TL;DR: Three rising identity fraud patterns are emerging in 2025: generative AI video reenactments, serial fraud through reused biometrics and PII, and organised account takeover using the same devices across sessions, according to Incode. The finding underscores that verification systems need cross-session analysis, device intelligence, and real-time correlation, not one-step checks alone.
At a glance
What this is: This is Incode’s analysis of three 2025 fraud patterns, with AI-generated video reenactments, serial identity reuse, and device-linked account takeover emerging as the main risks.
Why it matters: It matters because identity and fraud teams need controls that detect cross-session abuse, repeated device use, and biometric reuse across onboarding, authentication, and recovery flows.
By the numbers:
- Fraud in the USA has seen growth by 0.8%, which was contributed by this emerging type of attack.
- A single phone was used to create 10 or more accounts within a short timeframe.
👉 Read Incode’s analysis of 2025 identity fraud trends and detection signals
Context
Identity fraud is moving from isolated spoofing attempts to repeatable abuse patterns that span onboarding, verification, and account recovery. Static review controls break down when the same device, biometric, or credential fragment can be reused across multiple sessions, especially when generative tools can fabricate more convincing liveness signals.
The article sits squarely in identity verification and fraud governance, with a clear intersection to IAM where recovered credentials, account takeover, and onboarding trust decisions feed later access decisions. That makes the operational question less about whether fraud exists and more about whether the verification layer can correlate identity behaviour over time.
Key questions
Q: What breaks when identity verification only evaluates one session at a time?
A: Single-session verification misses repeated biometrics, reused documents, and device continuity. That lets organised fraud look like separate legitimate attempts instead of a linked pattern. The result is false trust at onboarding, followed by account takeover or repeat registrations. Teams need correlation across sessions so the system can recognise when apparently valid submissions are part of the same fraud graph.
Q: Why do reused devices and biometrics increase fraud risk in onboarding flows?
A: Reused devices and biometrics are strong indicators that multiple applications may be controlled by the same actor or fraud ring. If each attempt is assessed independently, the pattern remains hidden and the attacker benefits from accumulated trust. This is especially dangerous when a trusted onboarding event later becomes the basis for recovery or login access.
Q: How can identity teams tell whether liveness checks are actually working?
A: Look for adversarial cases that still pass when motion is synthetic, partial, or replayed from a static image. Effective programmes test whether liveness outcomes remain stable when the same applicant reappears with different devices, names, or document data. If the control only succeeds in clean test conditions, it is not robust against fraud reuse.
Q: Who is accountable when fraudulent onboarding becomes account takeover later?
A: Accountability sits across identity verification, fraud operations, and IAM because the original trust decision can propagate into access. If onboarding accepts a compromised identity, later authentication and recovery processes inherit that risk. Governance should assign clear ownership for proofing, detection, and lifecycle reassessment so no stage can claim the problem belongs elsewhere.
Technical breakdown
Generative video reenactment and liveness spoofing
Video reenactment attacks use generative systems to turn still images into responsive face motion, which can defeat basic liveness checks. The technical shift matters because the spoof is no longer a flat replay or mask, but a dynamic presentation designed to imitate the timing and movement signals that verification tools often inspect. Passive liveness alone becomes weaker when the attacker can synthesize movement cues in real time. Defences need to compare facial motion, camera integrity, and session consistency rather than trusting a single liveness result.
Practical implication: teams should treat liveness as one signal in a multi-factor fraud decision, not as a standalone pass or fail gate.
Serial fraud through biometric and PII reuse
Serial fraud appears when the same face, selfie, name, or document number is recycled across multiple attempts to look like distinct people. The key technical problem is session isolation: if each onboarding event is judged independently, the platform may not see that the biometric or identity attributes are being reused in a coordinated pattern. Cross-session clustering and entity resolution are what expose the reuse. This is especially relevant when attackers mix real and synthetic attributes to pass government or bureau validation checks.
Practical implication: identity teams should build cross-session correlation rules that link repeated biometrics, documents, and user attributes across attempts.
Device reuse as a fraud graph signal
Device reuse is valuable to fraud rings because it lets them move many accounts through the same physical endpoint while varying the identity details. From a detection perspective, device fingerprinting, behavioral telemetry, and submission timing can reveal a fraud graph that isolated events hide. A single device generating many accounts in a short period is not just an anomaly, it is often an indicator of an organised onboarding operation with downstream account takeover risk. Once the device is trusted, the fraud chain can continue into credential reuse and recovery abuse.
Practical implication: instrument device reputation and link analysis so repeated device patterns trigger step-up review or case management.
Threat narrative
Attacker objective: The attacker objective is to create, take over, and reuse accounts while passing verification controls that only evaluate each session in isolation.
- Entry begins with AI-generated reenactments, reused biometrics, or assisted onboarding that makes an identity submission look legitimate.
- Escalation occurs when the same identity material, credential, or device is reused across multiple sessions, allowing fraudsters to bypass single-session verification logic.
- Impact is account creation, credential takeover, and reuse of trusted identity assets at scale across onboarding and recovery flows.
