These AI-manufactured identities can fool your verification systems and disappear with massive transactions
In early 2024, a finance employee at a UK engineering giant, Arup, transferred $25 million to criminals during a video conference featuring multiple AI-generated ‘executives’—each a convincing deepfake.
In the grand scheme of things, synthetic identity fraud losses topped £300 million in the UK alone during 2024 and these attacks are accelerating across Europe as AI makes fake identities virtually undetectable.
In this article, we explore how fraudsters construct these fabricated identities, why they bypass traditional detection methods and which layered defence strategies—built for EU compliance requirements—protect your payment operations before synthetic accounts mature into catastrophic losses.
What is Synthetic Identity Fraud?
Synthetic identity fraud involves piecing together fragments of real personal data with fabricated details to create a brand-new persona that passes surface-level checks. Unlike classic identity theft, you rarely have an aggrieved customer calling to report misuse because the “victim” never truly exists.
That absence of a complainant buys fraudsters time to open accounts, build credit histories and quietly transact before draining funds or triggering chargebacks.
This tactic has exploded across Europe. AI-generated IDs, deepfake selfies and doctored documents drove a 378% year-on-year surge in synthetic fraud attempts, with Germany recording 567% growth and France 281% growth in one recent study.
The hardest-hit sectors include crypto exchanges, online trading platforms, fintech lenders, iGaming operators and transportation marketplaces. Fraud rings favour these verticals because fast digital onboarding and instant payouts create ideal conditions for synthetic profiles to act authentically, gain trust, then disappear.
How Synthetic ID Fraud Works
Fraudsters follow a predictable playbook that exploits gaps in one-time KYC processes and GDPR-driven data silos. The attack unfolds across five calculated stages:
- Data harvesting – scrape breaches, buy leaked credentials or coax individuals to sell legitimate information on underground markets.
- Identity assembly – blend real elements (national insurance number, address) with invented data (email, phone) to create a plausible but non-existent person.
- Account creation – use AI-forged documents or deepfake biometrics to pass automated onboarding.
- Trust building – transact modestly, repay small credit lines and interact like a model customer for six to twelve months.
- Monetisation – escalate limits, request large withdrawals or orchestrate chargeback-prone purchases before abandoning the account.
Because part of the profile is genuine, database look-ups often confirm authenticity. Meanwhile, the fabricated portions prevent any real consumer from noticing misuse. GDPR’s emphasis on collecting only necessary data can help these identities slip through—your team sees fewer signals to cross-check and privacy rules restrict data sharing across institutions.
Methods of Synthetic Identity Fraud
Fraud rings keep innovating, but several techniques dominate today’s EU threat landscape:
- AI-generated documents and IDs create passports, driving licences and utility bills so lifelike that manual reviewers struggle to spot flaws..
- Deepfakes and biometric spoofing produce video callers who blink, turn and speak on cue, yet the face is entirely synthetic.
- Fraud-as-a-Service kits offer turnkey platforms selling ready-made synthetic profiles, complete with device fingerprints and usage scripts. This lowers the technical barrier for would-be scammers.
- “Frankenstein” identities combine data points from different people into one profile, complicating traditional rule-based matching systems.
- Sleeper accounts maintain impeccable behaviour for months, building credit and transaction histories before executing a high-value cash-out.
These tactics make synthetic customers appear more reliable than many genuine newcomers. That’s why static onboarding controls alone no longer suffice—you need continuous monitoring throughout the customer relationship.
The Hidden Cost of Synthetic Identity Fraud for EU Merchants
Synthetic identity fraud can impact operations from the first hit to long after settlement. Direct losses morph into chargebacks, complex investigations and regulatory exposure under GDPR and PSD2.
Once a synthetic identity surfaces, disputed transactions hit your ledger in waves. The average per-case losses are near €15,000, with up to 20% of all transactions tagged as suspicious during an outbreak. Each reversal forces you to absorb fees, replenish inventory and reconcile shrinking revenue.
