By NHI Mgmt Group Editorial Team | Published 2026-06-08 | Domain: Governance & Risk | Source: SumSub

TL;DR: Overall fraud volume fell 50% while sophisticated attacks nearly tripled and now combine synthetic identities, deepfakes, and telemetry tampering to defeat verification systems, according to SumSub’s annual Identity Fraud Report based on over 4 million fraud attempts globally. Fraud controls built for static checks are losing ground to coordinated operations that adapt in real time.


At a glance

What this is: SumSub’s analysis of a rapidly changing fraud landscape, where fewer attempts are becoming far more sophisticated and multi-vector.

Why it matters: IAM, fraud, and identity governance teams need controls that can handle synthetic identity risk, verification bypass, and telemetry manipulation across human and non-human trust paths.

By the numbers:



Context

Identity fraud now looks less like isolated impersonation and more like coordinated abuse of the full verification stack. The primary problem is not simply more fraud, but fraud that is more adaptive, more automated, and more willing to attack the checks themselves rather than only the person being verified.

For IAM and fraud teams, that changes the control question. Static document checks, single-point liveness checks, and narrow anomaly rules are easier to study, simulate, and bypass when attackers can combine synthetic identities, deepfakes, and telemetry tampering in one campaign.

The article’s central message is that verification programmes need to account for adversaries who invest in the same operational discipline as defenders. That is a typical failure mode for mature digital onboarding and recovery flows, not an edge case.


Key questions

Q: How should security teams respond when synthetic identities pass verification checks?

A: They should treat the pass event as the start of a governance review, not proof of legitimacy. The next step is to examine what evidence was reused, whether the identity can be reused elsewhere, and whether downstream privileges were granted on the basis of a single check. Verification success should not equal broad trust.

Q: Why do deepfakes and liveness bypasses create such high fraud risk?

A: Because they undermine the evidence used to establish that a real person is present. Once that evidence is compromised, attackers can open accounts, reset credentials, or pass higher-trust checks without needing to defeat every control in the journey. The risk is cumulative, not isolated.

Q: What do identity teams get wrong about telemetry-based fraud detection?

A: They often assume telemetry is neutral input rather than a target. In practice, device and session signals can be altered, replayed, or engineered to make fraud look legitimate. If the programme does not validate signal integrity, the fraud model can be trained and steered by the attacker.

Q: How can organisations reduce fraud without creating excessive user friction?

A: By moving from single-check trust to layered evidence and risk-based escalation. Low-risk journeys can stay fast, but higher-risk actions should require stronger proof, additional context, or step-up review. That reduces blanket friction while making the most valuable trust decisions harder to fake.


Technical breakdown

Synthetic identities and deepfakes in identity fraud

Synthetic identity fraud blends fabricated identity attributes with real or semi-real data so that a profile can survive basic validation. Deepfakes raise the bar further by allowing attackers to imitate faces or voices well enough to challenge liveness checks and human review. The technical issue is not just spoofing a control, but creating identities that look internally consistent across multiple evidence sources. Once those identities are accepted, they can be reused across onboarding, account recovery, and payment abuse paths.

Practical implication: teams need verification steps that cross-check evidence sources instead of trusting any single document or biometric signal.

Telemetry tampering against verification systems

Telemetry tampering targets the data the verification system uses to decide whether a session, device, or transaction looks legitimate. That can include altering device signals, session patterns, or other metadata so the fraud attempt appears low risk. This is especially dangerous because it attacks the detection layer itself, not only the identity proofing step. When telemetry can be shaped or replayed, risk engines lose the behavioural context they rely on to distinguish genuine applicants from coordinated fraud operations.

Practical implication: protect the integrity of signals feeding fraud engines and validate that telemetry cannot be easily spoofed or replayed.

Why multi-vector fraud beats single-control defences

The report points to a shift from amateur fraud to professional operations that combine several techniques at once. A deepfake may get past one check, a synthetic identity may satisfy another, and telemetry manipulation may suppress a risk score enough to complete the journey. The failure is architectural: controls are often evaluated one by one, while attackers move as a chain. Defenders that only optimise isolated checkpoints create gaps between them, and those gaps become the exploitable path.

Practical implication: assess fraud controls as an end-to-end attack chain, not as independent point solutions.


Threat narrative

Attacker objective: obtain trusted identity footholds that can be reused for fraud, account abuse, and financial gain at scale.

  1. Entry begins when attackers present synthetic identities, stolen personal data, or AI-generated deepfakes to enter onboarding or verification flows.
  2. Credential access or abuse follows when liveness checks, document checks, or telemetry-based scoring are fooled enough to create trusted access paths or account footholds.
  3. Escalation occurs as the same operation reuses validated identity artefacts across account recovery, payment abuse, or additional enrolments while staying below detection thresholds.
  4. Impact is mass fraud at scale, including account takeover, false onboarding, financial loss, and degraded trust in verification systems.



NHI Mgmt Group analysis

Professional fraud has become a systems problem, not a single-check problem. The report’s strongest signal is that attackers are no longer trying one weak point at a time. They combine synthetic identities, deepfakes, and telemetry manipulation to move across the verification stack as a coordinated chain. That means identity teams should stop thinking in terms of isolated control wins and start thinking in terms of attack-path resilience.

Identity verification is now part of fraud operations, and fraud operations are now part of identity governance. When onboarding, recovery, and transaction trust are linked, failures in one area become reusable trust artefacts in another. This is where IAM and fraud prevention converge: the same identity proof can be weaponised across multiple business flows if provenance and reuse are not governed. Practitioners should treat identity evidence as a governed asset, not a one-time check.

Telemetry tampering is a governance gap because it attacks the evidentiary layer beneath decisioning. Risk engines depend on signal quality, but that quality is often assumed rather than continuously verified. When attackers can shape telemetry, the programme is no longer just making a bad decision, it is being fed compromised evidence. Teams need to recognise that the control boundary now includes the integrity of the signals themselves.

Anthropomorphic fraud tells us that human trust signals are easier to counterfeit than many teams assume. Deepfakes, emotional manipulation, and synthetic identities work because verification programmes still rely on human-perceptible cues at critical points. The implication is not that humans should be removed from review, but that human judgement alone cannot carry trust decisions once the attacker is professionally organised. Practitioners should harden the evidence chain, not just the review queue.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • For the broader identity governance context, review 52 NHI Breaches Analysis to connect exposure patterns to real attack paths.

What this signals

Identity fraud teams should expect the control surface to keep expanding. As attackers blend synthetic identities, deepfakes, and telemetry manipulation, the practical response is to evaluate whether every signal feeding a trust decision can be forged, replayed, or chained into the next step. The governance question is no longer only whether a check works, but whether it remains trustworthy when an organised adversary is optimising against it.

Signal integrity is becoming a first-class security requirement. If the data that drives risk scoring can be manipulated, then the decision engine is only as reliable as its weakest evidence source. That is why fraud programmes need to align more closely with identity governance, data integrity, and verification assurance, rather than treating fraud review as a separate operational queue.


For practitioners

  • Map the fraud kill chain end to end: Trace how synthetic identity creation, liveness bypass, telemetry shaping, and downstream reuse connect across onboarding, recovery, and payments. Prioritise the join points where one accepted signal unlocks the next trust step.
  • Harden the integrity of verification telemetry: Validate the provenance of device, session, and behavioural signals before they reach risk scoring. Treat those signals as security-relevant inputs and look for replayable or easily spoofed fields.
  • Separate document trust from identity trust: Do not let a single successful document check or biometric pass create broad downstream trust. Require additional context before account recovery, payment enrolment, or profile changes can proceed.
  • Review the reuse of verified identity artefacts: Find where a single verified identity can be reused across products, channels, or regions without revalidation. Tighten controls around high-value actions so the same artefact cannot unlock multiple fraud paths.
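
One way to implement the signal-integrity check called for in the telemetry tampering breakdown and in the "Harden the integrity of verification telemetry" item above, as an added example (not SumSub's or NHI Mgmt Group's code): the server issues a single-use nonce per session and scores only envelopes that carry a valid HMAC, a fresh timestamp, and an unused nonce. The envelope layout, field names, freshness window, and per-device enrolment key are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_SECONDS = 120  # assumed freshness window for a telemetry envelope
SIGNED_FIELDS = ("device_id", "session_id", "nonce", "issued_at", "signals")

def sign(key, envelope):
    """HMAC-SHA256 over a canonical JSON encoding of the signed fields."""
    body = {f: envelope.get(f) for f in SIGNED_FIELDS}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_envelope(key, device_id, session_id, nonce, issued_at, signals):
    """What an enrolled client would send (hypothetical envelope layout)."""
    env = {"device_id": device_id, "session_id": session_id, "nonce": nonce,
           "issued_at": issued_at, "signals": signals}
    env["mac"] = sign(key, env)
    return env

class TelemetryVerifier:
    """Server-side gate that runs before signals reach risk scoring."""
    def __init__(self, device_keys):
        self._keys = device_keys  # device_id -> key set at enrolment (assumed)
        self._pending = {}        # nonce -> session it was issued to

    def issue_nonce(self, session_id):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = session_id
        return nonce

    def verify(self, env, now=None):
        """Return (accepted, reason); only accepted envelopes get scored."""
        now = time.time() if now is None else now
        key = self._keys.get(env.get("device_id"))
        if key is None:
            return False, "unknown_device"
        mac = str(env.get("mac", "")).encode()
        if not hmac.compare_digest(sign(key, env).encode(), mac):
            return False, "bad_signature"   # a signed field was altered
        issued = env.get("issued_at")
        if not isinstance(issued, (int, float)) or abs(now - issued) > MAX_AGE_SECONDS:
            return False, "stale"           # old capture presented late
        issued_to = self._pending.pop(env.get("nonce"), None)  # single use
        if issued_to is None or issued_to != env.get("session_id"):
            return False, "replayed_or_unissued_nonce"
        return True, "ok"
```

An HMAC only proves possession of the key, so on a device the attacker controls this check is only as strong as the key storage; hardware-backed keys or platform attestation are the usual complement.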

Key takeaways

  • Fraud is shifting from volume-driven abuse to coordinated attacks that combine synthetic identities, deepfakes, and signal tampering.
  • The report shows that sophisticated attacks are nearly three times more common even as total attempts fall by half, which is a clear maturity signal for attackers.
  • Practitioners should govern verification as an attack chain, with stronger evidence validation at every step that can create downstream trust.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | DE.CM-7 | Telemetry tampering affects continuous monitoring signals used in fraud decisioning.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Risk-based trust decisions depend on evidence that should not be accepted once and reused broadly.
OWASP Non-Human Identity Top 10 | NHI-01 | Fraud workflows often abuse identity evidence and secrets embedded in verification processes.

Track where identity evidence is stored and reused, then remove persistent trust shortcuts.


Key terms

  • Synthetic Identity: A synthetic identity is a fabricated profile built from a mix of real and invented attributes. In fraud programmes, it can survive basic checks because each component looks plausible, even though the overall identity does not correspond to a genuine person or legitimate entity.
  • Liveness Check: A liveness check is a verification step intended to confirm that a live person is present during onboarding or authentication. In practice, it is one signal among many, and its value drops quickly when attackers can use deepfakes, replay, or presentation attacks to imitate a real user.
  • Telemetry Tampering: Telemetry tampering is the manipulation of the signals a system uses to judge risk, such as device, session, or behavioural data. The attack matters because decision engines often assume those inputs are trustworthy, which allows fraudsters to shape the score instead of merely avoiding it.


This post draws on content published by SumSub: an episode discussing findings from its annual Identity Fraud Report on AI-powered fraud and verification bypass. Read the original.
