TL;DR: Deepfake incidents in Asia-Pacific increased by over 1,500% in a single year, while Vietnam recorded a 25.3% jump in deepfake-related fraud incidents, according to Oz Forensics, as fraudsters used cloned faces, voices, and synthetic identities to bypass eKYC and biometric checks. Legacy onboarding controls are now being tested against industrialised impersonation, not just document fraud.
At a glance
What this is: This analysis shows how deepfake-driven identity fraud is eroding trust in digital onboarding, biometric verification, and remote identity checks across Southeast Asia.
Why it matters: It matters because IAM, fraud, and identity teams now have to harden assurance models for both human identities and the systems that verify them, especially where biometrics and remote onboarding are central.
By the numbers:
- The Asia-Pacific saw a 1,530% increase in deepfake cases between 2022 and 2023.
- 25.3%.
👉 Read Oz Forensics’ analysis of deepfake identity fraud in Southeast Asia
Context
Deepfake identity fraud is a digital identity problem, not just a media authenticity problem. When attackers can synthesise faces, voices, and video at scale, the trust assumptions behind remote onboarding, biometric eKYC, and call-centre verification begin to fail.
In Southeast Asia, rapid digital adoption has expanded the number of identity checkpoints that fraudsters can target. The article’s core point is that stronger digital ID programmes can raise assurance, but they also create a high-value attack surface when liveness, injection resistance, and behavioural verification lag behind fraud methods.
Key questions
Q: How should organisations defend biometric onboarding against deepfake fraud?
A: Use layered verification that separates document checks, liveness detection, injection resistance, and behavioural signals. Biometric matching alone is not enough because attackers can present synthetic faces or replayed media that look legitimate. The control objective is to prove a live human is present and that the capture path has not been manipulated.
Q: Why do deepfakes weaken eKYC and remote identity proofing?
A: Deepfakes weaken eKYC because many onboarding flows assume a camera image or voice sample represents a live person. Once synthetic media can be generated convincingly, attackers can pass surface-level checks while hiding identity fabrication behind valid-looking signals. That turns proofing into an adversarial problem, not a compliance checkbox.
Q: What do security teams get wrong about voice and video verification?
A: Teams often treat voice and video as inherently trustworthy because they feel familiar to users and operators. In fraud conditions, they are simply another signal that can be cloned, replayed, or injected. Effective programmes treat them as one factor in a broader trust decision, not as proof on their own.
Q: Who should be accountable when deepfake fraud bypasses onboarding controls?
A: Accountability should sit with the identity, fraud, and governance owners together, because the failure spans proofing, detection, policy, and exception handling. If a programme allows synthetic identities to survive onboarding, the issue is not just a bad transaction. It is a control design gap that should be traced to ownership and oversight.
Technical breakdown
Deepfake fraud against biometric onboarding
Deepfake fraud succeeds when the verification flow treats a face, voice, or video feed as proof of presence without checking whether the signal is live, replayed, or synthetically generated. In remote onboarding, attackers can combine stolen personal data, face-swapped selfies, and injected media to satisfy weak identity proofing steps. Biometric matching alone does not solve this, because matching asks whether the presented face resembles a template, not whether a real person is present. Liveness detection, device integrity, and injection detection exist to close that gap, but they must be designed for adversarial misuse, not routine UX.
Practical implication: Practitioners should treat biometric matching and liveness as separate controls, not a single assurance step.
Synthetic identities and eKYC abuse
Synthetic identity fraud blends real and fabricated data to create accounts that look plausible enough to pass onboarding checks. That pattern matters because eKYC often trusts document validity, database lookups, and face verification as independent signals when they can all be manipulated together. If attackers already possess leaked identity data, they can chain it into account opening, SIM registration, loan applications, or mule creation. The result is not just one failed check but a contaminated identity record that can persist across channels and services.
Practical implication: Identity teams should correlate onboarding signals across channels instead of evaluating each verification step in isolation.
Why voice and video scams bypass traditional identity controls
Voice cloning and deepfake video change the threat from account compromise to real-time impersonation. A fraudster no longer needs to steal a password if they can convince a customer, employee, or operator that the caller is a trusted person. That weakens controls built around recognition, familiarity, and urgency. In practice, the attacker exploits human trust at the point where identity verification is most procedural and least adversarial. This is why behavioural analytics, step-up checks, and out-of-band confirmation remain relevant even when biometric signals are in use.
Practical implication: Security teams should add fraud-resistant escalation paths for high-risk interactions, especially payments and account recovery.
Threat narrative
Attacker objective: The attacker aims to convert synthetic identity into financial fraud, fraudulent account creation, or trusted-channel access.
- Entry occurs when attackers obtain leaked personal data, public footage, or recorded voice samples that can be repurposed into synthetic identity assets.
- Escalation happens when the attacker uses deepfake video, voice cloning, or face-swapped media to satisfy onboarding, customer service, or executive impersonation checks.
- Impact follows when the forged identity is used to open accounts, trigger fraudulent transfers, register SIM cards, or launder access through trusted channels.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Deepfake identity fraud is now an assurance failure, not a fraud edge case. The article shows that attackers are no longer limited to stolen credentials or forged documents. They can manufacture the identity signal itself, which means the real control question is whether onboarding can still distinguish a live subject from a synthetic presentation. Practitioners should treat this as a core identity governance issue, not a niche fraud anomaly.