Winning these disputes becomes challenging since no genuine cardholder exists to confirm fraud. Under PSD2 liability rules, you shoulder the chargeback unless strong customer authentication is provable.
Five Strategies for Payment Operations Leaders to Combat Synthetic Identity Fraud
You can no longer rely on point-in-time KYC or a single fraud tool to spot these carefully nurtured personas. A layered defence—spanning onboarding, real-time monitoring and structured incident response—keeps your payment flow moving while meeting GDPR and PSD2 obligations.
Here are five practical moves you can adapt to your own risk appetite and tech stack.
Implement Multi-Source Identity Verification Beyond Basic Checks
Some KYC implementations validate each datapoint in isolation, which synthetic profiles exploit. Also, know that synthetic rings thrive on fragmented oversight. A profile declined by one lender can walk straight into another storefront when systems don’t communicate.
You can use consortium databases that pool anonymised identity hashes across banks, fintechs and marketplaces to strengthen your evidence web without storing raw personal data, preserving GDPR compliance. Joining an identity consortium lets you share hashed identifiers—email, phone, device, IBAN—without exchanging raw PII.
For example, if three members flag the same phone-passport pair inside a week, your onboarding flow gains the signal it needs to block or escalate.
When a birth date appears in three registries, yet the supporting address shows up nowhere, you have an early warning to step up verification before onboarding that account.
Deploy Behavioural Analytics That Detect Non-Human Patterns
Deepfake webcams and perfectly forged documents fool visual checks, but they struggle to mimic messy human behaviour. Behavioural analytics watches how an applicant types, swipes and navigates your checkout.
Uniform keystroke intervals, flawless mouse arcs or logins that never deviate from a single IP block all hint at automation rather than a living customer.
These subtle cues now sit alongside device fingerprinting and network telemetry, giving you a behavioural baseline that adapts over time. Under GDPR, organisations are required to minimise data collection and keep only what is necessary for purposes such as fraud prevention.
Quick reviews on high-risk scores keep friction low for genuine clients while pushing suspicious sessions into enhanced screening.
Automate Continuous Identity Validation Throughout Customer Lifecycle
Fraudsters play the long game. Many synthetic identities build impeccable payment histories for six months before cashing out. Treating verification as a one-off exercise leaves you exposed to this patient approach.
Scheduled re-checks of document validity, address consistency and device hygiene reveal dormant fraudsters who quietly mutate their details over time.
Machine-learning models can now flag sudden shifts—new shipping destinations, midnight login spikes, fresh devices with zero browsing history. Because GDPR champions data minimisation, organisations may set retention periods informed by risk assessments.
However, GDPR does not mandate tying retention periods to risk scores or the selective purging of low-risk data while retaining high-risk profiles.
Create Rapid Response Protocols for Suspected Synthetic Identity Cases
When a synthetic ring finally trips your defences, minutes matter. Draft a playbook covering evidence preservation, regulatory disclosure, chargeback contestation and, where relevant, law-enforcement liaison.
List the internal owners for each action, so approval bottlenecks don’t stall a freeze on high-value payouts.
PSD2 requires prompt incident reporting. Automating ticket creation inside your case-management system channels disputed transactions, device logs and customer communications into one workspace, shaving hours off your resolution timeline.
A structured response plan turns a potential avalanche of chargebacks into a contained operational event.
Protect with the Right Infrastructure and Platform
The urgency to act against these evolving threats is real. Start by reviewing your identity verification protocols—are they robust enough to detect inconsistencies in synthetic identities? Consider how often you update your KYC procedures and whether you’ve integrated multi-factor authentication beyond basic checks.
Mere checklist compliance won’t suffice in this environment. Advanced payment infrastructures with built-in fraud detection and cross-platform identity consortiums provide real-time threat intelligence that can make the difference between containment and catastrophic loss.