Deepfakes and identity: detection methods in 2026

2025 was a tipping point. The Sumsub Identity Fraud Report 2025 documented an unprecedented surge in deepfakes applied to identity fraud: +700% in deepfake video scams over the year, 8 million deepfakes online at the end of 2025 versus 500,000 in 2023, and +2,665% in virtual-camera attacks on biometric onboarding flows. If you steer compliance at a bank, a fintech, a crypto platform, or an iGaming operator, the question is no longer "how do we stop deepfakes?" but "how do we build an anti-fraud framework that stays resilient when biometrics become attackable?". We see it across our engagements: rethinking eIDV (electronic identity verification) as a multi-layer system, with transactional data taking center stage, is no longer optional.

The documented surge in deepfakes

The numbers speak for themselves. The table below compiles the 2024-2025 statistics published by the main players in identity fraud prevention.

IndicatorMeasurementSource
Deepfake growth+4× (2023 → 2024)Sumsub Identity Fraud 2024
Deepfake video scams 2025+700% (159,378 cases in Q4)ScamWatch HQ 2025
Deepfakes online end of 20258M (vs 500k in 2023)Cyble 2025
Fintech: deepfake growth+533%Sumsub 2024
Crypto: deepfake growth+217%Sumsub 2024
iGaming: deepfake growth+1,520%Sumsub 2024
Face-swap on IDV+704% (since 2023)iProov 2025
Virtual camera (stream attack)+2,665%iProov 2025
Vishing (deepfake voice)+442%CrowdStrike 2025
Bank contact centers+1,300% deepfakePindrop 2025
Projected AI fraud losses 2027USD 40 billionDeloitte

The Arup case (February 2024) remains the headline example: a Hong Kong-based employee transferred USD 25.6 million across 15 wire transfers after a video conference in which the CFO and several colleagues were real-time deepfakes. What was an experimental attack in 2023 has become an industrialized attack in 2025.

::: callout-info In brief Deepfake-based identity fraud is no longer a fringe phenomenon. It accounts for between 5% and 10% of fraud attempts on B2C eIDV (electronic identity verification) services in 2025, with a sharp sector concentration on fintech, crypto, and iGaming. The 2027 projection (Deloitte) estimates annual losses at USD 40 billion. :::

Why biometrics alone are no longer enough

For a decade, biometric verification with active or passive liveness check was the standard of modern eIDV. The captured selfie of the customer was matched against the ID document photo, and a physical-presence test (blinks, head movements, texture analysis) guaranteed that the user was neither a recorded video nor a printed photo.

This architecture was designed to withstand classic presentation attacks. It was not designed to withstand 2025-grade generative AI. The gap is now measurable.

Real-time face-swap. Open-source models (DeepFaceLab, FaceFusion) have been producing live face swaps at 30 frames per second with photographic fidelity since 2024. On a standard webcam stream, the output passes uncertified passive PAD (Presentation Attack Detection) without difficulty. iProov measures +704% face-swap since 2023.

Virtual camera. Rather than attacking the PAD, fraudsters hijack the stream. A virtual camera (OBS Studio + plugin) injects a synthetic video prepared in advance or a live face-swap stream. The eIDV app's software module cannot, by default, distinguish a physical webcam stream from a software stream. iProov measures +2,665% on this technique.

Voice cloning. ElevenLabs, Resemble, and Coqui models produce convincing voice clones from 30-second samples. On bank contact centers, Pindrop measures +1,300% deepfake voice attacks. CrowdStrike measures +442% on vishing (voice phishing).

Synthetic documents. Beyond biometrics, ID documents themselves are being generated: diffusion-model ID photo, coherent biographical data, simulated background and holograms. Onfido/Entrust measures that 2% of fake documents in online KYC (Know Your Customer — customer identity verification) are now AI-generated.

Three lines of defense on the biometric side:

1. ISO/IEC 30107-3 Level 2 certified PAD (iBeta): resistance to 3D attacks, masks, calibrated deepfakes. Necessary but not sufficient alone. 2. Channel detection: webcam stream fingerprint vs virtual camera, software module signature, environment attestation (App Attest, Play Integrity). Eventually vulnerable to attacks against the attestation itself. 3. Model detection: statistical fingerprints typical of generative model outputs (spectral artifacts, temporal coherence). A permanent arms race between attackers and defenders.

ENISA, in its 2025 guidelines on AI threats, explicitly concludes that liveness detection is insufficient against advanced generative AI. Biometrics remain useful, but they can no longer carry the burden of identity verification alone.

Biometrics without external corroboration are today a castle with a wooden front door.

Why transactional data remains resilient

This is where transactional data changes the nature of the problem. An attacker can generate a face in seconds. An attacker can print a fake passport for a few hundred euros. An attacker cannot generate at scale:

  • 18 months of Carrefour, Amazon, or FNAC purchase history at a coherent address
  • 3 years of Orange, SFR, or Bouygues subscription on a non-recycled phone number
  • A tax notice issued by the French DGFiP (tax administration) that cross-references the declared employer's data
  • A SEPA transfer history on an IBAN active for more than 24 months
  • A Sephora loyalty account with recurring purchases and coherent delivery addresses

Each of these footprints is, taken in isolation, falsifiable with effort. Their convergence is statistically unfalsifiable at scale. To fabricate 100 synthetic identities with these characteristics, an attacker would have to coordinate a fraud at nation-state level. Deepfakes excel in one-shot attacks (Arup case, USD 25.6M across 15 wire transfers). They fail at scale.

