By NHI Mgmt Group Editorial TeamPublished 2026-01-20Domain: Identity Beyond IAMSource: Oz Forensics

TL;DR: Fraud in 2026 is shifting from manual social engineering to automated deepfakes, injection attacks, and agentic AI that can bypass identity checks at scale, according to Oz Forensics. Visual trust and one-time biometric verification are no longer enough when attackers can industrialize fraud across thousands of sessions.


At a glance

What this is: This analysis argues that fraud is becoming industrialized through deepfakes, agentic AI, and injection attacks that target biometric and onboarding controls.

Why it matters: It matters to identity and security teams because verification now has to withstand adversarial automation, not just compare a person to a document or camera feed.

By the numbers:

👉 Read Oz Forensics' analysis of industrialized fraud, deepfakes, and injection attacks


Context

Fraud prevention is moving beyond document checks and live selfie comparisons into a contest with automated adversaries that can mimic people, manipulate video streams, and scale attacks across onboarding flows. In this environment, the primary governance problem is not just proving that a user exists, but proving that the signal used for verification has not been injected, replayed, or synthetic from the start.

That shift creates a direct boundary issue for identity teams. Identity verification, IAM, and fraud controls now overlap at the point where a digital identity becomes a session, and a session becomes an account with access. For banks, fintechs, and any organisation using biometric onboarding, the starting position described in this article is becoming increasingly typical rather than exceptional.


Key questions

Q: What breaks when identity verification only checks whether a face looks real?

A: The control fails when attackers can inject synthetic video, automate retries, or combine real personal data with AI-generated media. A face that looks real is not enough if the capture path itself is compromised. Teams need to validate signal integrity, device trust, and decision telemetry, not just visual plausibility.

Q: Why do deepfakes and agentic AI make onboarding risk harder to control?

A: Deepfakes supply convincing content, while agentic AI supplies speed and persistence. Together they let attackers scale impersonation, adapt to challenge-response steps, and create fraudulent accounts faster than manual review can keep up. That turns onboarding into a machine-speed adversarial workflow.

Q: How do security teams know whether liveness detection is actually working?

A: They should test for replay, injection, emulator, and virtual camera scenarios, then measure whether the system blocks those inputs consistently across devices and app versions. Strong liveness is not a single score. It is evidence that the full biometric pipeline resists manipulation under realistic attacker conditions.

Q: Who is accountable when synthetic identity fraud passes onboarding controls?

A: Accountability should sit jointly with identity verification, fraud, IAM, and application owners because the failure crosses multiple control domains. If a fraudulent account becomes an access path, the organisation has a lifecycle governance problem as much as a fraud problem. Control ownership must extend beyond the first approval step.


Technical breakdown

Deepfakes and synthetic identities change the attack surface for identity verification

Deepfake fraud no longer depends on a convincing one-off impersonation. Attackers can combine real personal data, AI-generated imagery, and scripted interaction to produce synthetic identities that survive basic onboarding checks. That means the control target shifts from identity appearance to signal integrity. In practice, biometric and document verification must assume the adversary can generate plausible face, voice, and document artefacts at machine speed. The result is an industrialised fraud pipeline, not an isolated spoof attempt.

Practical implication: treat onboarding signals as adversarial inputs and test them against synthetic media, replay, and injection scenarios.

Injection attacks bypass liveness by attacking the biometric pipeline

An injection attack does not need to fool the camera or the human reviewer directly. Instead, malware or an emulator inserts a fabricated video stream into the application pipeline, so the system believes it is seeing a live person. This is materially different from a static spoof because the compromise sits between capture and analysis. Passive liveness, metadata inspection, and server-side forensic checks are designed to detect this class of manipulation, but only if the full capture path is instrumented and monitored.

Practical implication: validate the entire biometric data path, not just the image presented to the user.

Agentic AI turns identity fraud into a machine-speed workflow

Agentic AI changes fraud from content generation into execution. A sufficiently capable agent can navigate onboarding forms, answer security prompts, retry failed steps, and adapt to verification friction without human intervention. That creates a machine-vs-machine contest where the slowest control becomes the bottleneck. This has consequences for fraud models, identity proofing, and step-up verification because the attacker can iterate continuously, gather telemetry, and adjust tactics faster than human-driven teams can review cases.

Practical implication: build detection and decisioning that can keep pace with automated retries, not just single-pass abuse.


Threat narrative

Attacker objective: The attacker aims to create fraudulent accounts, bypass onboarding controls, and monetise access through financial theft or mule activity.

  1. Entry begins with AI-generated synthetic identities, deepfakes, or injected video streams used to enter onboarding or verification workflows.
  2. Escalation occurs when attackers automate retries and adapt to challenge-response steps, allowing them to bypass controls at scale and create mule or fraudulent accounts.
  3. Impact is realised through financial fraud, identity abuse, and erosion of trust in biometric and document verification programmes.

NHI Mgmt Group analysis

Visual trust is no longer a governance control. The article correctly shows that human-eye verification collapses once attackers can synthesize faces, voices, and video in real time. That is an identity governance problem, not just a fraud problem, because many programmes still treat manual review as a backstop for trust. Practitioners should reclassify visual confirmation as a weak signal and move to layered verification that assumes adversarial media.

Biometric injection is the more important failure mode than deepfake realism. A convincing fake matters less than the ability to inject that fake into the trusted capture path. This is the kind of control gap that slips through programmes focused only on liveness scoring or document quality. The field should name this more precisely as biometric pipeline compromise, because that framing forces ownership across mobile security, fraud, and identity teams.

