TL;DR: Identity fraud is becoming easier to execute at scale, with the report pointing to rising tactics, vulnerable industries, forged documents, deepfakes, and the growing regulatory response, according to Sumsub. The practical challenge is that trust, verification, and fraud controls now have to keep pace with rapidly changing attack methods.
At a glance
What this is: A Sumsub report on identity fraud trends in 2024-2025, with emphasis on tactics, vulnerable sectors, forged documents, deepfakes, and regulatory pressure.
Why it matters: Fraud pressure increasingly intersects with IAM, verification, and lifecycle controls, forcing security teams to treat identity assurance as an operational control rather than a one-time check.
Context
Identity fraud is a governance problem as much as a detection problem. When forged documents, synthetic media, and weak verification processes can be combined into a repeatable attack path, identity teams have to think about assurance across onboarding, account recovery, and access decisions, not just fraud review after the fact.
Sumsub’s report frames 2024-2025 as a period in which fraud is more accessible and more varied, which is exactly why the issue matters to IAM, fraud prevention, and compliance teams together. The operational question is no longer whether identity checks exist, but whether they are resilient enough to withstand low-friction, high-volume abuse.
Key questions
Q: How should security teams reduce identity fraud without blocking legitimate users?
A: Use layered decisioning instead of single-step checks. Combine document verification, behavioural signals, device intelligence, and recovery risk scoring so trust is assessed across the full journey. The goal is not to stop every suspicious event at the first gate, but to make fraud expensive enough that repeated abuse no longer scales.
Q: Why do identity fraud controls fail when they rely on one strong signal?
A: Because attackers adapt to the strongest visible control and then reuse the same trusted identity across recovery, login, and support flows. A single signal can be bypassed, copied, or overloaded. Reliable programmes need multiple signals that can fail independently without collapsing the whole trust decision.
Q: What do security teams get wrong about deepfake-enabled fraud?
A: They often treat deepfakes as a novelty problem instead of a verification economics problem. The real challenge is that synthetic content increases the volume of credible attempts, which drains manual review capacity and makes exception handling less reliable. Controls need to account for scale, not just realism.
Q: Who is accountable when identity fraud succeeds through weak verification?
A: Accountability usually sits across fraud, IAM, customer operations, and compliance because the failure often spans onboarding, recovery, and access governance. Organisations should define ownership for each stage so no team assumes another one is watching the same trust boundary.
Technical breakdown
Identity fraud now blends document abuse, verification bypass, and synthetic media
Modern identity fraud is rarely a single-step event. Attackers can combine forged or altered documents, account takeover, deepfake-enabled impersonation, and weak recovery flows to bypass controls that were designed for simpler threat models. The result is a trust chain that looks valid at the point of check but fails under repeated abuse across onboarding, login, and support interactions. For security teams, the important distinction is between identity proofing and identity assurance over time. Practical implication: reassess verification controls as a lifecycle problem, not a one-time gate.
Fraud controls fail when they rely on static signals instead of behavioural context
Static checks, such as document image validation alone, are increasingly easy to pressure with automation, laundering tactics, or synthetic inputs. Fraud operations need signal layering, where device patterns, velocity, prior account history, jurisdictional risk, and recovery behaviour all contribute to the decision. This is especially important in environments where legitimate users and bad actors use the same digital pathways, because one failed assumption can open a broad abuse window. Practical implication: build decisioning that can adapt when a single signal is no longer trustworthy.
AI changes the economics of identity fraud, not just its appearance
Deepfake generation, text synthesis, and automated impersonation reduce the cost of producing convincing fraud attempts. That does not mean every AI-assisted attack is advanced, only that the volume and variability of attempts increase while human review capacity stays fixed. The practical effect is a wider attack surface for verification teams, especially where manual review is still the final fallback. Practical implication: treat AI-enabled fraud as a scaling problem that demands stronger detection thresholds and escalation logic.
Threat narrative
Attacker objective: Obtain trusted identity status so the attacker can move through verification, account creation, and monetisation paths as if legitimate.
- Entry occurs when an attacker uses forged documents, synthetic media, or manipulated identity evidence to pass an onboarding or verification step.
- Escalation follows when the same identity is reused across recovery, login, or account opening flows, allowing fraud to compound across systems.
- Impact emerges when fraudulent identities obtain financial access, evade controls, or create downstream losses through chargebacks, account abuse, or compliance exposure.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
NHI Mgmt Group analysis
Identity fraud is now an assurance problem, not just a verification problem. Once forged identity evidence can pass initial checks, the real control question becomes whether the programme can sustain trust across recovery, reauthentication, and lifecycle events. That shifts identity work from point-in-time validation to continuous confidence management. Practitioners should treat fraud resilience as part of IAM architecture, not as a separate operational lane.
Fraud scale exposes a verification stack that was built for lower-volume abuse. AI-assisted impersonation and document manipulation increase the number of plausible attempts, which means manual review queues, exception handling, and rule tuning become bottlenecks. The failure mode is not only bad detection, but overload of the human process around detection. Teams should assume that the old review model will be the first control to saturate.
Identity assurance has become a lifecycle discipline across onboarding, recovery, and access. Fraud is no longer isolated to first login or initial KYC. It now follows the user journey into support interactions, credential recovery, and account reuse, where weaker controls often live. That makes lifecycle governance and fraud operations converge in practice, and security leaders should organise accordingly.
Deepfake-enabled fraud creates a named concept: identity trust erosion at scale. The issue is not merely that synthetic content looks real, but that each successful bypass reduces confidence in adjacent controls, making every subsequent review more expensive. Over time, the programme spends more effort proving legitimacy than preventing abuse. Practitioners should measure how much of their identity flow depends on signals that can be cheaply imitated.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- For lifecycle and offboarding implications, see NHI Lifecycle Management Guide for the governance controls that reduce lingering identity risk.
What this signals
Identity fraud is converging with IAM governance because the same trust assumptions that support onboarding also shape recovery and reauthentication. When verification becomes easier to evade, teams need tighter ownership of the full lifecycle, not just the front door.
Identity trust erosion at scale: when synthetic media and forged evidence become cheap to produce, every successful exception makes the next review harder. That is why identity programmes should track not only fraud rates, but the resilience of the verification process itself.
The strongest response is not to add more friction everywhere. It is to design graduated controls so high-risk paths receive stronger scrutiny while ordinary users still move through with minimal disruption.
For practitioners
- Layer verification signals across the identity journey: Combine document checks, device intelligence, velocity controls, and recovery risk scoring so no single signal determines trust on its own.
- Review manual escalation thresholds for fraud operations: Set trigger points for human review based on repeated exceptions, unusual recovery patterns, and high-risk jurisdictions so queues do not become the bottleneck.
- Harden recovery flows as primary fraud targets: Treat password reset, account recovery, and support-assisted changes as high-risk identity events and apply stronger verification than standard login flows.
- Map fraud controls to IAM lifecycle stages: Identify where onboarding, reauthentication, and account maintenance rely on trust assumptions that fraudsters can reuse, then tune controls by stage rather than by channel.
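An added example (not from Sumsub's report or the original post) of the layered, stage-aware decisioning described in the list above and in the section on static signals. The signal names, weights, thresholds and sample sessions are assumptions constructed for illustration.

```python
# Added example: layered, stage-aware identity decisioning.
# All names, weights and thresholds below are assumptions, not report values.
WEIGHTS = {"document": 0.30, "device": 0.25, "velocity": 0.20,
           "history": 0.15, "jurisdiction": 0.10}
# (step_up, deny) risk thresholds per lifecycle stage; recovery is strictest.
THRESHOLDS = {"onboarding": (0.35, 0.65), "login": (0.45, 0.75),
              "recovery": (0.25, 0.50)}
MIN_SIGNALS = 3      # never decide on fewer independent signals than this
HARD_SIGNAL = 0.90   # one very risky signal forces at least a step-up
MAX_EXCEPTIONS = 3   # repeated exceptions go to a human reviewer


def decide(stage, signals, untrusted=frozenset(), prior_exceptions=0):
    """Return (decision, score). signals maps name -> risk in [0, 1], 1 = worst.

    untrusted names signals currently considered unreliable (for example the
    document check during a forgery wave); they are dropped and the remaining
    weights renormalised, so the decision degrades instead of collapsing.
    """
    if stage not in THRESHOLDS:
        raise ValueError(f"unknown stage: {stage}")
    usable = {k: v for k, v in signals.items()
              if k in WEIGHTS and k not in untrusted and 0.0 <= v <= 1.0}
    if prior_exceptions >= MAX_EXCEPTIONS or len(usable) < MIN_SIGNALS:
        return "manual_review", None
    total = sum(WEIGHTS[k] for k in usable)
    score = sum(WEIGHTS[k] * v for k, v in usable.items()) / total
    step_up, deny = THRESHOLDS[stage]
    if score >= deny:
        return "deny", score
    if score >= step_up or max(usable.values()) >= HARD_SIGNAL:
        return "step_up", score
    return "allow", score


# Constructed sample sessions (not real data).
BORDERLINE = {"document": 0.1, "device": 0.5, "velocity": 0.4,
              "history": 0.2, "jurisdiction": 0.3}
CLEAN_DOC_ONLY = {"document": 0.0, "device": 0.9, "velocity": 0.8,
                  "history": 0.7, "jurisdiction": 0.6}

if __name__ == "__main__":
    print(decide("login", BORDERLINE))          # ordinary login
    print(decide("recovery", BORDERLINE))       # same signals, recovery flow
    print(decide("onboarding", CLEAN_DOC_ONLY)) # clean document, risky context
    print(decide("login", BORDERLINE, untrusted={"document"}))
```

The same borderline session is allowed at login but stepped up in the recovery flow, and a clean document result cannot by itself produce an allow when the other signals are risky.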
Key takeaways
- Identity fraud now reaches beyond onboarding and becomes a lifecycle governance issue across recovery and access.
- AI-assisted fraud increases the volume of credible attempts, which can overwhelm manual review even when individual controls still work.
- Security teams should use layered identity assurance, stronger recovery controls, and stage-specific governance to reduce fraud without breaking user experience.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and assurance are central to fraud-resilient verification. |
| NIST SP 800-63 | | The report’s themes align with digital identity proofing and authentication assurance. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Adaptive trust decisions support least-privilege access when identity confidence changes. |
Review proofing and reauthentication flows against NIST 800-63 assurance expectations.
Key terms
- Identity Assurance: Identity assurance is the confidence an organisation has that a digital identity is real, current, and being used by the right person. It goes beyond initial verification and includes ongoing checks during login, recovery, and account changes to reduce fraud risk.
- Identity Fraud: Identity fraud is the misuse of personal or account identity evidence to obtain unauthorised access, financial benefit, or trusted status. It often combines forged documents, impersonation, account recovery abuse, and automation to bypass controls that were designed for lower-volume threats.
- Verification Stack: A verification stack is the set of controls used to decide whether an identity can be trusted. In practice it may include document checks, device signals, behavioural analysis, and manual review, and its resilience depends on how well those controls work together under attack.
- Recovery Flow: A recovery flow is the process used to regain access to an account after credentials are lost or compromised. It is a high-risk identity path because attackers often target it once they know the primary login controls are harder to defeat.
This post draws on content published by Sumsub: Identity Fraud Report 2024-2025. Read the original.
Published by the NHIMG editorial team on 2026-06-08.