Biometric verification without injection resistance creates a false sense of certainty. Face matching, voice recognition, and liveness checks are often deployed as if they were interchangeable layers of assurance. They are not. When fraudsters can inject synthetic media or replay captured identity artefacts, the control failure is not merely weak detection, but an overconfident trust model built around a single signal. Practitioners should re-evaluate where biometric confidence is being overstated in onboarding and recovery flows.
Synthetic identity fraud expands the identity blast radius across channels. Once fabricated identity data enters account opening, SIM registration, or lending workflows, the same identity can be reused across multiple services and jurisdictions. That makes this a lifecycle problem as much as an authentication problem, because the false identity can persist after the original verification moment. Teams should design for cross-channel identity correlation, not isolated checkpoint success.
Digital ID expansion increases the value of the verification perimeter. The article makes clear that national digital ID programmes and biometrics can improve assurance, but they also centralise attacker interest around the controls that gate access. That shifts the governance burden toward stronger standards for proofing, recovery, and exception handling. Practitioners should assume the verification perimeter will be probed continuously, not only at onboarding.
Identity governance for fraud now has to include human behaviour, not just system logic. Deepfake scams succeed because urgency, authority, and familiarity still override procedural checks in many customer and employee journeys. That means fraud-resistant identity design must connect technical verification with human decision points, especially where money movement or privileged approval is involved. Practitioners should align identity controls with the social engineering path, not only the technical one.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity blind spots persist even when governance appears mature.
- That visibility gap is one reason the 52 NHI Breaches Analysis remains relevant for teams mapping how weak identity control turns into operational loss.
What this signals
Synthetic identity attacks are converging with identity lifecycle gaps. When fraudsters can create believable people at scale, the challenge is no longer only proving who is real at onboarding. It is also maintaining confidence that the identity remains consistent across recovery, SIM swap, payment approval, and support interactions, which is where many programmes still fragment.
A useful lens here is the identity assurance perimeter. That perimeter now extends beyond the login screen into call centres, mobile apps, and exception workflows, and it fails wherever teams rely on a single high-confidence signal. Practitioners should prepare for more fraud attempts that blend biometric spoofing with social engineering and leaked data, rather than treat these as separate threat classes.
For practitioners
- Separate liveness from matching in onboarding flows Require independent liveness and injection checks before biometric matching is accepted as evidence of presence, especially for remote onboarding and high-value account recovery.
- Correlate identity signals across channels Compare onboarding, SIM registration, payment, and recovery events for the same identity attributes so synthetic identities cannot pass one channel and persist elsewhere.
- Harden escalation paths for high-risk requests Use out-of-band confirmation, step-up verification, and dual approval for transfers, credential resets, and executive impersonation scenarios.
- Review biometric governance at board level Document where biometrics are used, what threat models they cover, and where exception handling allows weaker assurance to override policy.
Key takeaways
- Deepfake identity fraud turns onboarding, recovery, and customer support into adversarial identity checkpoints.
- The regional scale is already material, with APAC deepfake incidents up 1,530% and Vietnam showing a 25.3% rise.
- Fraud-resistant identity programmes now need liveness, injection detection, behavioural analytics, and cross-channel correlation, not biometric matching alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access decisions are central to remote onboarding fraud. |
| NIST SP 800-53 Rev 5 | IA-2 | Biometric onboarding depends on reliable identification and authentication checks. |
| ISO/IEC 27001:2022 | A.5.17 | Authentication information governance applies where identity proofs can be manipulated. |
| GDPR | Art.9 | Biometric identity processing is sensitive personal data in many onboarding flows. |
Pair biometric checks with stronger identification and authentication controls for high-risk workflows.
Key terms
- Deepfake Identity Fraud: The use of synthetic face, voice, or video to impersonate a real person during identity verification or trust-based interactions. In identity programmes, the threat is not only misinformation, but the ability to fabricate presence and bypass verification controls that assume a live subject is on the other end.
- Liveness Detection: A control that checks whether a biometric sample comes from a live subject rather than a replay, photo, mask, or synthetic feed. Its value depends on being adversarially tested, because attackers increasingly target the capture path, not just the matching engine.
- Synthetic Identity: An identity assembled from real and fabricated attributes so it looks legitimate enough to pass onboarding or account creation checks. In fraud programmes, synthetic identities are dangerous because they can persist across channels, accumulate trust, and be reused long after the original verification event.
- Injection Detection: Controls that identify when media or sensor input has been inserted into a verification flow rather than captured directly from the live device. For identity teams, this is critical because sophisticated fraud often bypasses the user interface and attacks the data path beneath it.
What's in the full article
Oz Forensics' full article covers the incident detail and regional regulatory context this post intentionally leaves at a higher level:
- Country-by-country examples of deepfake fraud in Southeast Asia and the tactics used in each case.
- Discussion of biometric eKYC and SIM registration policy responses across Indonesia, Vietnam, Thailand, and Malaysia.
- Operational notes on liveness, behavioural analytics, and injection detection as anti-fraud controls.
- Source references and case citations for the incidents described in the article.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org