Credit Risk Signals You Can Trust.

1. Introduction – Identity Is No Longer a Fixed Attribute

The biggest shift in fraud today isn’t the sophistication of attackers – it’s the way identity itself has changed.

AI has blurred the boundaries between real and fake. Identities can now be assembled, morphed, or automated using the same technologies that power legitimate digital experiences. Fraudsters don’t need to steal an identity anymore; they can manufacture one. They don’t guess passwords manually; they automate the behavioral patterns of real users. They operate across borders, devices, and platforms with no meaningful friction.

The scale of the problem continues to accelerate. According to the Deloitte Center for Financial Services, synthetic identity fraud is expected to reach US $23 billion in losses by 2030. Meanwhile, account takeover (ATO) activity has risen by nearly 32% since 2021, with an estimated 77 million people affected, according to Security.org. These trends reflect not only rising attack volume, but the widening gap between how identity operates today and how legacy systems attempt to secure it.

This isn’t just “more fraud.” It’s a fundamental reconfiguration of what identity means in digital finance – and how easily it can be manipulated. Synthetic profiles that behave like real customers, account takeovers that mimic human activity, and dormant accounts exploited at scale are no longer anomalies. They are a logical outcome of this new system.

The challenge for banks, neobanks, and fintechs is no longer verifying who someone is, but understanding how digital entities behave over time and across the open web.

2. The Blind Spots in Modern Fraud Prevention

Most fraud stacks were built for a world where:

• identity was stable
• behavior was predictable
• fraud required human effort

Today’s adversaries exploit the gaps in that outdated model.

Blind Spot 1 — Static Identity Verification

Traditional KYC treats identity as fixed. Synthetic profiles exploit this entirely by presenting clean credit files, plausible documents, and AI-generated faces that pass onboarding without friction.

Blind Spot 2 — Device and Channel Intelligence

Legacy device fingerprinting and IP checks no longer differentiate bots from humans. AI agents now mimic device signatures, geolocation drift, and even natural session friction.

Blind Spot 3 — Transaction-Centric Rules

Fraud rarely begins with a transaction anymore. Synthetics age accounts for months, ATO attackers update contact information silently, and dormant accounts remain inactive until the moment they’re exploited.

In short: fraud has become dynamic; most defenses remain static.

3. The Changing Nature of Digital Identity

For decades, digital identity was treated as a stable set of attributes: a name, a date of birth, an address, and a document. The financial system – and most fraud controls – were built around this premise. But digital identity in 2025 behaves very differently from the identities these systems were designed to protect.

Identity today is expressed through patterns of activity, not static attributes. Consumers interact across dozens of platforms, maintain multiple email addresses, replace devices frequently, and leave fragmented traces across the open web. None of this is inherently suspicious – it’s simply the consequence of modern digital life.

The challenge is that fraudsters now operate inside these same patterns.
A synthetic identity can resemble a thin-file customer.
An ATO attacker can look like a user switching devices.
A dormant account can appear indistinguishable from legitimate inactivity.

In other words, the difficulty is not that fraudsters hide outside normal behavior – it is that the behavior considered “normal” has expanded so dramatically that older models no longer capture its boundaries.

This disconnect between how modern identity behaves and how traditional systems verify it is precisely what makes certain attack vectors so effective today. Synthetic identities, account takeovers, and dormant-account exploitation thrive not because they are new techniques, but because they operate within the fluid, multi-channel reality of contemporary digital identity – where behavior shifts quickly, signals are fragmented, and legacy controls cannot keep pace.

4. Synthetic IDs: Fraud With No Victim and No Footprint

Synthetic identities combine real data fragments with fabricated details to create a customer no institution can validate – because no real person is missing. This gives attackers long periods of undetected activity to build credibility.

Fraudsters use synthetics to:

• open accounts and credit lines,
• build transaction history,
• establish low-risk behavioral patterns,
• execute high-value bust-outs that are difficult to recover.

Why synthetics succeed

• Thin-file customers look similar to fabricated identities.
• AI-generated faces and documents bypass superficial verification.
• Onboarding flows optimized for user experience leave less room for deep checks.
• Synthetic identities “warm up” gradually, behaving consistently for months.
  
  

Equifax estimates synthetics now account for 50–70% of credit fraud losses among U.S. banks.

What institutions must modernize

One-time verification cannot identify a profile that was never tied to a real human. Institutions need ongoing, external intelligence that answers a different question:

Does this identity behave like an actual person across the real web?

