Lip-Sync Attack Detection for Live Video Interviews

An operator briefing for People Analytics leaders on turning audio-visual synchronization into an audit-ready control: detect lip-sync fraud without slowing time-to-offer.

If legal asked you to prove who approved this candidate, can you retrieve it with timestamps, thresholds, and an evidence pack?
Back to all posts

The lip-sync incident that becomes an audit problem

Assume this scenario: you ran a high-volume remote screening day. A week later, Security flags that a new hire is failing basic access hygiene and appears to be operating from an unexpected geography. Legal asks a simple question: "Who did we interview, and can you prove it?" If your only artifacts are a calendar invite, a recording, and subjective notes, you have a defensibility failure. Lip-sync attacks exploit that gap. The candidate video looks plausible, but audio-visual timing is manipulated so the speaker is not the person on screen, or the on-screen face is synthetic. Operationally, this creates four immediate costs: - Audit liability: A decision without evidence is not audit-ready. If you cannot retrieve time-stamped integrity signals and reviewer actions, you are left with opinion. - SLA damage: Teams pause the funnel when suspicion arises. Time delays cluster at moments where identity is unverified, pushing time-to-offer and increasing offer-to-start fallout. - Legal exposure: If challenged, you need a repeatable policy: what you checked, what you logged, and why you escalated or cleared the session. - Mis-hire cost: SHRM cites replacement cost estimates of 50-200% of annual salary depending on role. A single integrity miss can consume your quarterly hiring capacity in rework.

  • It can produce a "clean" recording that is hard to challenge without instrumentation.

  • It often appears intermittently, so reviewers argue about subjectivity instead of referencing logged signals.

  • It can be paired with proxy interviewing, where the person answering is not the verified identity.

WHY LEGACY TOOLS FAIL: The market optimized for throughput, not integrity

Most hiring stacks failed to solve lip-sync attacks because the workflow is fragmented across systems that do not share a single source of truth. The common failure mode looks like this: identity checks happen once (if at all), then interviews run as a separate system, then assessments run elsewhere, then background checks happen at the end. This sequential design slows everything down and still leaves gaps because the checks are not correlated to the live session. Operationally, legacy tooling tends to create: - Sequential checks that force waterfall workflows instead of parallelized checks, increasing cycle-time variance. - No immutable event log across the interview session. You have a video file, not a time-series of integrity signals. - No unified evidence packs. Notes live in one place, recordings in another, identity artifacts in a third. - No review-bound SLAs. Suspicious sessions sit in inboxes, and accountability becomes informal. - Shadow workflows and silos. Reviewers download clips, share them in chat, and create untracked decisions. Shadow workflows are integrity liabilities.

  • You are asked to "measure fraud" but your systems only measure stage durations and pass rates.

  • You are asked to "prove consistency" but rubrics are not standardized or stored with timestamps.

  • You are asked to "move fast" but every suspicion triggers an ad hoc war room.

OWNERSHIP & ACCOUNTABILITY MATRIX: Who owns what when AV-sync flags fire?

Before you deploy any detection, assign ownership and define what is automated vs manually reviewed. Otherwise, alerts become noise and review becomes discretionary. Recommended accountability model: - Recruiting Ops owns workflow design, stage SLAs, and candidate communications. They do not adjudicate fraud based on gut feel. - Security owns fraud policy thresholds, escalation rules, access control, and audit policy. They approve what constitutes sufficient evidence. - Hiring Managers own rubric discipline and scoring consistency. They are consumers of integrity signals, not sole arbiters of identity. - People Analytics owns segmented risk dashboards, time-to-event analytics, and weekly integrity reporting tied to funnel health. Sources of truth: - ATS is the system of record for stage transitions, reviewer identity, and decision timestamps. - Verification service is the system of record for biometric checks and document authentication events. - Interview layer is the system of record for AV-sync signals and session telemetry, but it must write back to the ATS to avoid silos.

Live panel interview
  • Automate: AV-sync scoring, anomaly flagging, evidence pack creation, step-up verification triggers.

  • Manual: adjudication for high-risk sessions, remediation for likely false positives, final disposition logging with rationale.

MODERN OPERATING MODEL: Instrumented interviews with identity gates and evidence packs

Recommendation: treat the interview as a controlled access event. Identity verification should occur before access, and integrity signals should be captured continuously during the session. An instrumented workflow for lip-sync defense has five parts:

  1. Identity gate before access: verify document authenticity, liveness, and face match before the interview link grants entry. For higher-risk roles, require step-up verification at interview start.

  2. Event-based triggers: compute AV synchronization metrics in near real time and trigger actions based on thresholds. Do not wait for a post-mortem after the candidate advances.

  3. Automated evidence capture: store the minimum defensible artifacts in an evidence pack: timestamps, metric values, device and network telemetry summaries, and reviewer actions. If it is not logged, it is not defensible.

  4. Standardized rubrics: store interview scoring with structured fields and tie it to the session ID. Tamper-resistant feedback reduces backfilled narratives.

