By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: SiftPublished September 16, 2025

TL;DR: UK businesses lost over £1.2 billion to fraud in 2024 as attackers used device manipulation, synthetic identities, behavioural mimicry, and social engineering to bypass static controls, according to Sift. Fraud detection now depends on layered monitoring across the customer journey, because legacy rule sets cannot keep pace with identity-led attack patterns.


At a glance

What this is: This is a fraud-detection guide that argues modern digital fraud is increasingly driven by behavioural, device, and identity signals rather than simple transaction thresholds.

Why it matters: It matters to IAM and identity-verification practitioners because fraud controls now intersect with account lifecycle, authentication, KYC, and step-up verification decisions.

By the numbers:

👉 Read Sift's guide to fraud detection best practices for UK businesses


Context

Fraud detection has moved beyond simple rules that flag an unusually large payment or an obvious mismatch. Attackers now blend device spoofing, behavioural mimicry, synthetic identities, and social engineering to look legitimate long enough to trigger loss.

For IAM, identity verification, and NHI-adjacent programmes, the key issue is that trust signals are being used across the full customer journey, not only at sign-up. That means authentication, account recovery, risk scoring, and step-up checks all become part of fraud governance rather than isolated controls.


Key questions

Q: How should organisations layer fraud controls across the customer journey?

A: They should combine identity proofing, device intelligence, behavioural analytics, velocity checks, and ongoing monitoring instead of relying on onboarding alone. The key is to place different controls at different decision points, such as sign-up, login, profile change, and payment. That reduces the chance that one bypass gives the attacker a clean path through the whole journey.

Q: Why do synthetic identities create such persistent fraud risk?

A: Synthetic identities can pass early checks because they are built to look consistent enough for first-line verification. Once opened, they can age, build trust, and later be used for account takeover or fraud monetisation. The risk is persistent because the account may look legitimate until the attacker decides to act.

Q: What signals show that fraud controls are missing real abuse patterns?

A: Look for repeated logins, rapid profile edits, unusual transaction bursts, device reuse across many accounts, and users who appear new but behave with scripted consistency. If these patterns are frequent but rarely challenge the attacker, your signals are not being converted into effective action. Detection must change decisions, not just produce alerts.

Q: How should fraud teams and IAM teams share responsibility for step-up decisions?

A: Fraud teams should own the risk evidence and IAM teams should own the policy action, with both sides agreeing on when a user is challenged, blocked, or routed for review. Shared ownership prevents gaps where suspicious behaviour is detected but no access control changes follow. This is especially important for account recovery and payment workflows.


Technical breakdown

How behavioural analytics and velocity checks expose fraud rings

Behavioural analytics look at interaction patterns such as typing cadence, session flow, navigation speed, and device handling to detect activity that is difficult for a human or bot farm to imitate consistently. Velocity checks add a temporal lens by spotting repeated logins, rapid profile edits, or bursts of payments that exceed normal customer behaviour. Together, these controls help identify automation, session hijacking, and coordinated fraud operations before losses materialise. Their value increases when they are correlated with device intelligence and account history, because any single signal can be ambiguous.

Practical implication: combine behavioural data with device and account signals before triggering step-up verification or manual review.

Why synthetic identities and deepfake IDs defeat static onboarding rules

Synthetic identity fraud works because the fraudster can assemble a profile that is internally consistent enough to pass first-line checks, often by blending real and fabricated data. Deepfake or AI-generated documents raise the same problem for document verification: a visual match is not the same as verified trust. Once such identities are opened, they can be left dormant, build credibility, and later be used for account takeover or bust-out fraud. Static onboarding rules struggle here because they only inspect the first interaction, not the long-tail behaviour that reveals fraud intent.

Practical implication: treat onboarding as the start of identity assurance, not the end, and continue monitoring dormant and low-activity accounts.

How risk-based authentication links fraud detection to identity governance

Fraud detection becomes materially stronger when it informs authentication decisions, account recovery, and customer verification flows. Risk-based authentication uses context such as device reputation, geolocation anomalies, and behavioural deviation to decide whether to allow access, challenge the user, or escalate to stronger proofing. That creates an identity governance bridge: the organisation is not only detecting suspicious behaviour, it is also deciding how much trust to grant in the moment. This matters because fraud teams and IAM teams often operate on different signals, even though the same session can expose both account compromise and payment risk.

Practical implication: align fraud telemetry with IAM policy so access challenges reflect real-time risk rather than fixed thresholds.


Threat narrative

Attacker objective: The attacker aims to convert a believable digital identity into financial gain while staying below behavioural and device-based detection thresholds.

  1. Entry occurs through synthetic accounts, stolen credentials, or AI-generated identity artefacts that pass weak onboarding checks.
  2. Credential or trust abuse follows when the attacker uses device farms, proxies, or behavioural mimicry to avoid detection and gain session confidence.
  3. Impact arrives through account takeover, fraudulent payments, authorised push payment scams, or coordinated bust-out activity.

