By NHI Mgmt Group Editorial Team | Published 2025-12-17 | Domain: Governance & Risk | Source: Veriff

TL;DR: According to Veriff’s 2026 Identity Fraud Report, impersonation fraud made up more than 85% of fraud attacks in 2025, AiTM attacks still bypass MFA via session cookie theft, and e-commerce hit a 19.2% net fraud rate. The report shows how AI and automation are changing verification. Conventional identity checks are no longer enough when the attack surface includes deepfakes, injected media, and real-time credential relay.


At a glance

What this is: Veriff’s fraud trends for 2026 show impersonation, AiTM, emulator, and injection attacks increasingly overlap with AI-enabled deception.

Why it matters: IAM and identity verification teams need to treat fraud trends as governance signals because the same identity trust assumptions that underpin human login and onboarding are now being exploited at scale.



Context

Online fraud is no longer a single attack type. It now combines impersonation, session interception, device emulation, and injected media, which means identity verification has to distinguish real users from synthetic behaviour and manipulated evidence.

For identity programmes, the issue is broader than fraud operations. The same controls used for customer identity, access assurance, and risk scoring must now account for AI-generated deception, credential replay, and faster attacker adaptation across onboarding and login.

Veriff’s analysis is useful because it shows a familiar pattern: the strongest attack methods are not disappearing, but they are becoming more targeted and more automated. That is typical of a mature fraud ecosystem, not an edge case.


Key questions

Q: How should security teams reduce fraud when attackers use deepfakes and synthetic identities?

A: They should combine document validation, liveness detection, behavioural analytics, and risk-based step-up checks rather than relying on a single identity proofing event. Deepfakes and synthetic identities are strongest when a programme trusts one signal too much. The goal is to make spoofed evidence fail across multiple independent checks before approval.

Q: Why do AiTM attacks still matter if organisations already use MFA?

A: AiTM attacks matter because MFA can still be bypassed when an attacker relays the user’s authentication flow and steals the resulting session cookie. In that case, the problem is not password strength but session integrity. Phishing-resistant authentication and tighter token controls reduce the chance that a successful login becomes immediate takeover.

Q: What breaks when organisations trust documents or devices too much in verification flows?

A: Proofing breaks when documents, devices, or captured media are treated as inherently reliable. Attackers can fake documents, emulate devices, or inject synthetic video into the verification path, which creates false acceptance and contaminates identity records. The remedy is to require corroborating signals rather than a single point of trust.

Q: How should teams prioritise fraud controls when identity risk spans onboarding and login?

A: They should prioritise controls that protect the highest-value trust decisions first, especially account creation, recovery, and access to payment or support functions. Those are the points where one successful deception can create persistent downstream exposure. Governance should follow the value of the identity outcome, not just the volume of attempts.


Technical breakdown

Why impersonation fraud now beats static verification

Impersonation fraud succeeds when identity proofing relies on documents or images that can be copied, altered, or generated. Deepfakes, synthetic identities, and document manipulation reduce the reliability of one-time checks because the attacker can present convincing but false evidence at scale. Behavioural analytics and liveness checks matter here because they assess whether the interaction looks human and consistent over time, not just whether the document format appears valid. The operational challenge is that identity assurance now has to span both onboarding and ongoing interaction, rather than ending at the first approval.

Practical implication: combine document validation with biometric and behavioural controls, and treat onboarding as a risk decision, not a form check.

How AiTM attacks bypass MFA and session controls

Adversary-in-the-Middle attacks work by relaying a victim’s authentication flow through a malicious proxy so the attacker captures credentials and session cookies in real time. That lets the attacker inherit an authenticated session without needing to defeat the password or MFA step directly. This is why conventional MFA can still fail when the session token becomes the real prize. Phishing-resistant methods such as certificate-based authentication bind the login process to the legitimate domain, making relay attacks much harder to execute successfully.

Practical implication: prioritise phishing-resistant authentication for high-risk user populations and limit the value of session tokens wherever possible.
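
One way to apply session binding and token lifetime on the server side, as an added example that is not from Veriff or the original post: every request is compared with the context recorded when the session was issued. The event fields, thresholds, verdict names and sample log are constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_AGE = timedelta(minutes=30)  # assumed policy: how long a token stays useful

# Constructed sample log: (time, session_id, kind, asn, tls_fingerprint, user_agent)
EVENTS = [
    ("2025-01-10T09:00:00", "s1", "login",   "AS64500", "fp-a", "Firefox/133"),
    ("2025-01-10T09:02:00", "s1", "request", "AS64500", "fp-a", "Firefox/133"),
    ("2025-01-10T09:03:00", "s1", "request", "AS64511", "fp-b", "Chrome/131"),
    ("2025-01-10T09:04:00", "s1", "request", "AS64500", "fp-a", "Firefox/133"),
    ("2025-01-10T10:00:00", "s2", "login",   "AS64501", "fp-c", "Safari/18"),
    ("2025-01-10T10:05:00", "s2", "request", "AS64502", "fp-c", "Safari/18"),
    ("2025-01-10T10:45:00", "s2", "request", "AS64501", "fp-c", "Safari/18"),
]

def evaluate(events, max_age=MAX_AGE):
    """Return (time, session_id, verdict) for each event, in order."""
    bound = {}       # session_id -> (issued_at, context seen at issuance)
    revoked = set()  # sessions killed after a likely cookie replay
    decisions = []
    for ts, sid, kind, asn, tls_fp, ua in events:
        now = datetime.fromisoformat(ts)
        ctx = (asn, tls_fp, ua)
        if kind == "login":
            bound[sid] = (now, ctx)
            decisions.append((ts, sid, "issued"))
            continue
        if sid in revoked or sid not in bound:
            decisions.append((ts, sid, "deny"))
            continue
        issued_at, issued_ctx = bound[sid]
        changed = sum(a != b for a, b in zip(ctx, issued_ctx))
        if now - issued_at > max_age:
            verdict = "reauth"       # token outlived its allowed lifetime
        elif changed >= 2:
            revoked.add(sid)         # network and client both differ: treat as replay
            verdict = "revoke"
        elif changed == 1:
            verdict = "step_up"      # e.g. roaming user: ask for fresh proof
        else:
            verdict = "allow"
        decisions.append((ts, sid, verdict))
    return decisions

if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(*row)
```

A check like this only catches a cookie reused from a different context than the one it was issued to, so it complements phishing-resistant authentication rather than replacing it.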

Emulator and injection attacks as device trust failures

Emulator attacks spoof the device environment, while injection attacks insert manipulated video or image streams into the verification process. Both attack the assumption that device posture and captured media are inherently trustworthy. Once that assumption breaks, device fingerprinting alone is no longer enough because the attacker can mimic hardware or feed synthetic inputs through the verification path. Stronger defences use multiple signals together, including interaction timing, biometric liveness, device integrity, and network context, to decide whether the subject and the device are authentic enough for the action being taken.

Practical implication: verify device and media integrity as separate signals, then require multiple consistent indicators before approving higher-risk transactions.
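
A sketch of that corroboration rule, added here as an example and not taken from Veriff or the original post: evidence such as liveness only counts when the channel that carried it (media or device integrity) has itself been verified. The signal names, the dependency map and the per-action thresholds are assumptions.

```python
# Assumed model: which integrity check must pass before a signal is trusted.
CARRIER = {
    "document": "media_integrity",
    "liveness": "media_integrity",
    "behaviour": "device_integrity",
    "fingerprint": "device_integrity",
}
# Assumed thresholds: independent passing signals required per action.
REQUIRED = {"signup": 2, "payment": 3, "recovery": 4}

def decide(action, signals):
    """signals maps name -> True (pass), False (fail) or None (not collected).

    Returns (verdict, counted_signals)."""
    carriers = set(CARRIER.values())
    # A failed carrier means the evidence path was tampered with, not merely weak.
    if any(signals.get(c) is False for c in carriers):
        return "deny", []
    evidence = {n: v for n, v in signals.items() if n not in carriers}
    # A pass counts only if its carrier was verified; an unverified camera
    # stream makes a "passing" liveness score meaningless.
    counted = sorted(
        n for n, v in evidence.items()
        if v is True and (n not in CARRIER or signals.get(CARRIER[n]) is True)
    )
    if any(v is False for v in evidence.values()):
        return "step_up", counted  # signals disagree: do not auto-approve
    if len(counted) >= REQUIRED[action]:
        return "approve", counted
    return "step_up", counted

# Constructed sample: convincing face and document, but media path never verified.
RECOVERY_ATTEMPT = {
    "document": True, "liveness": True, "media_integrity": None,
    "device_integrity": True, "behaviour": True, "network": True,
}

if __name__ == "__main__":
    print(decide("recovery", RECOVERY_ATTEMPT))
```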


Threat narrative

Attacker objective: The attacker’s objective is to obtain trusted access that can be monetised through account takeover, fraudulent transactions, or persistence inside identity flows.

  1. Entry begins with impersonation, AiTM relay, or injected media that allows the attacker to present a believable identity or hijack an existing session.
  2. Escalation follows when the attacker captures session cookies, defeats conventional MFA, or reuses synthetic identity evidence to pass subsequent checks.
  3. Impact occurs when fraudulent access enables account takeover, transaction abuse, or broader trust degradation in onboarding and payment flows.



NHI Mgmt Group analysis

Fraud is now an identity governance problem, not only a detection problem. When impersonation fraud dominates and verification can be manipulated with AI-generated evidence, the boundary between fraud operations and identity assurance collapses. That means security teams need to govern how identity is proven, not just whether a transaction looks suspicious. The practitioner implication is that verification policy now belongs in IAM, not only in fraud tooling.

AiTM attacks show that authentication strength is not the same as session integrity. A user can pass MFA and still lose control of the session if an attacker captures cookies in real time. That exposes a control gap in programmes that treat login success as the end of the security decision. The practitioner implication is to evaluate session binding, token lifetime, and phishing resistance as one control surface.

Document fraud and synthetic identity are converging into one trust problem. A counterfeit document, a deepfake face, and a manipulated onboarding flow all aim at the same weak point: overreliance on a single proofing event. The result is not just false acceptance, but polluted identity records that can be reused later. The practitioner implication is to treat proofing artefacts as governed inputs with lifecycle oversight.

Emulator and injection attacks create a device trust debt. Once device authenticity is assumed rather than continuously validated, verification systems accumulate hidden exposure to spoofed endpoints and synthetic media. That exposure does not stay isolated to onboarding because the same device and interaction signals often feed downstream risk decisions. The practitioner implication is to align device assurance with the transaction risk being approved.

AI is turning fraud into an adaptive identity pressure test. The key change is not that attackers use more technology, but that they can tune deception faster than static rules can adapt. This makes identity programmes brittle when they depend on fixed thresholds or single-modal verification. The practitioner implication is to manage fraud as an ongoing governance cycle, not a one-time control deployment.

From our research:

  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, which shows how quickly identity exposure becomes recurring rather than isolated.
  • For broader breach pattern context, see The 52 NHI breaches Report for case studies that show how identity failures compound across environments.

What this signals

Identity fraud programmes will increasingly need governance language, not only detection language. Once AI-generated deception can mimic valid users, the question becomes which signals are authoritative enough to drive trust decisions. With 72% of organisations having experienced or suspecting a breach of non-human identities according to our 2024 ESG report, the operational lesson is that trust collapse is already a programme-level issue, not a niche fraud event.

Fraud, IAM, and PAM teams will need to coordinate on the same trust boundary. The control that stops onboarding fraud is often the same one that reduces later account takeover impact. That is why identity verification, session assurance, and privileged access governance now need to share signal quality, escalation rules, and review outcomes.

Verification architecture should be designed for adversarial adaptation. Static rules age quickly when attackers can rotate between impersonation, AiTM, emulator abuse, and injection. Teams that want durable control need to align controls to the identity outcome being protected, then revisit those controls as attacker behaviour changes.


For practitioners

  • Raise assurance for high-risk onboarding paths: Use stronger verification for accounts or transactions that create outsized downstream trust, especially where documents, faces, and device signals can be manipulated together. Separate low-risk sign-up flows from privileged or payment-enabled journeys.
  • Adopt phishing-resistant authentication for exposed user groups: Move targeted populations such as administrators, finance users, and support staff to certificate-based or similarly phishing-resistant methods so session relay becomes materially harder.
  • Treat session tokens as high-value assets: Shorten token usefulness where possible, monitor replay patterns, and bind sessions more tightly to context so a captured cookie does not behave like a durable credential.
  • Use multiple fraud signals before approval: Require consistency across behavioural analytics, device authenticity, biometric liveness, and timing before approving actions that move money, create accounts, or recover access.

Key takeaways

  • Impersonation, AiTM, and injection attacks are converging into a single identity trust problem that static verification cannot solve alone.
  • The scale is already material, with impersonation fraud dominating attacks and e-commerce showing a 19.2% net fraud rate in 2025.
  • Teams should raise assurance at the most valuable trust points, then connect authentication, proofing, and session controls into one governance model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Fraud verification depends on proving identities before granting access or approving actions.
NIST SP 800-63 | IAL2 | Impersonation and document fraud directly affect identity proofing assurance levels.
NIST Zero Trust (SP 800-207) | PR.AC-7 | AiTM and session hijacking show why continuous verification must extend beyond login.

Use IAL guidance to separate low-confidence from high-confidence proofing and step up when evidence is weak.


Key terms

  • Impersonation Fraud: A fraud method that uses stolen, falsified, or generated identity evidence to pose as a real person. It often combines fake documents, synthetic identities, and deepfakes to pass verification checks and gain trust during onboarding, recovery, or transaction approval.
  • Adversary-in-the-Middle Attack: An interception attack where the fraudster relays a live authentication session between the user and the legitimate service. The goal is to capture credentials or session tokens in real time, which can defeat MFA if the programme relies on login success rather than session integrity.
  • Injection Attack: A verification attack that inserts manipulated images, video, or device signals into an identity flow. It aims to make synthetic or replayed content look like a live person or a legitimate device, forcing systems to distinguish authentic interaction from staged input.
  • Session Token: A short-lived credential that proves an authenticated session is still valid after login. In identity security, the token can become more valuable than the password because stealing it can allow direct reuse of the session without repeating the full authentication process.


This post draws on content published by Veriff: Six key online fraud trends to watch in 2026. Read the original.