  5. Segmented risk dashboards: People Analytics tracks AV-sync flag rate by role, geography, device class, and vendor channel, plus downstream correlation to offer fallout and early attrition.

  • Mouth movement timing drift relative to phoneme energy in audio.

  • Inconsistent delay patterns that do not match normal network jitter (for example, repeated fixed offsets).

  • Voice and face continuity breaks across the session, especially around sensitive questions.

WHERE INTEGRITYLENS FITS

IntegrityLens AI is used as the ATS-anchored control plane so AV-sync risk signals become actionable and auditable instead of subjective. - Gate interview access with biometric identity verification: liveness, document authentication, and face matching, completed in a typical 2-3 minutes before the interview starts. - Continuously monitor for fraud signals during interviews, including deepfake detection, proxy interview detection, behavioral signals, and device fingerprinting, with step-up verification when risk thresholds are crossed. - Run AI-powered screening interviews 24/7 with structured rubrics so scoring is evidence-based and consistent across reviewers. - Create immutable evidence packs and compliance-ready audit trails so Legal and Security can retrieve who approved what, when, and based on which signals. - Keep People Analytics in control with segmented risk dashboards that tie integrity signals to time-to-event and funnel leakage.

ANTI-PATTERNS THAT MAKE FRAUD WORSE

  • Recording-only forensics: relying on humans to "review the video later" without capturing time-stamped AV-sync metrics and decision logs. Manual review without evidence creates audit liabilities. - One-threshold-to-rule-them-all: using a single strict cutoff that forces false positives and trains teams to ignore alerts. Fraud defense must be risk-tiered with remediation paths. - Off-platform sharing: downloading clips to chat or email for consensus. This creates shadow workflows, breaks chain of custody, and makes your decisions non-defensible.

IMPLEMENTATION RUNBOOK: Real-time AV-sync detection with SLA-bound review

1

Define risk tiers (People Analytics + Security, SLA: 5 business days to publish policy) - Output: thresholds for Low, Medium, High AV-sync risk; remediation steps; termination criteria. - Logged: policy version, approvers, effective date in the ATS policy registry.

2

Pre-interview identity gate (Recruiting Ops owns workflow, Security owns policy, SLA: complete before interview start) - Action: document auth + liveness + face match. - Logged: verification start and end timestamps, result, and evidence pack ID.

3

Start-of-interview step-up (conditional) (Security owns triggers, SLA: under 3 minutes) - Trigger: role is privileged, location anomaly, device change, or prior medium risk. - Logged: step-up reason code, result, timestamps.

4

Real-time AV-sync scoring during interview (Automated, Security owns thresholds, SLA: continuous) - Action: compute AV-sync drift score and stability pattern; watch for continuity breaks. - Logged: time-series summary (not raw biometrics), threshold crossings, and session integrity score.

5

Automated routing to review queue (Recruiting Ops owns queue ops, SLA: Medium risk reviewed within 4 business hours; High risk within 30 minutes) - Medium risk: allow interview to continue, but block advancement until review completes. - High risk: pause the interview, require step-up verification or reschedule to a controlled session. - Logged: queue entry time, reviewer assignment, SLA timer, reviewer actions.

6

Manual adjudication and remediation (Security reviewer + Hiring Manager for rubric context, SLA: decision within SLA above) - Allowed remediation: re-run liveness, request candidate to repeat a short prompted phrase, confirm device change, reschedule in controlled environment. - Prohibited: accusations without evidence, ad hoc disqualification. - Logged: decision (clear, step-up pass, step-up fail, reschedule), rationale codes, artifacts referenced.

7

ATS write-back and stage control (ATS is source of truth, Recruiting Ops owns) - Action: enforce stage gating. No offer stage transition unless integrity status is "cleared" with evidence pack attached. - Logged: stage transition blocked or allowed, who approved, timestamp, evidence pack link.

8

Weekly analytics and tuning (People Analytics owns, SLA: weekly) - Metrics: AV-sync flag rate by segment, review SLA adherence, step-up pass rate, false positive rate proxy (reschedule then clear), and impact on time-to-offer distribution. - Logged: dashboard snapshot, threshold change log, and policy version updates.

