Lip Sync Attacks in Video Interviews: Detection Runbook
A lip-sync attack is not a "weird video call." It is an identity and integrity failure that creates mis-hire risk, SLA drag, and defensibility gaps unless you instrument the interview workflow.
A/V sync anomalies are not "bad video." They are identity-risk events that need owners, SLAs, and evidence packs.Back to all posts
Real Hiring Problem
Recommendation: Treat lip-sync suspicion as an integrity incident with SLAs and evidence, not a subjective interview note. When a candidate's mouth movement and audio drift out of sync, the immediate operational risk is not "awkwardness." It is that you may be evaluating the wrong person or an injected audio track. If you advance them without controls, you risk a mis-hire and later cannot prove who you interviewed. If you stop the line for ad hoc review, you introduce SLA breaches. Time-to-offer delays cluster at moments where identity is unverified, and fraud actors exploit those gaps by pushing for urgency. Industry signals indicate this is a recurring problem. Checkr reports 31% of hiring managers say they have interviewed someone who later turned out to be using a false identity, and Pindrop reports 1 in 6 applicants to remote roles showed signs of fraud in one real-world pipeline.
No one owns the decision to pause or step-up verify, so the queue ages silently.
Interviewers flag "something off" but cannot produce audit-ready evidence.
Recruiting Ops starts the offer clock while integrity is unresolved, creating pressure to override controls.
WHY LEGACY TOOLS FAIL
Recommendation: Stop relying on sequential point solutions for a cross-signal fraud problem. Most ATS, background checks, and coding challenge tools operate as separate stages with separate data stores. Lip-sync attacks live inside the interview session and must be correlated with identity assertions and downstream telemetry. Sequential checks slow cycle-time and still miss patterns because no system owns the end-to-end event log. Legacy stacks typically lack unified evidence packs, review-bound SLAs, and standardized rubric storage. The result is shadow workflows in spreadsheets and chat, which are integrity liabilities. If it is not logged, it is not defensible.
Waterfall workflows that delay action until after the interview is over.
No immutable event log tying interview artifacts to identity verification results.
Manual review without evidence creates audit liabilities and inconsistent outcomes.
OWNERSHIP & ACCOUNTABILITY MATRIX
Recommendation: Assign owners by control type and make sources of truth explicit. Recruiting Ops owns workflow orchestration, SLAs, and queue health. Security owns the identity and fraud policy, including what constitutes a step-up event and what evidence is required for adverse action. Hiring Managers own scoring discipline and rubric completion. Analytics owns segmented risk dashboards and time-to-event reporting. Automation should generate consistent events and capture artifacts. Humans should adjudicate with a documented decision tree to control false positives.
Recruiting Ops: routing, review queues, offer gate enforcement, ATS write-backs.
Security: thresholds, reviewer training, exception policy, audit requests.
Hiring Manager: structured rubric, timely submission, performance decision input.
Analytics: dashboards for time-to-flag, time-in-review, and exception rates.
MODERN OPERATING MODEL
Recommendation: Instrument the interview workflow like access management: identity gate before access, then continuous integrity checks. A/V synchronization analysis is most effective when it is part of defense in depth. Use it to trigger step-up verification and evidence capture, not to make an immediate decision. Combine it with identity verification, device and session telemetry, and standardized rubrics. Run the funnel as event-based orchestration: every integrity event creates a timestamped record, an owner, and an SLA. Your goal is to preserve time-to-offer while keeping a tamper-resistant chain-of-custody.
Risk-tiered funnel with step-up verification for anomalies.
ATS-anchored audit trails and immutable evidence packs.
Standardized rubrics stored with timestamps and reviewer identity.
Dashboards that segment risk signals by role, region, and interviewer.
WHERE INTEGRITYLENS FITS
IntegrityLens supports an operational model where lip-sync anomalies are handled as logged events with step-up verification and a controlled offer gate. It enables identity gating using biometric verification with liveness, face matching, and document authentication, typically completed in 2-3 minutes. It also supports fraud prevention signals like deepfake and proxy interview detection, behavioral telemetry, and continuous re-authentication so you can correlate anomalies across stages. Recruiting Ops can keep candidates moving with 24/7 AI screening interviews and structured rubrics, while maintaining ATS-anchored audit trails and immutable evidence packs for defensibility.
