By NHI Mgmt Group Editorial Team. Published 2026-02-07. Domain: Governance & Risk. Source: iProov.

TL;DR: Synthetic identity fraud now costs businesses an estimated $20-40 billion globally each year, with U.S. lenders facing $3.3 billion in exposure from new-account abuse through 2024, according to iProov. The structural problem is that fabricated identities remove the victim from the detection loop, so onboarding verification has to do the work that reporting and recovery never can.


At a glance

What this is: Synthetic identity fraud is the creation of a fictional person from stolen and fabricated data, and the key finding is that it defeats traditional detection because no real victim exists to raise the alarm.

Why it matters: It matters to IAM practitioners because onboarding controls, proofing, and lifecycle governance have to stop fabricated identities before they become durable accounts, privileges, or workforce access paths.

By the numbers:

  • $20-40 billion: estimated annual global cost of synthetic identity fraud to businesses, according to iProov.
  • $3.3 billion: U.S. lender exposure from new-account abuse through 2024, according to iProov.


Context

Synthetic identity fraud is what happens when an organisation accepts a fabricated person as real during onboarding. The key governance gap is that identity proofing often assumes the person already exists in a verifiable form, when the attacker is constructing that identity from fragments of legitimate and false data. For IAM teams, that means the control problem begins before account creation, not after.

The article frames synthetic identity fraud as a lifecycle issue, not just a fraud pattern. Once a fabricated identity gets through onboarding, it can be nurtured, given credit, and later cashed out or used for workforce access. That makes the starting point atypical only in appearance. In practice, it is a familiar failure mode in customer identity and remote hiring programmes alike.


Key questions

Q: What fails when synthetic identity fraud gets past onboarding?

A: The core failure is that the system has already accepted a fabricated person as real, so every downstream control starts from a false identity. Behavioural monitoring, credit checks, and complaint-based detection become weak because there is no real victim to surface the fraud. The right response is to strengthen proofing before account creation, especially where access or financial value can be built over time.

Q: Why do synthetic identities bypass so many fraud controls?

A: They bypass controls because each piece of data can look legitimate on its own, even when the identity as a whole is fictional. A real identifier, a plausible address, and a convincing name can satisfy field-level checks while still being an invented person. Teams should measure whether their controls validate identity coherence, not just data quality.

Q: How should organisations verify that a new user is real?

A: Organisations should require real-time genuine presence verification during onboarding for high-risk use cases. The control should confirm that the user matches the identity document, is physically present, and is interacting live rather than through a replay, photo, mask, or deepfake. That is what closes the gap that synthetic identities exploit.

Q: What is the difference between identity theft and synthetic identity fraud?

A: Identity theft steals and impersonates a real person, while synthetic identity fraud creates a new person from mixed real and fabricated data. The practical difference is that identity theft usually has a victim who notices and reports it, but synthetic fraud often has no victim at all, which lets it persist longer and makes proofing far more important than recovery.


Technical breakdown

Identity fabrication, manipulation and compilation

Synthetic identity fraud is not one technique but three. Identity fabrication uses entirely fake details, identity manipulation tweaks real data just enough to pass validation, and identity compilation blends real and fake fragments into one apparently plausible person. The most dangerous form is compilation because each element can look valid in isolation, which defeats controls that validate fields one by one instead of assessing the identity as a whole. In IAM terms, this is a proofing failure, not an authentication failure. Once the fabricated identity is admitted, downstream controls inherit the mistake.

Practical implication: move proofing from field validation to identity-level verification before account creation.
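As an added example that is not part of the iProov article or the NHI Mgmt Group's own material, the following Python contrasts field-level validation with an identity-level coherence check over a constructed applicant record. The identifier format, the record fields (first-seen date, file age, authorised-user additions) and the coherence rules are assumptions for illustration, not a real identity scheme or any vendor's logic.

```python
from dataclasses import dataclass
from datetime import date
import re

@dataclass
class Applicant:
    name: str
    dob: date
    national_id: str               # constructed NNN-NN-NNNN stand-in, not a real scheme
    address: str
    id_first_seen: date            # assumed source: earliest record in which the identifier appears
    file_age_days: int             # assumed source: age of the applicant's existing account/credit file
    authorised_user_adds_90d: int  # assumed source: authorised-user additions in the last 90 days

def field_checks(a: Applicant) -> dict:
    """Field-by-field validation: every attribute judged in isolation."""
    return {
        "name": bool(re.fullmatch(r"[A-Za-z][A-Za-z' -]{1,60}", a.name)),
        "national_id": bool(re.fullmatch(r"\d{3}-\d{2}-\d{4}", a.national_id)),
        "address": len(a.address.strip()) >= 8,
        "dob": date(1900, 1, 1) < a.dob,
    }

def coherence_findings(a: Applicant, today: date) -> list:
    """Identity-level checks: do the fields describe one plausible, consistent person?"""
    findings = []
    age_years = (today - a.dob).days // 365
    if a.id_first_seen < a.dob:
        findings.append("identifier predates date of birth")
    if age_years >= 25 and a.file_age_days < 365:
        findings.append("thin file for stated age")
    if a.file_age_days < 365 and a.authorised_user_adds_90d >= 2:
        findings.append("rapid authorised-user additions on a new file")
    return findings

def proofing_decision(a: Applicant, today: date) -> str:
    """Reject on malformed fields; route incoherent identities to enhanced review."""
    if not all(field_checks(a).values()):
        return "reject"
    return "enhanced_review" if coherence_findings(a, today) else "accept"

TODAY = date(2026, 2, 7)
# Constructed compiled identity: each field is well-formed, but the whole is not one person.
COMPILED = Applicant("Jordan Avery", date(1996, 4, 12), "123-45-6789",
                     "14 Elm Street, Springfield", date(1994, 3, 1), 120, 3)
# Constructed genuine applicant with a history consistent with the stated date of birth.
GENUINE = Applicant("Jordan Avery", date(1996, 4, 12), "123-45-6789",
                    "14 Elm Street, Springfield", date(1996, 5, 1), 3000, 0)
```

Both records pass every field check; only the coherence layer separates the compiled identity (three findings, enhanced review) from the genuine one (no findings, accept).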

Why victimless fraud bypasses behavioural detection

Traditional fraud detection depends on a victim noticing and reporting something wrong. Synthetic identity fraud removes that feedback loop entirely because the identity has no real owner monitoring transactions or account activity. That means anomaly-based monitoring often sees the synthetic profile as normal, because it has no historical baseline and no contradictory human behaviour to compare against. This is why the article argues that detection must happen at onboarding. If the fabricated identity is allowed into the system, the fraud can mature for months or years without a trigger.

Practical implication: treat absence of complaints as a weak signal and place stronger controls at enrolment.

Genuine presence verification and liveness

A selfie match alone does not stop synthetic identity fraud. A fraudster can pair a matching image with a deepfake, a replayed session, or an identity mule who completes the check and then hands the account over. Genuine presence verification adds the missing conditions: the user must match the document, be physically present, and be present in real time. That combination makes the control materially different from static facial comparison. It is a stronger answer because a fictional identity cannot provide a live human behind it when the system asks for proof of presence.

Practical implication: require real-time liveness and injection-resistant proofing for high-risk onboarding flows.


Threat narrative

Attacker objective: The attacker’s objective is to convert a fabricated identity into an account that can be cultivated, monetised, and abandoned as unrecoverable loss.

  1. Entry occurs when attackers assemble a synthetic person from real identifiers, stolen data, and fabricated attributes and pass it through onboarding.
  2. Escalation occurs when the fabricated identity is nurtured with small accounts, authorised-user additions, and credit-building behaviour until it looks trustworthy.
  3. Impact occurs when the fraudster busts out, maxes accounts, takes loans or drains value, and disappears with no real person left to pursue.


NHI Mgmt Group analysis

Victimless fraud is really proofing failure in disguise: Synthetic identity fraud works because onboarding controls assume a real person exists behind the application. That assumption collapses when the attacker manufactures the person from fragments of legitimate and fabricated data. The implication is that identity governance has to move upstream to proofing, because post-enrolment monitoring never gets a genuine victim signal to work with.

Presence, not just identity matching, is the decisive control: A document photo and a face comparison can both be genuine-looking while still admitting a synthetic identity. The article’s core lesson is that the control boundary is not “does this image match?” but “is a living human physically present right now?” For IAM and fraud teams, that makes genuine presence verification part of onboarding trust, not an optional UX enhancement.

Credit cultivation is a lifecycle problem, not a single event: Synthetic identities are nurtured into legitimacy over time through small accounts, credit increases, and authorised-user additions. That pattern mirrors broader lifecycle drift in identity governance, where an account looks safe because it has aged into familiarity. Practitioners should treat slow-building legitimacy as a risk signal, not evidence of trust.

Synthetic identity assembly creates an identity blast radius: Once a fabricated person is accepted, every downstream process that depends on the initial proofing decision inherits that mistake. That includes lending, account recovery, step-up verification, and even workforce onboarding when the same identity patterns are reused. The practitioner conclusion is simple: if onboarding is weak, every later control is forced to compensate for a false origin.

Remote hiring is now part of the same identity fraud surface: The article shows that fabricated identities are no longer limited to consumer finance. Workforce onboarding can be compromised by the same proofing weaknesses, especially when remote hiring and account recovery rely on document-only checks. The governance question is no longer whether customer and workforce identity share lessons, but how quickly teams can align them.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to State of Secrets in AppSec.
  • The same research found that only 44% of developers follow security best practices for secrets management, which shows how often confidence outruns actual control.
  • For a broader control lens, the Ultimate Guide to NHIs explains why lifecycle governance and proofing discipline matter before identity is trusted.

What this signals

Identity proofing is becoming a shared control plane for customer and workforce onboarding. As synthetic identities spread from lending into remote hiring, teams can no longer treat customer identity assurance and employee identity assurance as separate design problems. The operational signal is that document-only checks will keep failing wherever the business needs scale, speed, and remote access at the same time.

Biometric liveness is now a governance issue, not just a security feature. If organisations allow a static selfie match to stand in for real presence, they are effectively accepting a weak trust anchor for the rest of the identity lifecycle. Teams should align enrolment policy with zero trust thinking and use the OWASP Non-Human Identity Top 10 as a reminder that weak origin controls create lasting downstream risk.

The named concept here is identity blast radius: the downstream exposure created when a false identity origin is allowed to propagate into credit, recovery, and access decisions. Practitioners should expect fraud controls, IAM recovery paths, and onboarding policies to converge, because the attack surface now crosses them all.


For practitioners

  • Move proofing upstream to enrolment: Require genuine presence verification before an account is created, not after suspicious activity begins. Use controls that confirm document match, live presence, and real-time interaction together.
  • Treat thin-file and newly built identities as high-risk: Flag applications built from sparse histories, rapid credit-building, or unusual authorised-user patterns for enhanced review. Synthetic identities often look clean precisely because they have been carefully staged.
  • Separate selfie match from liveness assurance: Do not rely on static face comparison for high-value onboarding flows. Add injection-resistant liveness checks so deepfakes, replayed video, and mule-assisted verification cannot satisfy the control.
  • Extend proofing controls into workforce onboarding: Apply the same identity proofing standard to remote hiring, account recovery, and shared-device access. The same fabricated-identity playbook is now being used across customer and employee onboarding paths.

Key takeaways

  • Synthetic identity fraud succeeds because onboarding accepts a fabricated person as real, which defeats every downstream control that assumes a genuine origin.
  • The article cites $20-40 billion in annual global cost and $3.3 billion in U.S. lender exposure, showing that synthetic fraud is a scaled governance problem, not an edge case.
  • Teams should prioritise real-time presence verification and stronger proofing at enrolment, because recovery after the fact rarely exists when the victim is fictional.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Synthetic identities exploit weak onboarding proofing and false trust at enrolment.
NIST CSF 2.0 | PR.AA-1 | Identity proofing supports access authorisation decisions at the start of the lifecycle.
NIST Zero Trust (SP 800-207) | | Zero Trust depends on trustworthy identity origin before continuous verification can work.

Verify identity confidence before granting access and document proofing thresholds for high-risk use cases.


Key terms

  • Synthetic Identity Fraud: Synthetic identity fraud is the creation of a new person using a mix of real, stolen, and fabricated data. The identity is not impersonating a real victim. Instead, it is engineered to pass onboarding checks, build trust over time, and later monetise access or credit before disappearing.
  • Genuine Presence Verification: Genuine presence verification is a biometric control that checks that a real human is physically present during the session, not a replay, photo, mask, or deepfake. It adds a live assurance layer to identity proofing, which is especially important when the person being enrolled may not exist at all.
  • Identity Proofing: Identity proofing is the process of determining whether an applicant is who they claim to be before an account is created. In practice, it combines document checks, data validation, and live verification to reduce the chance of admitting fabricated or misrepresented identities into downstream systems.
  • Identity Blast Radius: Identity blast radius is the downstream damage created when an initial trust decision is wrong. If a false identity origin is accepted at onboarding, every later decision that depends on that origin can inherit the error, expanding fraud, recovery, and access risk across the lifecycle.

Deepen your knowledge

Synthetic identity fraud and genuine presence verification are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building onboarding controls for customer identity or workforce access, the course is a useful next step.

This post draws on content published by iProov: synthetic identity fraud and the limits of onboarding verification. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org