TL;DR: Identity fraud more than doubled from 1.1% of verifications in 2021 to 2.6% in 2024, deepfakes rose 4x, and account takeover attacks surged 250% year over year, according to Sumsub’s 2024 Identity Fraud Report. The operative lesson is that static onboarding controls no longer match fraud that now concentrates during ongoing account use.
At a glance
What this is: Sumsub’s 2024 Identity Fraud Report shows fraud is becoming cheaper, more automated, and more persistent across the identity lifecycle.
Why it matters: IAM, fraud, and security teams need to treat identity risk as a continuous control problem, not just a verification problem at sign-up.
By the numbers:
- Three-quarters (76%) of fraud occurs during ongoing account use, highlighting the need for continuous checks beyond KYC.
- The global average identity fraud rate more than doubled over three years, growing from 1.1% of all verifications in 2021 to 2.6% in 2024.
- Account takeover (ATO) attacks have become one of the most damaging forms of fraud, and ATO cases surged by 250% YoY.
- Deepfakes detected worldwide increased 4x from 2023 to 2024.
Context
Digital identity fraud is no longer confined to the onboarding moment. The report shows that attacks now combine forged documents, account takeover, deepfakes, and fraudulent networks, which means identity assurance has to extend through the full session and account lifecycle, not just the first verification checkpoint.
For IAM and fraud teams, this shifts the problem from point-in-time identity proofing to continuous identity trust. The report’s own numbers show why programmes built around one-time KYC checks, static risk scoring, and delayed review cycles struggle when fraud is happening after access is already granted.
Key questions
Q: How should security teams handle identity fraud after onboarding is complete?
A: They should treat onboarding as only the first control point and move fraud detection into the active account lifecycle. That means monitoring login patterns, recovery events, payment changes, and behavioural drift. If fraud controls stop at verification, attackers can exploit trusted sessions long after the original check has passed.
Q: Why do deepfakes make identity verification less reliable?
A: Deepfakes weaken the assumption that visual or voice-based cues reliably prove who is on the other side of the screen. They can be combined with stolen data, scripted responses, and fake documents to pass controls that were built for human-originated signals. Identity assurance has to add provenance and liveness checks.
Q: When should organisations move from KYC to continuous identity monitoring?
A: They should do it whenever the business depends on account activity after sign-up, especially in financial services, marketplaces, gaming, and digital media. If the risk appears during ongoing use rather than at enrolment, KYC alone is structurally incomplete. Continuous monitoring becomes the main control boundary.
Q: Who is accountable when account takeover and synthetic identity fraud occur?
A: Accountability usually sits across fraud, IAM, security, and product teams because the failure spans onboarding, session trust, and action-level controls. In practice, the owner should be the team that can change the decision point where abuse becomes possible. Shared risk does not mean shared inaction.
Technical breakdown
Fraud-as-a-service turns identity abuse into a scalable supply chain
Fraud-as-a-service describes the outsourcing of parts of a fraud operation, such as document creation, account seeding, proxy infrastructure, or callback handling, to specialists. That changes fraud from a single actor problem into a distributed service model with role separation and repeatable workflows. Defenders then face modular abuse patterns rather than isolated bad sign-ups. The operational challenge is that each layer may look benign on its own, but together they create a persistent fraud pipeline that can be reused across platforms and regions.
Practical implication: Map fraud controls to the full abuse chain, not just to front-door verification.
Deepfakes extend identity impersonation beyond documents
Deepfakes are synthetic images, voice, or video used to impersonate a real or fabricated identity. They matter because they undermine controls that assume visual, biometric, or conversational cues are trustworthy. As generation quality improves, the attacker no longer needs perfect documents alone. They can blend synthetic media with stolen personal data and scripted interaction to pass checkpoints that were designed for human behavior, not machine-generated deception.
Practical implication: Add liveness, provenance, and cross-channel verification where identity confidence matters most.
Continuous account abuse beats one-time verification
The report’s strongest operational signal is that most fraud occurs during ongoing account use. That means the attacker has already passed the initial gate and is now exploiting session trust, recovery flows, payment actions, or behavioural drift. In identity terms, the risky state is not just account creation, but persistence. Continuous monitoring becomes necessary because the real abuse window opens after onboarding and often after normal controls have stopped watching.
Practical implication: Extend fraud detection, step-up checks, and behavioural monitoring into active sessions and high-risk actions.
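A minimal sketch of that kind of post-onboarding step-up check, added here as an illustration and not taken from Sumsub's report or any product. The class name, signal weights, thresholds and the replayed events are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed policy: weights and thresholds are illustrative assumptions.
HIGH_RISK = {"transfer", "payment_change", "profile_edit", "recovery"}
STEP_UP, BLOCK = 40, 80
Event = namedtuple("Event", "account action device country at")

class SessionTrust:
    """Keeps a per-account baseline and scores each post-onboarding event."""
    def __init__(self):
        self.devices, self.countries, self.last_recovery = {}, {}, {}

    def score(self, e):
        devs = self.devices.setdefault(e.account, set())
        ctys = self.countries.setdefault(e.account, set())
        s = 0
        if devs and e.device not in devs:
            s += 30  # behavioural drift: device never seen on this account
        if ctys and e.country not in ctys:
            s += 20  # unseen geography
        rec = self.last_recovery.get(e.account)
        if rec and e.at - rec <= timedelta(hours=24):
            s += 30  # recovery flow used recently, inherited trust is suspect
        if e.action in HIGH_RISK:
            s += 20  # action-level sensitivity
        return s

    def decide(self, e):
        s = self.score(e)
        verdict = "block" if s >= BLOCK else "step_up" if s >= STEP_UP else "allow"
        if e.action == "recovery":
            self.last_recovery[e.account] = e.at  # attempts count as a signal
        if verdict == "allow":  # only trusted events extend the baseline
            self.devices[e.account].add(e.device)
            self.countries[e.account].add(e.country)
        return verdict

def replay_sample():
    # Constructed events for one account: (action, device, country, minute offset)
    t0 = datetime(2024, 1, 1, 9, 0)
    rows = [("login", "dev-A", "DE", 0), ("transfer", "dev-A", "DE", 5),
            ("recovery", "dev-B", "DE", 4320), ("payment_change", "dev-B", "BR", 4330)]
    trust = SessionTrust()
    return [trust.decide(Event("acct-1", a, d, c, t0 + timedelta(minutes=m)))
            for a, d, c, m in rows]
```

The account passes its first login and transfer cleanly; the recovery from an unseen device three days later triggers step-up, and the payment change that follows it from a new country is blocked.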
Threat narrative
Attacker objective: The attacker wants to convert a seemingly verified identity into repeatable monetisation across accounts, payments, or platform abuse.
- Entry begins with forged documents, deepfakes, or synthetic identities that get the attacker through onboarding and initial verification.
- Escalation happens during ongoing account use when the fraudster leverages account takeover, recovery abuse, or trusted-session activity to bypass weaker checks.
- Impact lands as repeated fraudulent transactions, network abuse, and scaled monetisation through fraud-as-a-service operations.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
NHI Mgmt Group analysis
Continuous identity trust is now the real control boundary. The report shows that 76% of fraud occurs during ongoing account use, which means the decisive failure is not just weak onboarding but weak post-verification governance. KYC can prove a person or account existed at one moment, but it does not preserve trust across sessions, recovery paths, or account actions. Practitioners should treat fraud as a lifecycle problem, not a sign-in problem.
Fraud-as-a-service creates an industrialised identity abuse model. The market has moved from opportunistic fraud to reusable service chains that specialise in document forgery, synthetic media, proxying, and account exploitation. That changes the defender’s job from blocking single events to disrupting repeatable fraud infrastructure. NHI and IAM teams should recognise the same structural pattern they see in secrets abuse and credential stuffing: the attack surface becomes a service economy.
Deepfake detection alone is not a sufficient trust model. A fourfold rise in deepfakes does not just add a new input to existing fraud screens. It breaks the assumption that identity signals are stable, human-originated, and easy to attribute. The named concept here is post-verification identity drift: the point at which an identity that looked valid at enrolment becomes untrustworthy during use. Security teams need to measure whether trust decays after the first check, not just whether sign-up was clean.
Fraud and IAM are converging on the same governance questions. The report’s findings about account takeover, continuous use, and synthetic impersonation make identity fraud a broader identity governance issue, not a narrow fraud-team concern. Access, assurance, and monitoring are now linked across human identity, device signals, and machine-assisted abuse. Practitioners should stop separating fraud controls from identity architecture, because the attack patterns already do not respect that boundary.
The economics matter because scale has collapsed the attacker cost curve. If a fraudster can turn a relatively small investment into large monthly losses, the control problem is no longer about raising individual attack cost alone. It is about making reuse, automation, and operational scale unprofitable. That is why identity programmes need stronger lifecycle controls, not just stronger checkpoints, and why continuous enforcement is now a board-level risk issue.
From our research:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
- For adjacent guidance on lifecycle enforcement, see the NHI Lifecycle Management Guide, which covers provisioning, rotation, and offboarding across identity types.
What this signals
Post-verification identity drift will become a more useful operating concept for fraud and IAM teams than traditional onboarding-centric assurance. When most abuse occurs after the initial check, programme owners need controls that watch identity quality decay across sessions, not just trust at creation.
The strongest signal for practitioners is that fraud and identity governance are converging operationally. If your environment still treats verification, access, and fraud response as separate disciplines, the gaps now show up in account takeover, synthetic identity abuse, and recovery-flow exploitation rather than at the login screen.
Teams should expect higher pressure to instrument continuous trust checks across the lifecycle, especially where a single account can move money, impersonate a user, or trigger sensitive workflows. That makes account monitoring, step-up policy, and lifecycle governance part of the same control design, not separate programmes.
For practitioners
- Extend fraud controls beyond onboarding: Treat verification as the first gate, then add monitoring for login behaviour, recovery events, payment changes, and high-risk account actions.
- Add provenance checks for synthetic media: Require stronger liveness and source validation where documents, selfie checks, voice, or video materially affect trust decisions.
- Tune step-up controls to active sessions: Trigger re-authentication or additional verification when account behaviour changes, especially during transfers, profile edits, and recovery flows.
- Separate fraud signals from static identity proofing: Review which signals only help at signup and which remain useful during the account lifecycle, then align them to the correct control point.
Key takeaways
- Identity fraud is shifting from one-time onboarding failures to continuous account abuse, which makes lifecycle controls more important than static verification alone.
- Deepfakes and fraud-as-a-service reduce attacker cost and increase scale, so identity programmes now need layered detection across documents, media, sessions, and recovery flows.
- Practitioners should align fraud, IAM, and security controls around post-verification trust, because the abuse window increasingly opens after access has already been granted.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Identity proofing must extend beyond signup when fraud occurs during active use. |
| NIST SP 800-63 | | Identity assurance and fraud resistance both depend on stronger proofing and recovery controls. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification aligns with zero trust when trust cannot be assumed after enrollment. |
Add continuous assurance checks for high-risk account actions, not just onboarding verification.
Key terms
- Fraud-as-a-service: A criminal operating model where fraud capabilities are packaged and sold like a service, such as fake documents, bot infrastructure, or account access tooling. It lowers the barrier to scale because attackers can specialise, outsource, and reuse parts of the fraud chain instead of building everything themselves.
- Deepfake: Synthetic audio, image, or video content generated to imitate a real person or fabricate a believable identity signal. In identity and fraud contexts, deepfakes matter because they can defeat human judgment and weaken controls that assume the person, face, or voice presented during verification is genuine.
- Account takeover: A form of identity abuse where an attacker gains control of an existing account and acts as the legitimate user. The risk is often greater than new account fraud because the attacker inherits trust, history, and sometimes recovery paths, which can delay detection and enable repeated abuse.
- Continuous identity monitoring: A control approach that evaluates identity trust after initial verification, during active sessions and high-risk actions. It is designed for environments where the meaningful risk occurs after onboarding, so trust must be rechecked as behaviour, context, or transaction patterns change.
This post draws on content published by Sumsub: Rise of Fraud-as-a-Service, deepfakes surging 4x and more 2024 digital fraud trends uncovered in 4th annual Identity Fraud Report. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org