The Deepfake Fire Drill Every Family Needs (And Why Your Family Posts Are Now Training Data)
What every household needs to know about voice cloning, deepfake scams, and the plan that works.
I built a free eight-minute tool for this: the Deepfake Family Drill. Runs in your browser, no signup, nothing leaves your device. The rest of this post is why.
Open Instagram right now and scroll for ninety seconds. What do you see?
A toddler sounding out her first sentence with clean audio. A six-year-old giving a birthday speech to an iPhone held steady. A teenager with twenty-seven seconds of unbroken speech. A grandmother reading a book over FaceTime, recorded by the son so he could save it.
None of these people are doing anything wrong. They’re doing what every platform and every parenting expert has told families to do for fifteen years. Capture the moments. Keep the grandparents in the loop. This is the architecture of modern family memory.
Here is the other thing those videos are now. They are training data.
Under two minutes of clean audio is enough to clone a voice well enough to fool the person’s own mother. The first-birthday video, the graduation speech, the read-aloud saved to an iCloud album that got backed up to a drive that got breached. All of it is material now, for a technology that didn’t exist when any of it was recorded.
This isn’t a post about whether you should stop sharing. The same culture that taught every family to build a rich digital archive did not teach them what to do when an attacker uses that archive against them.
The archives exist. The tools to misuse them are free. Most families have no plan.
What actually happens
AA mother in Arizona answered her phone one afternoon in 2023. The voice on the line was her fifteen-year-old daughter, crying, saying she’d been kidnapped. A man came on demanding money. It took an hour for her to figure out the voice was a clone and her daughter was safe at a ski race.
She testified before the Senate later that year. The detail she kept returning to: it wasn’t just the voice. It was the crying. The specific way her daughter cried. Reproduced well enough from source material she had no idea was source material.
When she contacted Scottsdale police afterward, they told her it amounted to a “prank call.” No money had changed hands. There was no crime to investigate.
The FBI’s Internet Crime Complaint Center logged 22,364 AI-related fraud complaints in 2025, with reported losses of $893 million, the first year AI got tracked as its own category in the report’s twenty-five-year history. That’s only what got reported.
The people who are most aware of this risk, the people who read the research and watch the threat actors and write the policy frameworks, have mostly not translated any of it into something a grandmother could use.
Why no other layer will save you
The (US) law doesn’t cover this. The TAKE IT DOWN Act, signed in May 2025, criminalizes non-consensual intimate deepfakes. It does not address voice cloning for fraud. Most state deepfake laws are the same story.
The police arrive after the fact. Like the department that responded to DeStefano, most treat attempted voice-cloning fraud as a prank until money actually moves.
Once money moves, you have a narrow window. The FBI’s Financial Fraud Kill Chain can sometimes recall fraudulent wire transfers, but only at or above $50,000, only on international transfers, only within 72 hours. Below that threshold or after that window, the money is gone.
The misuse is social, and the defense has to be social too.
There is no model-level fix for this. The model doesn’t know it’s being misused.
What a defense looks like
The defense is unglamorous. It’s a word.
If someone calls claiming to be family and asks for money or to pick up a child, you ask them a word only your family knows. If they hesitate, it’s not them. A nine-year-old can learn this. It works at 2am in a way no technical solution will, because the attacker doesn’t have the word and can’t get it.
If the word doesn’t come under pressure, you ask about something no attacker could have found online. Not the dog’s name. Not your childhood street. Something specific and mundane that was never posted. What did we eat the night before Thanksgiving. Real family answers instantly. A scammer stalls.
If you want to test whether the person is reading from a script, introduce something that didn’t happen. Did you like the pasta at Aunt Karen’s yesterday? (No pasta. No Aunt Karen.) A scammer agrees, because scammers optimize to keep the story going. Real family says what are you talking about.
And if the request is for money through any unusual channel, you wait. An hour, a day, whatever your family agrees on. Real requests survive the wait. Scams escalate during it, and the escalation itself is your answer.
None of this is sophisticated. The false-detail trick is borrowed from counterintelligence, but a child can learn it in thirty seconds. That’s what I find hardest to sit with. How simple the defense is, and how little we’ve bothered to teach anyone.
The household layer
So I built a drill.
Eight minutes. Five realistic scenarios (a voicemail from the school, a wire request from a boss, a pickup change, a text from “mom,” a teen extortion attempt). At the end you build a protocol: a safe word, a callback rule, a financial delay, a pickup rule, a freeze word for the kids. Print the card. Tape it to the fridge. Run the drill again in six months because the kids forget.
The drill is an argument. AI safety is going to live in households. Not in research papers. Not in regulatory frameworks. In kitchens. At dinner tables. In the ten minutes on a Sunday when a family agrees on a word.
Labs aren’t going to build this. Regulators aren’t going to build this. It’s a civic practice in software form, and civic practices have always come from communities, not corporations and not statutes.
The videos are going to keep getting posted. They should. The vulnerability isn’t the sharing. The vulnerability is the sharing without a plan.
Now you can build the plan.
For the AI security and policy folks reading: what attack class did I miss? What defense fails in ways I didn't consider? The piece argues no other layer will save you, which is a strong claim. Where does it fail?"
It’s possible to develop a script that allows an attacker to induce someone in the family to reveal the word. And then use the word against another member of the family.