By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: Oz ForensicsPublished September 9, 2025

TL;DR: Deepfake fraud attempts rose more than 1,300% in 2024, while the Wall Street Journal reported over $200 million in deepfake scam losses in the first quarter of 2025, according to Oz Forensics and cited sources in its analysis. The identity lesson is that onboarding controls must prove presence, not just likeness, because fraud has industrialised.


At a glance

What this is: This is an analysis of how deepfake-enabled fraud is reshaping digital onboarding, with liveness detection presented as the control that separates real-time presence from replayed or manipulated identity proof.

Why it matters: It matters because IAM, KYC, and fraud teams now need controls that address synthetic media, account takeover, and onboarding abuse without assuming that visual identity evidence is trustworthy.

By the numbers:

👉 Read Oz Forensics' analysis of deepfake fraud and liveness detection


Context

Deepfake fraud is no longer a novelty attack. It is a scalable identity abuse problem that undermines onboarding, transaction approval, and account recovery when organisations treat images, voice, or video as if they were inherently trustworthy.

For IAM and fraud teams, the issue is not only detection quality but trust architecture. Liveness checks, biometric verification, and anti-spoofing controls now sit at the boundary between human identity proofing and automated fraud workflows, where attackers are increasingly buying capabilities as a service.


Key questions

Q: How should security teams handle deepfake risk in digital onboarding?

A: Start by treating liveness as a mandatory trust step, not an optional enhancement. If an onboarding process accepts biometric likeness without proving real-time presence, it can be bypassed with replayed or generated media. Teams should add anti-spoofing checks, step-up review for risky enrollments, and clear controls on when identity issuance is allowed.

Q: Why do deepfakes create such a large fraud problem for IAM teams?

A: Deepfakes undermine the assumption that a captured face, voice, or video is evidence of a live person. That breaks onboarding, recovery, and remote verification flows because the system may trust the media instead of the person. IAM teams have to govern assurance, not just authentication, when identity evidence can be synthetically produced.

Q: What breaks when liveness detection is missing from onboarding flows?

A: Without liveness detection, replay attacks and synthetic media can pass as legitimate identity evidence. That can lead to fraudulent account creation, recovery abuse, and later privilege misuse. The failure is not only technical detection; it is a broken assurance boundary between what is shown and what is actually present.

Q: Who is accountable when deepfake-enabled onboarding fraud succeeds?

A: Accountability sits with the team that owns identity proofing, fraud controls, and downstream access decisions. If a system accepts spoofed media and then issues trusted access, that is a governance failure, not just a user deception event. Clear ownership is needed across IAM, fraud operations, and risk management.


Technical breakdown

Why replayed media defeats traditional identity proofing

Traditional onboarding checks often assume that a captured face or voice sample reflects a live person in the moment of verification. Deepfakes break that assumption by letting an attacker present pre-recorded, generated, or modified media that matches expected visual patterns but not actual presence. The failure is not simply poor image quality. It is a trust model that accepts appearance as evidence without testing for liveness, timing, or interaction cues. In practice, that means a system can approve a synthetic identity or an impersonator using recycled media unless it has explicit anti-spoofing logic built into the proofing flow.

Practical implication: Treat any verification flow that accepts static media as incomplete unless it also tests for real-time presence and replay resistance.

How liveness detection changes the trust decision

Liveness detection adds a proof-of-life step to facial authentication. Rather than asking only whether a face matches a reference image, it checks whether the submission was captured live, in context, and with signals that are difficult to fake at scale. That can include motion, challenge-response behaviour, texture analysis, and contextual consistency across the capture session. The important identity point is that this is not just another biometric feature. It is the control that distinguishes an asserted identity from an actively present one, which matters most when fraud is mediated through digital onboarding or remote verification.

Practical implication: Insert liveness as a gating control before identity creation, credential issuance, or high-risk account recovery.

Fraud-as-a-service makes deepfake abuse repeatable

Deepfake attacks scale because they are increasingly packaged inside fraud-as-a-service ecosystems. That means the barrier to entry is no longer specialised expertise, but access to ready-made tooling, phishing workflows, and AI-assisted impersonation methods. Once the attack is productised, the defender is no longer facing one-off ingenuity. They are facing repeatable playbooks that can be tuned by sector, geography, and target type. This changes how identity programmes should think about risk: the adversary can industrialise both initial enrollment fraud and later account takeover attempts using the same synthetic identity assets.

Practical implication: Assume deepfake abuse will recur as a patterned control problem, not as an isolated incident.


Threat narrative

Attacker objective: The attacker wants to create or hijack a trusted digital identity that can be used for fraud, account access, or financial theft.

  1. entry: The attacker reaches onboarding or transaction flows with generated or replayed facial media designed to mimic a real applicant or account holder.
  2. credential_harvested: The attacker uses synthetic identity evidence to pass proofing checks and obtain an approved identity record, account, or recovery path.
  3. escalation: The attacker leverages that trusted identity to bypass additional verification and access higher-value services or transactions.
  4. impact: The organisation suffers fraud losses, account compromise, or onboarding abuse that appears legitimate in logs and approvals.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Proof of presence is now a core identity control: Digital identity programmes cannot treat face matching or voice matching as sufficient evidence of a real person. Deepfakes break the assumption that appearance implies presence, which means onboarding controls now have to verify liveliness as well as likeness. For practitioners, this shifts biometric assurance from a convenience feature to a governance boundary.

