How do companies stop scammers from opening accounts using stolen identities, before it's too late?

The moment a new account is created is the single most exposed point in any digital relationship. A fraudster who clears the onboarding gate inherits a clean record, a funding rail, and the institution's own credibility. To stop scammers from opening stolen identity accounts, security teams have to win the contest at that first interaction, because every control downstream is built on the assumption that the person who opened the account was who they claimed to be. Once that assumption is wrong, recovery becomes forensic cleanup rather than prevention. For CISO teams, identity platform providers, and government ID verification bodies, the account opening flow is no longer a convenience feature. It is the front line of financial crime defense.

U.S. lenders were exposed to more than $3.3 billion in potential losses from synthetic identities tied to newly opened accounts in 2024, with the share of synthetic identities among new accounts reaching an all-time high. - TransUnion research analysis, 2024

Why it is so hard to stop scammers from opening stolen identity accounts

The problem has shifted from stolen credentials to fabricated and hybrid identities. A scammer rarely needs to perfectly impersonate a real victim. Instead, they assemble a "synthetic" identity by combining a genuine but inactive Social Security number with a fabricated name, address, and date of birth, then nurse that profile through credit-building behavior until it qualifies for real products. Experian reported that synthetic identity fraud reached record levels in 2024, and analysts estimate that up to 80 percent of all new account fraud is now driven by synthetic identities. In the UK, synthetic identity fraud cases rose 60 percent in 2024 compared with 2023, accounting for nearly a third of all identity fraud cases.

Document-based and knowledge-based checks were designed for a world where forging a convincing identity was expensive and slow. That world is gone. Generative AI tools now let criminals fabricate plausible identity documents and selfie imagery at scale, and 62 percent of banks consider digital onboarding the single highest-risk point for synthetic identity exposure. The defensive question has moved from "does this document look real?" to "is there a real, present human behind this submission, and does that human match the claimed identity?"

That second question is where biometric liveness and presentation attack detection enter. A printed photo, a replayed video, a 3D mask, or an AI-generated face are all examples of presentation attacks, and each one is an attempt to satisfy a face-match check without a genuine live subject. Passive liveness detection answers the question without asking the user to blink, smile, or turn their head. It analyzes the natural signals already present in a single camera capture, which keeps the experience fast for legitimate users while removing the scripted cues that attackers rehearse against.

Comparing verification approaches at the point of account opening

Not every control performs equally against a determined fraudster armed with stolen data and synthetic assets. The table below compares common methods used during remote account opening.

Verification method	Stops stolen data reuse	Stops synthetic identity	Stops deepfake / replay	User friction
Knowledge-based questions	Low	Low	N/A	Medium
Document scan only	Medium	Low	Low	Medium
One-time passcode (SMS/email)	Low	Low	N/A	Low
Active liveness (blink, turn head)	Medium	Medium	Medium	High
Passive liveness + PAD	High	High	High	Low
Document + passive liveness + rPPG	High	High	High	Low

A few patterns stand out from how teams deploy these controls in practice:

• Knowledge-based questions and one-time passcodes verify possession of data or a device, not the presence of a person, so they fall quickly to stolen credentials and SIM-related abuse.
• Document checks confirm the artifact, but a fabricated or stolen document paired with a matching selfie still passes unless liveness confirms a live human.
• Active liveness improves assurance but introduces friction and predictable challenge prompts that attackers script against, raising abandonment among genuine applicants.
• Layering passive liveness with remote photoplethysmography (rPPG), which reads subtle blood-flow signals from the face, raises the cost of an attack while keeping the genuine user's path to a single glance.

Industry applications

Financial services and lending

Banks and lenders carry the heaviest exposure because a synthetic account can sit dormant, build credit, and then "bust out" with maximum drawdown. Embedding presentation attack detection at onboarding lets risk teams reject fabricated faces before the account ever funds, shrinking the window between application and loss. With reported new account fraud across all types reaching $6.2 billion in 2024, the economics of front-loading verification are difficult to argue against.