NHI Mgmt Group analysis

Fraud detection is now an identity governance problem, not just a scoring problem. The article shows that account trust is being shaped by device, behaviour, and proofing signals across the journey. That pushes fraud teams closer to IAM, because the real decision is how much identity confidence to grant at each step. Practitioners should treat fraud telemetry as part of access governance, not a separate after-the-fact control.

Identity verification alone does not defeat modern fraud because the attacker is testing the boundary between proofing and persistence. Synthetic identities and AI-generated documents can look credible at onboarding, then age into trusted accounts. That creates a verification trust gap where the organisation validates the front door but not the continuing legitimacy of the account. Practitioners should assume that ongoing trust decay is a normal fraud pattern.

Behavioural analytics is becoming the control that distinguishes human intent from fraud automation. The article’s emphasis on device farms, emulators, and velocity spikes reflects a broader market shift away from static rules. In practice, this is where fraud detection starts to overlap with bot management, access risk, and session assurance. Practitioners should prioritise signals that are hard to replay at scale.

Risk-based authentication is the clearest bridge between fraud prevention and IAM policy. If risk scores do not change whether a user is challenged, stepped up, or blocked, detection is informational rather than operational. The mature model is policy-driven: detection evidence changes the trust decision in real time. Practitioners should align fraud thresholds with authentication policy and recovery workflows.

Layered defence is the only defensible model because no single signal can separate legitimate customers from organised fraud. Device intelligence, behavioural analytics, shared fraud records, and ML models each fail in different ways. The strategic lesson is governance, not tool accumulation: teams need to know which control owns which decision. Practitioners should document decision rights across fraud, IAM, and customer operations.

What this signals

Fraud programmes are moving closer to identity governance because the decision is no longer simply whether an account looks risky. The real question is whether the organisation can continue trusting a session after the first successful proofing event, especially when attackers can manufacture clean-looking identities at scale.

Verification trust gap: this is the widening space between initial identity proofing and sustained account legitimacy. Teams that only optimise onboarding will miss the later-stage behaviours that expose synthetic identities, account takeovers, and authorised fraud. Aligning fraud telemetry with IAM policy is becoming a core programme design choice, not a specialist add-on.


For practitioners

  • Implement layered fraud signals across the journey Combine device fingerprinting, behavioural analytics, IP reputation, and velocity checks at onboarding, login, profile change, and payment stages so a single bypass does not clear the full journey.
  • Tie fraud scores to access decisions Use risk evidence to drive step-up authentication, transaction holds, or recovery friction instead of treating fraud detection as a reporting-only function.
  • Monitor dormant accounts and low-activity users Review accounts that appear clean but have little recent activity, because synthetic identities often age quietly before monetisation or account takeover.
  • Tune review thresholds to reduce false positives Measure abandonment, manual review volume, and customer complaint rates so stronger controls do not create avoidable churn or push users into unsupported channels.

Key takeaways

  • UK fraud loss is being driven by identity-led attacks that blend behavioural mimicry, device manipulation, and synthetic identities.
  • Static rules and one-time onboarding checks are no longer enough because fraud now unfolds across the full customer journey.
  • The practical response is tighter alignment between fraud signals, authentication policy, and ongoing identity assurance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing is central to synthetic identity and onboarding risk.
NIST CSF 2.0PR.AA-01Authentication and access assurance underpin fraud-resistant account control.
GDPRArt.32Identity and fraud signals often involve personal data processing and security safeguards.

Map fraud-triggered step-up actions to authentication policy and review access decisions after anomalies.


Key terms

  • Synthetic Identity Fraud: Synthetic identity fraud is the creation of a false identity using a blend of real and fabricated data. The profile may look legitimate enough to pass onboarding checks, then age over time until it is used for account takeover, lending abuse, or payment fraud.
  • Behavioural Analytics: Behavioural analytics is the analysis of how a user interacts with a device, session, or application to spot patterns that deviate from normal human behaviour. It is used to detect bots, impersonators, and scripted fraud that can evade static rules.
  • Velocity Check: A velocity check measures how fast repeated actions occur, such as logins, profile updates, or payments. High-speed repetition can indicate automation, account abuse, or coordinated fraud, especially when combined with device and identity signals.

What's in the full article

Sift's full post covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of the fraud detection stack, including where device fingerprinting, behavioural analytics, and velocity checks fit in production workflows.
  • Examples of emerging fraud tactics such as device emulation, deepfake IDs, mobile app fraud, proxy obfuscation, and fraud-as-a-service operations.
  • A feature-by-feature explanation of how to balance false positives, abandonment rates, and real-time risk decisions without overblocking legitimate users.
  • Implementation guidance on linking fraud evidence to Strong Customer Authentication and reporting suspicious activity.

👉 Sift's full article covers the detection layers, emerging attack types, and balancing controls with user experience.

Deepen your knowledge

NHI Mgmt Group covers identity security, NHI governance, and agentic AI through independent research, practitioner guides, and the NHI Foundation Level course, the industry's only accredited NHI security programme. Explore the course if your role spans access governance, identity assurance, or machine identity risk.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org