TL;DR: Deepfakes have become easier to create and harder to distinguish from real users, with one 2023 study cited by Prove reporting that 66% of cybersecurity professionals encountered deepfake attacks and finance security leaders showing 92% concern. The core problem is that selfie-based onboarding assumes visual identity signals remain trustworthy, and that assumption is breaking.
At a glance
What this is: This is an analysis of how deepfakes are undermining digital onboarding and why visual verification is no longer a reliable control for identity proofing.
Why it matters: It matters because IAM, fraud, and customer onboarding teams need verification methods that can resist synthetic media without creating avoidable friction for real users.
By the numbers:
- 66% of cybersecurity professionals reported encountering deepfake attacks within their organizations.
- 92% of finance security leaders expressing deep concern about the impact of deepfakes.
- 10 times globally between 2022 and 2023.
- North America experienced a 1740% increase in deepfake fraud.
👉 Read Prove Identity's analysis of deepfake fraud and onboarding risk
Context
Deepfake fraud is a user identity problem that now sits directly inside digital onboarding. The control failure is not just that synthetic media exists, but that many onboarding flows still trust faces, voices, and urgent human prompts more than stronger possession and network signals.
For identity teams, the issue is the gap between frictionless acquisition and trustworthy proofing. When organisations optimise for speed first, they often preserve attack paths that deepfakes are specifically designed to exploit, especially in customer onboarding and financial approval workflows.
Key questions
Q: How should security teams handle deepfake risk in identity workflows?
A: Security teams should treat deepfakes as a trust and verification problem inside identity workflows. The right response is to require out-of-band verification for high-risk actions, separate request initiation from approval, and harden help-desk and finance procedures so a convincing voice or video cannot authorize access on its own.
Q: Why do deepfakes create more risk than ordinary identity fraud?
A: Deepfakes compress the time needed to impersonate a real person and make the attack look legitimate at the exact moment trust is granted. That means controls built for post-event review or manual judgment often react too late, especially in onboarding, recovery, and high-risk approvals.
Q: What do organisations get wrong about liveness detection?
A: Organisations often treat liveness detection as proof of identity when it only addresses one part of the problem. A system can recognise a real face and still be fooled by injected video, tampered endpoints, or replayed streams. The mistake is assuming a single biometric check covers the whole assurance chain.
Q: Who should own fraud controls when IAM and fraud teams overlap?
A: Ownership should sit with the team accountable for the decision point, while IAM, fraud, and compliance all contribute the signals and policy. If one group owns alerts and another owns action, attackers exploit the gap. Shared governance matters more than shared tooling.
Technical breakdown
Why selfie-based identity proofing fails against deepfakes
Selfie capture and liveness checks were built to distinguish a present human from a static image or replayed recording. Deepfakes change the threat model because they can generate realistic motion, speech, and facial cues that satisfy superficial checks without proving the person is genuine. The weakness is not only in image quality, but in the assumption that visual proof can stand alone as an identity signal. In fraud operations, that creates a brittle trust layer that attackers can target at scale.
Practical implication: treat visual verification as one signal in a broader proofing chain, not as the sole trust gate for onboarding.
Phone-centric verification as a stronger possession signal
Phone-centric verification shifts trust from appearance to device ownership and correlated telemetry. By using network signals, device attributes, and behavioural context, it ties identity proofing to something harder to forge than a synthetic face or voice. This is not the same as making onboarding slower. The mechanism improves assurance because the attacker must now compromise multiple layers of evidence, not just generate convincing media. That changes the economics of fraud attempts.
Practical implication: move high-risk onboarding decisions toward possession-based and telemetry-based checks where visual proof has become unreliable.
Deepfake fraud and synthetic identity attacks
Deepfakes are increasingly being used inside broader synthetic identity fraud, business email compromise, impersonation, and extortion campaigns. The common pattern is that attackers blend real and fabricated attributes to defeat trust decisions that were never designed to validate consistency across channels. Once fraud teams allow a single persuasive interaction to override weaker controls, deepfakes become an accelerant for many identity abuse paths. The problem is not isolated to one channel, but to the trust model behind onboarding itself.
Practical implication: re-evaluate which onboarding decisions can be made on single-channel evidence and which require cross-signal verification.
Threat narrative
Attacker objective: The attacker wants to convince the organisation that a fabricated identity is real enough to pass onboarding or trigger an authorised action.
- Entry occurs when a fraudster introduces synthetic audio, video, or mixed-media identity evidence into onboarding or approval workflows.
- Escalation follows when the organisation trusts the deepfake enough to issue access, open an account, or approve a financial transfer.
- Impact is realised through account creation, payment diversion, impersonation, or broader fraud that damages revenue and customer trust.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Visual identity proofing is now an exposed assumption, not a sufficient control. Deepfakes do not merely make onboarding harder to operate, they break the premise that a face, voice, or short video can reliably represent a legitimate user. That premise was already weak for high-risk workflows, and synthetic media makes it structurally unreliable. Practitioners should treat this as a proofing architecture problem, not a usability trade-off.