The FATF (Financial Action Task Force), in its behavioral analytics & transaction monitoring guidelines, explicitly recommends a convergent approach combining identity signals + behavioral signals + transactional signals. That is exactly the trade we have been practicing for 45 years.

::: callout-info The anti-deepfake mantra

  • Today, everything can be forged — except real life and what people actually buy.
  • A deepfake fabricates a face. It does not fabricate 18 months of Carrefour purchases.
  • Three converging transactional sources are worth one Level-2 certified biometric.
  • The biometrics + data combination is more resilient than the sum of its parts.

:::

Multi-layer detection strategies

An eIDV architecture resilient to deepfakes in 2026 is organized into five complementary layers.

Before the selfie itself, observe the channel: device type, browser fingerprint, IP address, OS attestation (App Attest on iOS, Play Integrity on Android), absence of a virtual camera. This layer rejects 20% to 30% of attempts at near-zero cost. Industrialized attacks always leave traces on the channel.

Does the declared individual exist in real life, at this address, under this name, since this date? eIDV by transactional data queries 4,000 worldwide sources and 197 countries. Convergence across purchases + telecom + government sources guarantees real existence. For a file with strong convergence, biometric friction can be lightened. For a doubtful file, we harden the next layer.

For doubtful files or for operations at the eIDAS 2.0 (the EU electronic ID regulation) substantial/high assurance level, biometric face match + ISO/IEC 30107-3 Level 2 certified liveness PAD + virtual-camera detection + software module signing. The goal is not perfection: it is to harden enough so the attack costs more than the benefit.

OCR (optical character recognition) + pixel-level analysis + AI-generated document detection + NFC (Near Field Communication — contactless chip reading) on compatible documents (passport, the French electronic ID card known as CNIe). NFC reading is today the most reliable barrier against synthetic documents: the cryptographic signature of the ICAO chip cannot be forged without access to the issuing country's private key.

An identity that passes onboarding but starts behaving atypically (urgent transfers, inconsistent geolocation, suspicious account linkages) should raise an alert within 90 days of account opening. Dynamic KYC fueled by transactional signals catches what slips past the first barrier.

::: callout-info Euroleads recommendation: target architecture 2026 1. Channel pre-filtering (20-30% free rejects) 2. eIDV by transactional data as the first barrier (60-70% auto-validated) 3. Level-2 certified biometrics + virtual camera detection on doubtful slice (10-20%) 4. Document verification with NFC reading for high eIDAS requirement 5. 90-day continuous monitoring post-onboarding :::

The cost of a biometrics-only approach in 2026

It is tempting to keep hardening biometrics indefinitely. That is an economically losing strategy. Each additional PAD layer adds friction, increases customer abandonment, and costs conversion points. The unfavorable economic calculus shows up from 5,000 onboardings/month: the loss of legitimate customers due to biometric false positives exceeds the marginal gain of avoided fraud.

Conversely, offloading biometrics from the first barrier and relying on eIDV by data allows you to:

  • Reserve biometric friction for genuine zones of uncertainty
  • Maintain a higher overall security level (deepfake resilience)
  • Reduce customer abandonment from 25% to 5% (measured on an online-banking case)
  • Reach a measured 220:1 ROI

Regulatory framework to know

Three texts shape the deepfake response in 2026:

  • AI Act (EU Regulation 2024/1689): imposes traceability and watermarking of AI-generated content, but is not enough on its own to protect eIDV.
  • eIDAS 2.0: maintains and tightens the assurance levels for electronic identity. The high level is gradually becoming the norm for online banking and sensitive financial services.
  • AMLD6 (the 6th EU Anti-Money Laundering Directive, part of the EU rules against fraud and money laundering): tightens CDD (Customer Due Diligence — standard client checks) and EDD (Enhanced Due Diligence — reinforced checks on high-risk profiles) requirements, and mandates documenting the reliability of the verification methods used. Biometrics without corroboration no longer pass an ACPR audit on sensitive profiles.

ENISA and the EBA published explicit recommendations in 2025 to combine behavioral analytics, transaction monitoring, and identity verification into a resilient architecture. That is precisely the value of transactional data applied to eIDV.

Key takeaways

::: callout-info Remember

  • +700% deepfake scams in 2025, 8 million deepfakes online at the end of 2025
  • By sector: fintech +533%, crypto +217%, iGaming +1,520%
  • Biometrics alone, even certified, are no longer enough against generative AI
  • Transactional data is nearly unfalsifiable at scale: it is the most resilient layer
  • The 2026 target architecture combines 5 layers: channel → data → biometrics → document → continuous monitoring
  • 220:1 ROI on online banking with abandonment reduced from 25% to 5%

:::

To understand how to combine these layers in a concrete project, read our eIDV vs biometrics vs document verification comparison and Transactional data sources: why they change the game. On AI applied to fraud prevention, see AI and fraud detection: state of the art 2026. For regulatory foundations, consult the eIDV: electronic identity verification pillar and the banking KYC page. The European timeline is detailed in eIDAS 2.0 and the EUDI Wallet.

Measuring your exposure to deepfake risk today? We have been verifying identity for 45 years by cross-referencing verified purchase transactions, government, telecom, and media sources. Together we build the resilient architecture suited to your volumes and your regulatory requirements.

::: cta Assess your anti-deepfake architecture with our experts? Discuss your project :::