Identity gate before access with logged timestamps.
Parallelized checks instead of waterfall workflows.
Evidence packs for audit requests and candidate disputes.
Structured rubrics and tamper-resistant feedback.
Risk dashboards that tie integrity signals to funnel progression.
ANTI-PATTERNS THAT MAKE FRAUD WORSE
Recommendation: Remove these failure modes before tuning detection thresholds.
Handle suspected lip-sync cases in DMs or side spreadsheets. That breaks audit trails and reviewer accountability.
Auto-reject on a single A/V sync flag. Use step-up verification to manage false positives and reduce legal exposure.
Start offer approvals before integrity is cleared or an exception is logged. Time pressure is how controls get bypassed.
IMPLEMENTATION RUNBOOK
Recommendation: Build a two-lane workflow: default progression plus an SLA-bound integrity lane that triggers step-up verification. Set explicit SLAs to prevent review queues from becoming hidden time-to-offer killers. Every step should write to an immutable event log: what happened, when it happened, who reviewed it, and what action was taken. Make the offer gate binary: cleared, or cleared with documented exception. A decision without evidence is not audit-ready.
Policy definition (Security + Recruiting Ops): versioned thresholds, approvers, effective date. Update weekly.
Pre-interview identity gate (Recruiting Ops): verification completed before interview credit. Log start-end timestamps and results.
Live session monitoring (Recruiting Ops + Security): log A/V sync anomalies with timestamps, device fingerprint, network changes.
Auto-routing (Recruiting Ops): create review ticket within 60 seconds of flag, assign reviewer, set SLA timers.
Triage (Security reviewer or trained Fraud Triage lead): 4 business hour initial decision with rationale and artifacts viewed.
Step-up re-auth (Recruiting Ops executes, Security defines): candidate completes within 24 hours; reviewer closes within 4 business hours.
Rubric discipline (Hiring Manager): submit standardized rubric within 24 hours; store tamper-resistant notes.
Offer gate (Recruiting Ops): block offer until integrity cleared or exception approved and logged.
SOURCES
Checkr (2025): 31% of hiring managers report interviewing someone using a false identity. https://checkr.com/resources/articles/hiring-hoax-manager-survey-2025 Pindrop: 1 in 6 applicants to remote roles showed signs of fraud in one real-world pipeline. https://www.pindrop.com/article/why-your-hiring-process-now-cybersecurity-vulnerability/ SHRM: replacement cost estimates can range from 50-200% of annual salary depending on role. https://www.shrm.org/in/topics-tools/news/blogs/why-ignoring-exit-data-is-costing-you-talent
Use them to justify review capacity and SLAs, not to set auto-reject thresholds.
Tie integrity control ROI to avoided replacement-cost exposure and reduced cycle-time waste.
CLOSE: Implementation Checklist
Recommendation: Implement control points tomorrow, then tune thresholds with data. Business outcome target: keep time-to-offer predictable while making integrity decisions retrievable, attributable, and evidence-backed.
Create an "A/V Sync Anomaly" event and route to a review queue with a 4 business hour triage SLA.
Add a step-up verification action that can be completed within 24 hours and logged to the candidate record.
Make the offer stage contingent on integrity status: cleared or exception-with-approver.
Separate performance scoring from integrity adjudication, then merge both into a single evidence pack at offer gate.
Report weekly: time-to-flag, time-in-review, queue age percentiles, exception rate, and offer delays attributable to integrity checks.
Retire shadow workflows by requiring all reviewer notes and artifacts be stored in the ATS-anchored audit trail.
Related Resources
Key takeaways
- Treat audio-visual synchronization as an identity-gate control, not a subjective "vibe check."
- Instrument the interview flow with timestamps: when the risk flag fired, who reviewed it, what step-up was triggered, and what evidence was retained.
- Use defense in depth: A/V sync signals should trigger step-up verification, not immediate rejection, to control false positives.
- Build review-bound SLAs so suspected fraud does not stall time-to-offer or create unowned queues.