Deepfake fraud exposes a trust gap in remote onboarding: The problem is not only the sophistication of the media, but the fact that many onboarding flows still trust the capture surface before they trust the session. That creates a gap between identity proofing and identity issuance. Teams should recognise that the fraud decision is happening earlier than many control frameworks assume.

Fraud-as-a-service is turning identity impersonation into repeatable infrastructure: When attackers can buy tooling for phishing, deepfakes, and AI-assisted fraud, the threat no longer behaves like a bespoke social engineering case. It behaves like a scalable service model that can be reused across sectors and geographies. The implication is that identity controls must be measurable, repeatable, and designed for adversaries who iterate as quickly as defenders do.

Liveness detection is becoming a boundary control for IAM and fraud operations: In practice, liveness belongs at the point where identity evidence becomes an approved account, not as a decorative extra after the fact. That is especially true where onboarding feeds privileged access, payments, or recovery paths. Practitioners should treat the control as part of assurance governance, not as an optional UX layer.

Deepfake risk now spans human identity and downstream non-human access: A compromised onboarding decision can seed broader identity sprawl, because the same trusted record may later authorize bots, delegated services, or recovery workflows. That connects human proofing failures to NHI exposure. The security lesson is that weak identity proofing can become a machine-access problem later in the lifecycle.

From our research:

  • Organisations maintain an average of 6 distinct secrets manager instances, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which helps explain why trust boundaries often erode faster than teams expect.
  • Deepfake detection should sit alongside lifecycle and secrets controls, as shown in NHI Lifecycle Management Guide, because weak identity proofing can cascade into downstream access risk.

What this signals

Proof-of-presence is becoming a governance signal, not just a biometric feature: As onboarding attacks get cheaper to produce, identity teams need measurable evidence that a session was live at the time of capture. The practical shift is toward assurance controls that can be audited, tuned, and tied to account issuance decisions rather than treated as UX embellishments.

The broader programme implication is that fraud controls, IAM, and lifecycle governance now overlap earlier in the identity journey. A weak proofing decision can become a lasting access problem, especially when the same identity later touches recovery, payments, or delegated services.

Identity proofing failures now have downstream NHI consequences: When a fraudulent human identity is admitted into the environment, it can seed non-human access paths through automation, API enrollment, or recovery workflows. That makes onboarding quality part of the broader identity perimeter, not a standalone fraud concern.


For practitioners

  • Place liveness before account creation Require a real-time liveness step before issuing a new identity record, recovery path, or high-risk enrollment approval. Do not allow static image or video comparison to be the final trust decision in remote onboarding.
  • Separate proofing from issuance Design onboarding so that a successful biometric match does not automatically create access. Add a second decision point for fraud review, step-up verification, or manual exception handling when risk signals cluster.
  • Test against replay and synthetic media Run controlled red-team exercises using replayed video, manipulated images, and voice cloning to measure where your current capture flow fails. Use the results to tune anti-spoofing thresholds and exception paths.
  • Map identity proofing to downstream privilege Trace every onboarding path into account recovery, payment approval, and delegated access. Where a weak proofing decision can lead to privileged action, add stronger verification and tighter approval rules.

Key takeaways

  • Deepfake fraud is overwhelming traditional onboarding assumptions because appearance no longer proves presence.
  • The scale of the problem is already measurable, with rapid growth in attempts and major financial losses reported in 2025.
  • Liveness detection should be treated as an identity governance control that protects issuance, recovery, and downstream access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing and enrollment assurance are central to deepfake-resistant onboarding.
NIST CSF 2.0PR.AC-1The article centres on identity proofing as an access prerequisite.
NIST SP 800-53 Rev 5IA-4Authenticator and identity proofing controls align with this onboarding trust problem.
GDPRArt.32Biometric identity proofing can involve personal data and security of processing obligations.

Ensure biometric onboarding data is protected with appropriate security of processing controls.


Key terms

  • Liveness Detection: A control that checks whether a biometric capture came from a real person present at the moment of verification. In practice, it uses motion, challenge-response, and anti-spoofing signals to distinguish live capture from replayed, generated, or manipulated media.
  • Identity Proofing: The process of verifying that a person is who they claim to be before an account or credential is issued. For security teams, proofing is a governance decision point, not just a technical check, because its output can create lasting access rights.
  • Deepfake Fraud: Fraud that uses synthetic audio, image, or video to impersonate a real person or create a convincing false identity. It is especially dangerous in onboarding and recovery flows because the attacker can present fabricated evidence that looks operationally legitimate.
  • Proof Of Presence: Evidence that a person was live and participating during a capture or verification event. This matters because identity assurance depends not only on whether the media resembles someone, but whether the subject was actually present when the proof was collected.

What's in the full article

Oz Forensics' full article covers the operational detail this post intentionally leaves for the source:

  • How its liveness detection flow validates real-time capture instead of pre-recorded or manipulated media
  • The specific biometric and machine-learning signals used to distinguish spoofing attempts from live users
  • The product positioning for onboarding and transaction checks across digital identity journeys
  • Examples of how the liveness check fits alongside facial comparison and ID verification

👉 Oz Forensics' full article covers the fraud patterns, liveness mechanics, and onboarding use cases in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org