Phone-centric verification reflects a more durable trust model because it binds identity to possession and context. Device ownership, network metadata, and behavioural signals are harder to counterfeit together than visual cues alone. This shifts onboarding away from a single persuasive artifact and toward evidence that can be correlated across channels. For IAM and fraud teams, that is the real control change: the trust decision becomes harder to spoof without becoming unusable for legitimate users.
Deepfake fraud is converging with broader identity attack paths, which makes onboarding a control boundary. Business email compromise, synthetic identity fraud, and extortion all benefit when early-stage verification is too permissive. The named concept here is onboarding trust collapse: when the organisation cannot reliably distinguish a real user from a fabricated one, every downstream access decision inherits that uncertainty. The implication is that onboarding now functions as a security control surface, not only a conversion funnel.
Frictionless experience remains important, but it cannot be the primary design constraint for high-assurance identity proofing. The article reflects a broader pattern across IAM and fraud operations: when speed dominates design, attackers target the weakest signal that still satisfies the workflow. Identity programmes should separate low-risk convenience paths from high-risk assurance paths. That distinction is becoming essential for consumer identity, financial onboarding, and any workflow where impersonation can produce irreversible impact.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to our Ultimate Guide to NHIs.
- For a broader control baseline, review Ultimate Guide to NHIs , Key Challenges and Risks for the governance gaps that compound identity exposure.
What this signals
Onboarding trust collapse: deepfakes are forcing identity programmes to separate visual persuasion from real assurance. Teams that still rely on selfie checks or voice prompts as primary proof points will keep inheriting fraud risk into account opening, recovery, and approval flows.
The next control question is not whether deepfakes exist, but which journeys still let one channel decide too much. That is where fraud, IAM, and customer operations need shared policy, shared telemetry, and a clearer risk tiering model for identity proofing.
For a baseline on non-human identity exposure and the wider identity control problem, the governance lesson from Ultimate Guide to NHIs , Why NHI Security Matters Now remains relevant: identity risk compounds when the organisation cannot verify what it is trusting.
For practitioners
- Replace visual-only proofing for high-risk flows Move onboarding decisions for higher-risk users or transactions away from selfie or video dependence and toward device ownership, network signals, and behavioural context.
- Tier verification by transaction risk Use stronger identity proofing only where the account opening, payment, or approval consequence justifies it, and keep lower-friction checks for lower-risk journeys.
- Cross-check identity evidence across channels Require consistency between device, network, and user behaviour before accepting identity claims in onboarding or account recovery.
- Train fraud and IAM teams on synthetic media failure modes Update playbooks so reviewers understand how deepfake audio and video can mimic urgency, authority, and legitimacy in real workflows.
- Map deepfake exposure to onboarding controls Review where identity proofing still depends on visual cues and identify the steps where a fabricated face or voice could trigger irreversible access or payment actions.
Key takeaways
- Deepfakes turn visual onboarding signals into unreliable trust inputs, which weakens common identity proofing patterns.
- The article cites 66% of cybersecurity professionals encountering deepfake attacks and 92% of finance security leaders expressing concern, showing the problem is already operational.
- Teams should shift high-risk verification toward possession, telemetry, and cross-channel evidence before synthetic media becomes a routine fraud path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control are central to onboarding trust decisions. |
| NIST SP 800-53 Rev 5 | IA-2 | Identity verification before account creation maps directly to authenticator and proofing controls. |
| NIST Zero Trust (SP 800-207) | Zero trust relies on continuous verification, which deepfakes pressure at the identity boundary. | |
| GDPR | Art.32 | Where onboarding involves personal data, security of processing and proofing integrity are relevant. |
Review IA-2 implementations to ensure strong proofing for high-risk onboarding and recovery flows.
Key terms
- Deepfake: Synthetic or altered media created with AI or machine learning so that a person appears to say or do something they never did. In security terms, deepfakes are trust attacks that can distort identity verification, approval workflows, and fraud detection.
- Identity Proofing: Identity proofing is the process of establishing that a person, account holder, or applicant is who they claim to be before access is granted. In digital onboarding, it must combine evidence sources strong enough to resist impersonation and synthetic media.
- Phone-Centric Verification: Phone-centric verification is an identity verification approach that relies on device ownership, network signals, and correlated user context instead of visual cues. It increases assurance by binding the identity claim to harder-to-forge evidence.
- Synthetic Identity Fraud: Synthetic identity fraud combines real and fabricated attributes to create a convincing false identity that can pass weak verification steps. It often uses multiple channels, including deepfakes, to make fraudulent onboarding appear legitimate.
What's in the full article
Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:
- A practical explanation of why phone-centric verification changes onboarding assurance compared with selfie-based checks
- Examples of how device ownership and network data support identity verification in real workflows
- The fraud scenarios where synthetic media most often defeats traditional visual proofing
- The source article's own framing of customer experience trade-offs when moving away from face-based onboarding
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org