart AI → Browser tab (deepfake render)
↓
OBS Studio (virtual camera)
↓
Zoom / GoogleMeetStep-by-step setup for macOS (For Windows it should be similar)
1. Set up OBS Studio
Download OBS Studio from https://obsproject.com/ and install it.
Open OBS and add a new Scene using the left sidebar. You'll see a black scene by default.
Right-click the scene → Add Source → Text (FreeType2). Set the text to something that clearly flags the exercise, e.g. "Educational purpose - real-time deepfake demo."
Drag that text toward the bottom of the scene and resize it using the bounding handles.
Open a browser tab and load http://localhost:3000/. It'll be blank for now, the custom app will live here shortly.
Right-click the scene again → Add Source → macOS Screen Capture. Choose Method: Window Capture and select the browser window running
localhost:3000.
OBS Studio - Set Text On A Scene
OBS Studio - Set macOS Screen Capture On A Scene
OBS Studio - Select Localhost Browser Tab
2. Get a Decart AI API key
Go to https://platform.decart.ai/ and register.
In the left sidebar, open API Key, create one, and store it somewhere safe, you'll paste it into the custom app.
The free tier includes ~1,000 credits, enough for short real-time sessions. Longer demos need the paid top-up.
Decart AI - Create API Key
3. Run the custom application
Download the code from the Github project repository .
This app is the integration layer to Decart's real-time API. It captures your live video, streams it to Decart, and renders the manipulated output back in your browser. Your API key and the uploaded target image stay between your browser and Decart, they're not sent to any other third-party server.
Navigate into the project folder.
Make sure Node.js and npm are installed.
node --versionandnpm --versionshould each return a version number. (If you're comfortable with a VS Code dev container / Docker, that works too, but plain Node is simpler.)Run
npm installfrom inside the project folder to pull dependencies.Start the server with
node server.js. The app should now be live at http://localhost:3000/.Go to https://thispersondoesnotexist.com/ and download one face. Every image there is AI-generated, the person doesn't exist, so you're not impersonating anyone real. Use this as your target image.
In the app at
localhost:3000, paste your Decart API key and upload the target image.Make sure the final rendered video opens in its own independent browser tab/window, this makes it much easier for OBS to capture the correct source properly.
Sample application should look like snapshot below.
4. Adjust the OBS scene
Back in OBS, select the macOS Screen Capture source in the sidebar.
Select the browser-tab capture on the scene and drag the bounding-box corners so only the central rendered face is visible inside the scene.
Confirm your educational-purpose label is still visible below the video.
Bottom-right of OBS, click Start Virtual Camera.
5. Set up Zoom
Start a Zoom meeting.
Click the arrow next to the Video icon (bottom-left) → Video Settings.
Set Camera: OBS Virtual Camera.
Zoom should immediately show the OBS scene, your real-time deepfake, with the label underneath.
Keep the custom app's browser tab running the whole time. That tab is where the deepfake is actually rendered, OBS just relays it, and Zoom just displays whatever OBS sends.
Send the meeting link to your internal participants and have everyone join.
Run the demo. Swapping the target image mid-call is a powerful moment, it shows how quickly and convincingly the "person" on the other end can change.
Zoom - With OBS Studio Virtual Camera
Custom App Rendering Realtime Deepfake
Zoom Call - This how a deepfake person looks on a zoom call
Running the session
A few choices determine whether this lands as a powerful lesson or just a novelty:
Time the reveal intentionally: Let the moment sit for a second during the meeting, then walk them through what they saw and how little effort it took to create this deepfake call.
Shift quickly to the real takeaway: The point isn’t just that deepfakes are possible, it’s that seeing someone on video is no longer proof of identity. Reinforce the correct response: verify any high-risk request through a separate, trusted channel (e.g., a known phone number, internal system, or pre-agreed code), never within the same call.
Highlight the warning signs carefully: Today’s real-time deepfakes can still slip up with fast head movements, partial face obstruction, or unusual lighting. Show these, but make it clear they’re temporary weaknesses. As the technology improves, these tells will fade away, so process, not perception, has to be the defense. Also experienced fraudsters are well equipped technically to make it look as real as possible.
Turn insight into policy: Close with concrete actions: how approvals (like wire transfers) should work going forward, what “out-of-band verification” means in your organization, and exactly who to contact when something doesn’t feel right.
Conclusion
People will remember a convincing fake face far longer than any policy document, use that to your advantage. The goal isn’t to create fear, but to replace a flawed instinct (“I saw them, so it must be them”) with a stronger habit: “I verified it through a channel that can’t be spoofed.”
You can see the final output and a quick walkthrough of the setup here: YouTube demo video
Note: If you run into any issues while setting this up, feel free to reach out via the “Book a Call” option on https://www.deepfakefinance.com/, or just send me an email( [email protected] ) or message me on LinkedIn, I’m happy to help. I haven’t tested this on a Windows machine yet, so it would be great if someone could try it out and let me know whether it works 🙂