Government ID verification and public benefits

Agencies issuing credentials or disbursing benefits face organized attempts to claim entitlements under stolen or invented identities. Government ID verification technology that pairs document authentication with passive liveness supports remote identity proofing at population scale without forcing citizens through awkward movement challenges that disproportionately exclude older or less technical applicants.

Identity platform providers

Platforms that sell verification as a service must defend many tenants against shared attack playbooks. A presentation attack that succeeds against one customer is quickly reused against others. Centralized eKYC biometric liveness, continuously tuned against new attack types, gives every downstream client the benefit of collective defense.

Current research and evidence

NIST anchors much of the testing rigor in this space. Its biometric Presentation Attack Detection testing program and the Face Recognition Vendor Test evaluate how reliably systems separate live subjects from artifacts, while NIST Special Publication 800-63 sets identity proofing and authentication expectations that many regulated buyers treat as a baseline. The international standard ISO/IEC 30107-3 defines how PAD subsystems should be measured, giving procurement teams a vocabulary for comparing attack presentation classification error rates rather than vendor marketing claims.

The evidence from the fraud side reinforces the urgency. TransUnion's 2024 analysis traced more than $3.3 billion in synthetic identity exposure to newly opened accounts, and separate reporting documented synthetic account fraud attempts growing 153 percent from late 2023 to early 2024. Experian's record-level findings and the UK's 60 percent year-over-year increase point to the same conclusion that researchers across institutions keep reaching: the volume and sophistication of attacks at onboarding are climbing faster than legacy controls can adapt. The methods that hold up are the ones that confirm a living, present human rather than the data or documents a scammer can simply acquire.

The Future of stopping scammers at account opening

Three shifts are likely to define the next several years. First, the attack surface will keep tilting toward AI-generated faces and injected video, pushing detection from "is this a photo of a screen?" toward "is this signal physiologically consistent with a live human?" Approaches grounded in involuntary biological cues, including rPPG-based identity verification, are positioned for this because they target signals that are hard to synthesize convincingly.

Second, expect tighter coupling between liveness and continuous risk signals. Verification at onboarding will increasingly feed device, behavioral, and network intelligence so that a passed liveness check is one strong input among several, not a single binary gate.

Third, regulatory frameworks will harden. As NIST, ISO, and regional supervisors formalize expectations for remote identity proofing, buyers will demand standards-aligned PAD evidence as a condition of procurement. The organizations that treat passive liveness as core infrastructure, rather than a bolt-on, will be the ones able to stop scammers from opening stolen identity accounts before the loss is booked.

Frequently asked questions

What is the difference between a stolen identity and a synthetic identity? A stolen identity uses a real person's complete information without consent. A synthetic identity blends real data fragments, often a valid but unused Social Security number, with fabricated details to create a new persona that does not map to any single victim, which makes it harder to detect through traditional checks.

Why is account opening the most important moment to stop fraud? Once an account exists, downstream controls assume the holder was legitimately verified. Catching a fraudulent application at onboarding prevents the account from funding, building credit, or accessing benefits, so prevention there is far cheaper than remediation later.

Does passive liveness detection slow down legitimate users? No. Passive liveness analyzes a single natural camera capture without asking the user to blink, smile, or turn their head, so genuine applicants typically clear the check in seconds while presentation attacks are rejected.

How does presentation attack detection handle AI-generated faces? Modern PAD looks for physiological and capture-level signals consistent with a real, present human. Techniques such as rPPG read subtle blood-flow cues that synthetic media struggles to reproduce, raising the cost of deepfake and injection attacks.

Circadify is building toward this future of high-assurance, low-friction verification, applying passive liveness and presentation attack detection so institutions can confirm a real human at the riskiest moment without scripted challenges. Teams designing onboarding defenses can review the fraud detection integration guide to see how these controls fit into an existing identity stack.