5. Account Takeover: When Verified Identity Becomes the Attack Surface

Account takeover (ATO) is particularly difficult because it begins with a legitimate user and legitimate credentials. Financial losses tied to ATO continue to grow. VPNRanks reports a sustained increase in both direct financial impact and the volume of compromised accounts, further reflecting how identity-based attacks have become central to modern fraud.

Fraudsters increasingly use AI to automate:

• credential-stuffing attempts,
• session replay and friction simulation,
• device and browser mimicry,
• navigation patterns that resemble human users.

Once inside, attackers move quickly to secure control:

• updating email addresses and phone numbers,
• adding new devices,
• temporarily disabling MFA,
• initiating transfers or withdrawals.

Signals that matter today

Early indicators are subtle and often scattered:

• Email change + new device within a short window
• Logins from IP ranges linked to synthetic identity clusters
• High-velocity credential attempts preceding a legitimate login
• Sudden extensions of the user’s online footprint
• Contact detail changes followed by credential resets
  
  

The issue is not verifying credentials; it is determining whether the behavior matches the real user.

6. Dormant Accounts: The Silent Fraud Vector

Dormant or inactive accounts, once considered low-risk, have become reliable targets for fraud. Their inactivity provides long periods of concealment, and they often receive less scrutiny than active accounts. This makes them attractive staging grounds for synthetic identities, mule activity, and small-value laundering that can later escalate.

Fraudsters use dormant accounts because they represent the perfect blend of low visibility and high permission: the infrastructure of a legitimate customer without the scrutiny of an active one.

Why dormant ≠ low-risk

Dormant accounts are vulnerable because of their inactivity – not in spite of it.

• They bypass many ongoing monitoring rules.
  Most systems deprioritize accounts with no transactional activity.
• Attackers can prepare without triggering alerts.
  Inactivity hides credential testing, information gathering, and initial contact-detail changes.
• Reactivation flows are often weaker than onboarding flows.
  Institutions assume returning customers are inherently trustworthy.
• Contact updates rarely raise suspicion.
  A fraudster changing an email or phone number on a dormant account is often treated as routine.
• Fraud can accumulate undetected for long periods.
  Months or years of dormancy create a wide window for planning, staging, and lateral movement.

Better defenses

Institutions benefit from:

• refreshing identity lineage at the moment of reactivation,
• updating digital-footprint context rather than relying on historical data,
• linking dormant accounts to known synthetic or mule clusters.

Dormant ≠ safe. Dormant = unobserved.

7. How Modern Fraud Actually Operates (AI + Lifecycle)

Fraud today is not opportunistic. It is operational, coordinated, and increasingly automated.

How AI amplifies fraud operations

AI enables fraudsters to automate tasks that were once slow or manual:

• Identity creation: synthetic faces, forged documents, fabricated businesses
• Scalable onboarding: bots submitting high volumes of applications
• Behavioral mimicry: friction simulation, geolocation drift, session replay
• Customer-support evasion: LLM agents bypassing KBA or manipulating staff
• OSINT mining: automated scraping of breached data and persona fragments

This automation feeds into a consistent operational lifecycle.

The modern fraud lifecycle

1. Identity Fabrication
   AI assembles identity components designed to pass onboarding.
2. Frictionless Onboarding
   Attackers target institutions with low-friction digital processes.
3. Seasoning or Dormancy
   Accounts age quietly, building legitimacy or remaining inactive.
4. Account Manipulation
   Email, phone, and device updates prepare the account for monetization.
5. Monetization & Disappearance
   Funds move quickly – often across jurisdictions – before detection.

Most institutions detect fraud in Stage 5. Modern prevention requires detecting divergence in Stages 1–4.

8. Rethinking Defense: From Static Checks to Continuous Intelligence

Fraud has evolved from discrete events to continuous identity manipulation. Defenses must do the same. This shift is fundamental:

Institutions must understand identity the way attackers exploit it – as something dynamic, contextual, and shaped by behavior over time.

9. Conclusion

Fraud is becoming faster, more coordinated, and scaling at levels never seen before. Institutions that adapt will be those that begin viewing it as a continuously evolving system.

Those that win the next phase of this battle will stop relying on static checks and begin treating identity as something contextual and continuously evolving.

That requires intelligence that looks beyond internal systems and into the open web, where digital footprints, behavioral signals, and online history reveal whether an identity behaves like a real person, or a synthetic construct designed to exploit the gaps.

‍

At Heka Global, our platform delivers real-time, explainable intelligence from thousands of global data sources to help fraud teams spot non-human patterns, identity inconsistencies, and early lifecycle divergence long before losses occur.

In an AI-versus-AI world, timing is everything. The earlier your system understands an identity, the sooner you can stop the threat.

‍