TL;DR: Identity fraud is becoming easier to execute at scale, with the report pointing to rising tactics, vulnerable industries, forged documents, deepfakes, and the growing regulatory response, according to SumSub. The practical challenge is that trust, verification, and fraud controls now have to keep pace with rapidly changing attack methods.
NHIMG editorial — based on content published by Sumsub: Identity Fraud Report 2024-2025
Questions worth separating out
Q: How should security teams reduce identity fraud without blocking legitimate users?
A: Use layered decisioning instead of single-step checks.
Q: Why do identity fraud controls fail when they rely on one strong signal?
A: Because attackers adapt to the strongest visible control and then reuse the same trusted identity across recovery, login, and support flows.
Q: What do security teams get wrong about deepfake-enabled fraud?
A: They often treat deepfakes as a novelty problem instead of a verification economics problem.
Practitioner guidance
- Layer verification signals across the identity journey Combine document checks, device intelligence, velocity controls, and recovery risk scoring so no single signal determines trust on its own.
- Review manual escalation thresholds for fraud operations Set trigger points for human review based on repeated exceptions, unusual recovery patterns, and high-risk jurisdictions so queues do not become the bottleneck.
- Harden recovery flows as primary fraud targets Treat password reset, account recovery, and support-assisted changes as high-risk identity events and apply stronger verification than standard login flows.
What's in the full analysis
Sumsub's full report covers the operational detail this post intentionally leaves for the source:
- Identity fraud rates by region and the underlying breakdown behind the report’s regional comparison
- The top five identity fraud types and how each category is trending in practice
- Industry-specific vulnerability patterns that help fraud and IAM teams prioritise controls
- Deepfake, regulation, and protection strategy sections that go deeper than this editorial summary
👉 Read Sumsub's Identity Fraud Report 2024-2025 →
Identity fraud in 2024-2025: what should IAM teams change now?
Explore further
Identity fraud is now an assurance problem, not just a verification problem. Once forged identity evidence can pass initial checks, the real control question becomes whether the programme can sustain trust across recovery, reauthentication, and lifecycle events. That shifts identity work from point-in-time validation to continuous confidence management. Practitioners should treat fraud resilience as part of IAM architecture, not as a separate operational lane.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when identity fraud succeeds through weak verification?
A: Accountability usually sits across fraud, IAM, customer operations, and compliance because the failure often spans onboarding, recovery, and access governance. Organisations should define ownership for each stage so no team assumes another one is watching the same trust boundary.
👉 Read our full editorial: Identity fraud in 2024-2025 is accelerating beyond current controls