- Make every decision retrievable in an ATS-anchored audit trail: if it is not logged, it is not defensible.
Use this policy as a starting point for routing audio-visual sync anomalies into a review queue without auto-rejecting candidates.
This is designed to manage false positives: one signal triggers step-up verification, not a final decision.
Store policy versions in your ATS-anchored audit trail so you can prove what rules were in effect on the interview date.
version: "2026-02-23"
policy_name: "av-sync-anomaly-triage"
scope:
stages:
- screening_interview
- hiring_manager_interview
applies_to:
- real_time_video_sessions
event_types:
- id: "AV_SYNC_ANOMALY"
description: "Detected mismatch between mouth movement and audio timing beyond configured threshold"
routing:
on_event: "AV_SYNC_ANOMALY"
create_review_ticket: true
queue: "fraud-triage"
assign_role: "fraud_reviewer"
sla:
triage_within_business_hours: 4
candidate_step_up_complete_within_hours: 24
final_disposition_within_business_hours: 8
actions:
default_action: "STEP_UP_VERIFICATION"
step_up_methods:
- "liveness"
- "face_match"
- "document_auth"
allow_interview_to_continue_if:
- "identity_gate_passed_pre_interview == true"
- "anomaly_count <= 1"
pause_stage_progression_if:
- "anomaly_count >= 2"
- "device_fingerprint_changed == true"
- "network_changed_mid_session == true"
false_positive_handling:
permitted_remediations:
- "retest_on_alternate_device"
- "retest_on_stable_network"
- "reschedule_with_proctored_step_up"
prohibited_outcomes:
- "auto_reject_on_single_signal"
evidence_requirements:
must_log:
- "event_timestamp"
- "session_id"
- "candidate_id"
- "reviewer_id"
- "artifacts_viewed"
- "triage_rationale"
- "step_up_results"
- "final_disposition"
retention_note: "Store minimum necessary artifacts; prefer zero-retention biometrics where policy allows."
offer_gate:
require_integrity_status: true
allowed_status:
- "cleared"
- "cleared_with_exception"
exception_requires:
approver_roles:
- "security"
- "recruiting_ops"Outcome proof: What changes
Before
Lip-sync suspicions were handled via interviewer comments and Slack threads. Reviews had no SLA, and offer approvals sometimes progressed while integrity questions were unresolved. Evidence for disputes was scattered across systems.
After
A/V sync anomalies were treated as events that triggered step-up verification and a review-bound queue. Decisions were stored as ATS-anchored audit trails with immutable evidence packs and documented exceptions.
Implementation checklist
- Define what constitutes an A/V sync anomaly and what triggers step-up verification
- Set SLAs for triage and candidate re-verification
- Require immutable evidence packs for any adverse action or candidate dispute
- Create a false-positive path (re-test, alternate device, alternate network)
- Report weekly on time-to-event and queue age for fraud reviews
Questions we hear from teams
- What is a lip-sync attack in a hiring interview?
- A lip-sync attack is an interview fraud tactic where the audio track is manipulated or injected so it does not naturally align with the candidate's mouth movements, often to enable proxy interviewing or scripted responses while appearing on camera.
- Should we reject candidates when we detect audio-visual desynchronization?
- No. Treat A/V desync as a step-up verification trigger. Auto-rejecting on a single signal increases false positives and legal exposure. Require re-authentication and a documented reviewer decision before disposition.
- What evidence should we retain for audit readiness?
- Retain event timestamps, session identifiers, reviewer identity, triage rationale, and step-up verification results in an immutable event log. Link these to the candidate record so you can retrieve who approved progression and why.
- How do we keep time-to-offer from slipping when we add integrity checks?
- Use review-bound SLAs and event-based routing. The goal is to route anomalies to a dedicated triage queue within minutes, complete step-up verification within 24 hours, and block offers only at the integrity gate with documented exceptions.
Ready to secure your hiring pipeline?
Let IntegrityLens help you verify identity, stop proxy interviews, and standardize screening from first touch to final offer.
Watch IntegrityLens in action
See how IntegrityLens verifies identity, detects proxy interviewing, and standardizes screening with AI interviews and coding assessments.