Agentic fraud creates a new verification trust gap. Autonomous systems change the tempo of attack, which means identity verification has to govern not only what is presented but how fast and how often verification can be abused. That intersects with IAM and access governance because fraudulent onboarding can become the first step in account lifecycle compromise. The practical conclusion is that identity proofing must be treated as a runtime control boundary, not a one-time checkpoint.

Fraud operations and IAM can no longer be separated at the onboarding edge. When attackers use synthetic identities to create accounts, the fraud problem becomes an access governance problem immediately after issuance. That means lifecycle controls, step-up policies, and account provenance need to be aligned from the first verification event. Organisations should treat onboarding as the start of identity governance, not the end of it.

Industrialized fraud should be measured as a resilience issue, not only a detection issue. The article points to scalable automation on the attacker side, which means programme success cannot be judged only by blocking obvious spoof attempts. Detection, review capacity, and recovery time all matter once fraud becomes repeatable and machine-speed. The practitioner conclusion is to test whether the verification stack can absorb repeated adversarial load without degrading decision quality.

What this signals

Signal gap: identity verification programmes that stop at presentation checks will miss the control failure that matters most, which is whether the capture path itself can be trusted. That is why biometric governance now needs to align more closely with device trust, application integrity, and fraud telemetry than with static identity proofing alone. For teams mapping this to standards work, the relevant conversation sits alongside MITRE ATT&CK Enterprise Matrix and Anthropic , first AI-orchestrated cyber espionage campaign report when automation becomes the attacker advantage.

Verification trust gap: the more easily attackers can synthesize identity signals, the more programme value shifts to controls that detect manipulation early and degrade gracefully under repeated abuse. The practical question for practitioners is whether onboarding, step-up, and post-issuance monitoring can still distinguish a real applicant from an automated workflow that is actively learning from each rejection. The scale problem is structural, not cosmetic.

If your fraud and IAM teams operate separately, industrialised fraud will exploit the seam. Account issuance, access provisioning, and ongoing behavioural checks need a common governance model so a synthetic identity does not become a durable access path after one successful verification event.


For practitioners

  • Instrument the full biometric capture path Monitor the application pipeline for emulator hooks, virtual camera artefacts, and injected video streams so the control does not depend solely on what the camera appears to see. Validate both client and server telemetry before a biometric decision is trusted.
  • Add adversarial testing for synthetic identities Red-team onboarding flows with deepfakes, face swaps, replayed video, and scripted agent behaviour to find which signals still pass when the attacker can iterate automatically. Include mobile app and browser paths because injection often lands where teams least expect it.
  • Align fraud and IAM ownership at account creation Define who owns account issuance, step-up review, and post-verification monitoring when synthetic identities bypass initial checks. Link identity proofing outcomes to lifecycle controls so suspicious accounts do not become durable access paths.
  • Use passive and server-side verification together Combine passive liveness, metadata inspection, and server-side forensic analysis so one compromised layer does not decide the outcome alone. This reduces the chance that client-side manipulation determines account acceptance.

Key takeaways

  • Industrialized fraud now targets the trust signals behind identity verification, not just the person being verified.
  • The scale signal is clear: attackers can automate impersonation, injection, and retry logic faster than manual review can keep up.
  • The control answer is governance across the full verification pipeline, from capture integrity to lifecycle ownership after issuance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST SP 800-63, NIST CSF 2.0 and NIST AI RMF set the technical controls, and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing and onboarding are central to the fraud patterns described.
NIST CSF 2.0PR.AC-1Access control begins with trustworthy identity proofing and issuance.
NIST AI RMFMANAGEAgentic fraud is an AI-enabled risk that requires managed detection and response.
MITRE ATT&CKTA0006 , Credential Access; TA0009 , CollectionAttackers harvest identity signals and abuse them to gain account access.
GDPRArt.32Biometric identity verification processes handle sensitive personal data and need security controls.

Apply Art.32 safeguards to the verification pipeline, especially where biometric data and identity documents are processed.


Key terms

  • Injection Attack: An injection attack in biometric verification occurs when an attacker feeds fabricated video or sensor data into the trusted application pipeline. The system may think it is seeing a live user even though the capture source is virtual, manipulated, or replayed. This is a control-path compromise, not just a spoofed appearance.
  • Passive Liveness: Passive liveness is a verification method that checks whether a biometric sample appears to come from a live human without requiring the user to perform actions. It reduces friction, but it still depends on the integrity of the capture and analysis path. If that path is manipulated, passive liveness alone will not protect the decision.
  • Agentic AI: Agentic AI is an AI system that can perceive context, decide on actions, and execute multi-step workflows with little or no human supervision. In fraud scenarios, that means the attacker can automate onboarding, retry logic, and adaptation. The security challenge is not just generated content, but autonomous execution at scale.
  • Synthetic Identity: A synthetic identity is a constructed identity that combines real and fabricated personal data into a profile designed to pass verification and open accounts. It may look legitimate enough for initial checks while still being false in substance. These identities are often used to create durable fraud accounts and mule infrastructure.

What's in the full report

Oz Forensics' full article covers the operational detail this post intentionally leaves for the source:

  • The article breaks down the financial fraud projection model behind the 2026 threat outlook.
  • It explains the injection attack mechanism and how malware manipulates the biometric capture pipeline.
  • It outlines the specific biometric stack components Oz Forensics says counter virtual camera and emulator abuse.
  • It describes the CEN/TS 18099 testing context and the passive liveness approach discussed in the source.

👉 The full Oz Forensics article covers the threat model, attack mechanisms, and biometric defence stack in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in the context of modern identity programmes. It helps practitioners connect verification, lifecycle, and access controls across human and non-human identities.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org