TL;DR: A 34-year-old suspect used stolen IDs, deepfakes, and ABN AMRO’s mobile onboarding flow to open 46 fraudulent bank accounts, according to iProov, exposing how selfie-to-ID checks can be defeated when liveness is weak. Static KYC verification no longer matches the scale or accessibility of synthetic identity attacks.
NHIMG editorial — based on content published by iProov covering deepfake-enabled bank account fraud: an analysis of the ABN AMRO case and the limits of selfie-to-ID checks
By the numbers:
- In the first half of 2025 alone, regulators levied $1.23 billion in financial penalties, a 417% increase year-over-year.
- iProov’s 2026 Threat Intelligence Report documented a 1,151% year-over-year increase in iOS injection attacks in the second half of 2025.
Questions worth separating out
Q: What breaks when selfie-to-ID verification is used without liveness detection?
A: Selfie-to-ID verification without liveness detection can approve synthetic faces that only appear to match the identity document.
Q: Why do deepfakes create a bigger risk for mobile KYC than traditional document fraud?
A: Deepfakes let an attacker keep the document authentic while fabricating the person presenting it.
Q: How can security teams tell if biometric onboarding controls are actually working?
A: They should test whether the control detects presentation, replay, and injection attacks under realistic conditions, not just whether it matches two images.
Practitioner guidance
- Add liveness as a mandatory control for high-risk onboarding. Require passive or active liveness testing on any mobile onboarding path that accepts identity documents and selfies.
- Separate document authenticity from applicant authenticity. Design the workflow so a valid passport or national ID does not by itself complete proofing.
- Reassess automated approval thresholds for low-friction onboarding. Review every flow that can approve accounts with no human checkpoint.
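The three points above can be read as one decision gate. The sketch below is an added example, not code from iProov or ABN AMRO: it contrasts a selfie-to-ID-only policy with one that treats liveness and capture integrity as separate, mandatory checks. All field names, the 0.90 threshold and the sample sessions are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    APPROVE = "approve"
    MANUAL_REVIEW = "manual_review"
    REJECT = "reject"

@dataclass(frozen=True)
class Signals:
    # Hypothetical fields; a real flow would fill these from its own checks.
    document_authentic: bool         # document forensics verdict
    face_match_score: float          # selfie vs. ID portrait, 0.0 to 1.0
    liveness_passed: Optional[bool]  # None means the check never ran
    capture_trusted: Optional[bool]  # injection/replay check; None = not run
    high_risk_path: bool             # e.g. fully remote mobile onboarding

MATCH_THRESHOLD = 0.90  # assumed value, for illustration only

def weak_policy(s: Signals) -> Decision:
    """Selfie-to-ID only: a genuine document plus a matching face approves."""
    if s.document_authentic and s.face_match_score >= MATCH_THRESHOLD:
        return Decision.APPROVE
    return Decision.REJECT

def hardened_policy(s: Signals) -> Decision:
    """Document and applicant authenticity are separate, mandatory gates."""
    if not s.document_authentic or s.face_match_score < MATCH_THRESHOLD:
        return Decision.REJECT
    applicant_checks = (s.liveness_passed, s.capture_trusted)
    if any(c is False for c in applicant_checks):
        return Decision.REJECT  # failed liveness or untrusted capture
    if any(c is None for c in applicant_checks):
        # A check that did not run is never a pass: no automatic approval.
        return Decision.REJECT if s.high_risk_path else Decision.MANUAL_REVIEW
    return Decision.APPROVE

# Constructed sessions (not data from the case).
SYNTHETIC_FACE = Signals(True, 0.97, False, False, True)   # real ID, fake face
UNCHECKED = Signals(True, 0.97, None, None, False)         # liveness skipped
GENUINE = Signals(True, 0.95, True, True, True)

if __name__ == "__main__":
    for name, s in [("synthetic", SYNTHETIC_FACE), ("unchecked", UNCHECKED),
                    ("genuine", GENUINE)]:
        print(f"{name}: weak={weak_policy(s).value} "
              f"hardened={hardened_policy(s).value}")
```

The weak policy approves the synthetic-face session because the document is genuine and the images match; the hardened policy rejects it and never approves a session whose applicant checks did not run.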
What's in the full article
iProov's full blog post covers the operational detail this analysis intentionally leaves for the source:
- A step-by-step explanation of how the deepfake fraud was uncovered during investigation.
- The bank-specific onboarding flow and how the selfie-to-ID comparison failed in practice.
- The liveness detection mechanisms the vendor says are designed to detect injection, replay, and presentation attacks.
- The referenced benchmark standards and what they mean for biometric assurance testing.