Related Resources

Key takeaways

  • Treat live interviews as a privileged access event and require identity continuity, not just a scheduled meeting link.
  • Audio-visual (AV) synchronization anomalies are a high-leverage signal, but only defensible when logged with timestamps, thresholds, and reviewer actions.
  • Use a risk-tiered funnel: most candidates flow through with automated checks, a small percentage get step-up verification and SLA-bound review.
  • False positive management is a policy problem. Define thresholds, escalation paths, and allowed remediation steps before you accuse anyone.
  • If it is not logged, it is not defensible. Every fraud decision needs an ATS-anchored evidence pack.
AV-Sync Lip-Sync Detection Policy (Interview Control)YAML policy

Use this policy to operationalize AV-sync alerts into step-up verification, SLA-bound review, and ATS gating. Tune thresholds with People Analytics after you establish baseline jitter by segment.

version: "1.0"
policy_id: "interview-avsync-lipsync"
owners:
  recruiting_ops: "workflow + candidate comms"
  security: "thresholds + adjudication + audit policy"
  hiring_manager: "rubric scoring discipline"
  people_analytics: "dashboards + segmentation + tuning"
slas:
  pre_interview_identity_gate: "complete-before-session"
  medium_risk_review: "4h"
  high_risk_review: "30m"
  evidence_pack_writeback: "15m"
inputs:
  role_risk_tier: ["standard", "privileged"]
  prior_integrity_flags: ["none", "medium", "high"]
  device_fingerprint_change: [true, false]
  geo_anomaly: [true, false]
  avsync_drift_ms_p95: "number"
  avsync_stability: ["stable", "variable", "fixed_offset"]
  face_voice_continuity_break: [true, false]
decision_tree:
  - when:
      any:
        - face_voice_continuity_break: true
        - avsync_stability: "fixed_offset"
        - avsync_drift_ms_p95: ">= 450"
    risk: "high"
    action:
      - "pause-interview"
      - "require-step-up-verification"
      - "route-to-security-review"
    advancement_gate: "blocked"
  - when:
      all:
        - avsync_drift_ms_p95: ">= 250"
        - avsync_drift_ms_p95: "< 450"
    risk: "medium"
    action:
      - "allow-interview-continue"
      - "route-to-review-queue"
    advancement_gate: "blocked-until-reviewed"
  - when:
      any:
        - device_fingerprint_change: true
        - geo_anomaly: true
        - prior_integrity_flags: "medium"
    risk: "medium"
    action:
      - "trigger-step-up-verification"
      - "route-to-review-queue"
    advancement_gate: "blocked-until-reviewed"
  - when: {}
    risk: "low"
    action:
      - "no-interruption"
    advancement_gate: "allowed"
evidence_pack_requirements:
  must_log:
    - "session_id"
    - "candidate_id"
    - "policy_id"
    - "policy_version"
    - "threshold_crossings_with_timestamps"
    - "device_fingerprint_summary"
    - "reviewer_id_and_decision_timestamp"
    - "rationale_code"
  data_minimization:
    biometrics: "zero-retention"
    store: "derived-metrics-and-hashes-only"

Outcome proof: What changes

Before

Interview fraud suspicions were handled ad hoc. Reviewers relied on subjective notes and downloaded clips shared in chat. Stage gating was inconsistent, and Legal had no repeatable way to retrieve who approved exceptions.

After

The team implemented AV-sync risk tiers, step-up verification for privileged roles, and ATS-anchored evidence packs with review SLAs. Most candidates flowed without interruption; only threshold crossings created review work.

Governance Notes: Security and Legal signed off because the workflow minimizes data (stores derived AV-sync metrics and decision logs instead of raw biometric media), enforces consistent thresholds via versioned policy, and preserves chain-of-custody with immutable, ATS-anchored audit trails and reviewer accountability.

Implementation checklist

  • Define AV-sync risk tiers and thresholds (warn, step-up, terminate).
  • Set SLAs for automated decisioning and manual review queues.
  • Ensure every interview session writes immutable event logs back to the ATS.
  • Create a remediation path for likely false positives (network jitter, Bluetooth delay).
  • Report weekly: rate of AV-sync flags, step-up pass rate, review SLA adherence, and downstream quality signals.

Questions we hear from teams

What is audio-visual synchronization analysis in interviews?
Audio-visual synchronization analysis measures whether mouth movement timing aligns with spoken audio patterns and whether that alignment is stable throughout the session. In hiring operations, it is used as a risk signal that can trigger step-up verification and manual review with logged evidence.
How do you avoid false accusations when AV-sync flags fire?
Use risk tiers and remediation steps. Medium risk should route to review without disqualification, and reviewers should have approved remediation actions such as re-running liveness, prompted phrase replay, or controlled reschedule. Always log rationale codes and the policy version used.
Where should lip-sync controls live: in the interview tool or the ATS?
Signals can be computed at the interview layer, but the ATS must remain the system of record for stage gating, reviewer accountability, and audit trails. If the integrity decision is not written back to the ATS, you will create a shadow workflow that is hard to defend.
What should People Analytics report weekly?
Report AV-sync flag rate by segment, review SLA adherence, step-up verification pass rate, proportion of candidates blocked from advancement, and impact on time-to-offer distribution. Tie any threshold changes to policy versions and effective dates.

Ready to secure your hiring pipeline?

Let IntegrityLens help you verify identity, stop proxy interviews, and standardize screening from first touch to final offer.

Try it free Book a demo

Watch IntegrityLens in action

See how IntegrityLens verifies identity, detects proxy interviewing, and standardizes screening with AI interviews and coding assessments.

Related resources