NHI Mgmt Group analysis
Biometric fraud has become a cross-session governance problem, not a point-in-time verification problem. The article shows that repeated faces, reused documents, and device continuity are now part of organised fraud tradecraft. That means the control objective is entity linkage over time, not just one-off identity proofing. Practitioners should treat reuse detection as a core trust function, not a back-office tuning exercise.
AI reenactment changes the trust boundary for identity verification. Once generative tools can create believable motion, the gap between passive liveness and adversarial presentation becomes material. This is where identity verification, fraud prevention, and IAM intersect, because a successful onboarding event often becomes the basis for later access. Teams should align proofing controls with downstream account lifecycle risk.
Device-linked onboarding abuse is a fraud ring signal that traditional identity checks miss. A single endpoint can support dozens of attempts while each individual submission appears plausible. That creates what we would call device trust leakage: confidence gained in one session is improperly reused in the next. Practitioners should build controls that preserve suspicion across sessions until the pattern is clearly resolved.
Identity fraud programmes now need correlation depth, not just model accuracy. The article’s core lesson is that better detection depends on linking biometric, device, and behavioural signals into a single fraud graph. That is the governance shift. The question is no longer whether a single check works, but whether the control stack can recognise repeated abuse across the full identity journey.
The IAM consequence is account legitimacy cannot be assumed after onboarding. When fraudsters later seize control of legitimate users or reuse the same device, the access layer inherits a compromised trust decision. That means identity proofing, account recovery, and authentication telemetry must be reviewed together. Practitioners should treat fraud signals as part of identity lifecycle governance, not a separate workflow.
What this signals
Device trust leakage: fraud teams should treat repeated device use as a persistence signal, not just an anomaly score. Once the same endpoint can support many onboarding attempts, the programme needs stronger link analysis and case escalation before trust is converted into access.
The broader signal is that identity programmes are converging with fraud operations. As verification becomes more automated, governance has to preserve context across sessions, devices, and lifecycle events so attackers cannot reset suspicion by simply changing names or images.
For teams managing both human identity and IAM, the lesson is clear: onboarding trust must be revisited after recovery, privilege change, and re-authentication. Controls that stop at initial proofing leave a gap that fraud rings are already exploiting.
For practitioners
- Deploy cross-session biometric correlation Link faces, documents, names, and device fingerprints across attempts so repeated identity material is surfaced even when each session looks valid on its own.
- Raise step-up scrutiny for repeated devices Flag devices that create multiple accounts, especially when the timing, location, or behavioral pattern suggests assisted onboarding or organised abuse.
- Blend liveness with behavioural telemetry Use camera, motion, submission cadence, and device trust together so generative reenactments do not rely on a single acceptance signal.
- Tie fraud signals to account lifecycle controls Route suspicious onboarding and takeover patterns into identity recovery, re-verification, and access review so compromised trust does not persist into production access.
Key takeaways
- AI-generated reenactments, reused identity data, and repeated devices show that fraud is now a lifecycle problem, not a single-step verification failure.
- Incode says fraud in the USA has increased by 0.8%, and a single phone was linked to 10 or more accounts in short succession.
- Cross-session correlation, device intelligence, and lifecycle-aware review are the controls most likely to disrupt these fraud patterns.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63A | Identity proofing and verification are central to the article's fraud patterns. |
| NIST CSF 2.0 | PR.AC-7 | Authentication and access decisions depend on trustworthy identity signals. |
| GDPR | Art.32 | Biometric and identity data processing raises security and privacy obligations. |
Protect biometric and identity data under Art.32 with strong access control, retention limits, and integrity checks.
Key terms
- Liveness Spoofing: Liveness spoofing is an attempt to trick biometric verification into believing a presentation is a live person rather than a replay, mask, or synthetic image. Modern attacks use generated motion, video reenactment, or camera manipulation to imitate natural human response and bypass weak proofing checks.
- Serial Fraud: Serial fraud is repeated abuse of identity attributes across multiple onboarding or verification attempts. The same face, document, device, or credential fragment is reused with small changes so each attempt appears unique, even though the underlying actor or fraud ring is the same.
- Cross-Session Correlation: Cross-session correlation is the practice of linking identity signals over time so repeated behaviour can be recognised as a pattern. It is essential for fraud detection because isolated events often look legitimate, while the combined trail reveals reuse, takeover, or coordinated abuse.
- Device Fingerprinting: Device fingerprinting identifies a device using a combination of technical attributes such as hardware, browser, network, and behavioural markers. In fraud workflows, it helps detect repeated use of the same endpoint across multiple accounts, which can indicate organised abuse or account takeover.
What's in the full article
Incode’s full blog covers the operational fraud signals this post intentionally leaves at a higher level:
- Detailed examples of video reenactment and liveness spoofing patterns observed by the Fraud Lab
- The multi-signal detection logic used to combine biometric, device, and behaviour trust
- Operational distinctions between serial fraud, assisted onboarding, and account takeover
- How the team uses cross-frame video analysis to distinguish legitimate motion from spoofing
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, secrets management, and workload identity. It helps practitioners connect proofing, access, and lifecycle controls across identity programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org