Picture a customer who opened an account eighteen months ago. Passed every check — document upload cleared, SSN matched the credit bureau, no sanctions hits. Regular payments, low utilisation, gradually approved for higher credit limits. Then one Tuesday, they max everything out simultaneously and disappear. No address to serve. No real person to pursue. The identity never existed.
That’s the bust-out pattern. Industry estimates put synthetic identity fraud losses at $23 billion by 2030. Around 95% of synthetic identities pass standard onboarding checks without triggering a single flag.
The failure isn’t a gap you can patch. Static, point-in-time KYC was built for a world where fraudsters stole real identities. It was never designed to detect identities that were fabricated from scratch. This article explains why that matters, how synthetic identities exploit the gap, and what injection attacks do to any KYC stack that relies on document submission alone.
This article is part of our comprehensive modern identity proofing stack series, where we explore the architecture, signals, and governance required to replace static KYC with a defence that matches the threat.
What Is the Difference Between Identity Verification and Identity Proofing?
Most organisations use these terms interchangeably. That conflation is one of the root causes of the problem.
Identity verification checks that a credential is valid and unaltered. Is this document genuine? A passport check, a licence scan, a database match — these interrogate the document, not the person.
Identity proofing goes further. Is this person actually who they claim to be? That means binding a real, physically present human to the document — not just confirming the credential data adds up.
Static KYC typically stops at verification. The standard onboarding flow collects a document, matches data against databases, runs a sanctions screen, and approves. It never asks whether a real human stands behind the credential.
A synthetic identity is specifically designed to carry internally consistent documents. It passes verification — because the credential data is coherent. It fails proofing — because no real person is behind it. If your onboarding has only ever built verification into the process, you’ve left the door open by design.
Gartner predicts that by 2026, 30% of enterprises will no longer consider standalone identity verification reliable. The organisations moving ahead of that shift are building proofing capabilities now.
How Does a Synthetic Identity Actually Get Built?
A synthetic identity is a composite fabrication. The industry calls it Frankenstein fraud — assembled from real and invented parts.
The foundation is a stolen Social Security Number with no active credit file. The SSN is real; everything else — name, date of birth, address — is entirely made up. That pairing is what makes the identity internally coherent. The most verifiable element is genuine.
The fraudster then applies for low-risk credit products — a secured card, a retail store account. They get rejected initially. But the rejection causes the credit bureaus to generate a credit file for the fabricated identity. The file now exists.
Next comes piggybacking: gaining authorised-user status on established credit accounts, inheriting positive credit history. Over twelve to twenty-four months, on-time payments, low utilisation, and gradual approval for higher-limit products.
During this cultivation phase, the identity behaves identically to a legitimate customer. There is nothing to flag. And there is no victim to report the fraud — no one’s real identity was taken, so traditional fraud alerts never fire.
Why Do 95% of Synthetic Identities Pass Standard Onboarding Checks?
Because static KYC checks documents and databases — and synthetic identities are built to satisfy both.
Document verification confirms a credential is genuine and unaltered. A synthetic identity uses a real SSN paired with fabricated but internally consistent data. The document passes because it is technically valid.
Database matching cross-references against credit bureaus and sanctions lists. But a synthetic identity builds legitimate credit history during the cultivation phase — by the time of onboarding, it looks like a real customer with a clean file. Sanctions screening finds nothing, because nothing exists yet.
The 95% pass-through rate reflects a structural mismatch: onboarding checks ask “is this data consistent?” rather than “is this a real person?” The data is consistent — it was built to be. The person does not exist.
Improving document accuracy or expanding database coverage does not fix this. The gap is not in the quality of the checks. It’s in what the checks are designed to ask.
For the architectural response — the four-signal identity verification architecture that replaces single-check verification — see the next article in this series.
What Is Injection Attack Detection and Why Does It Close the Gap Static KYC Cannot?
Even organisations that have added a selfie step to their onboarding face a threat their systems may be structurally blind to: the injection attack.
An injection attack doesn’t spoof the camera — it bypasses it entirely. Instead of holding a deepfake image in front of the lens, the fraudster uses virtual camera software to replace the device’s real camera feed at the software layer. The verification system receives an injected stream and processes it as live input.
Presentation attacks are physical. Injection attacks are architectural. They require different defences, and static document checks have none for the latter. A selfie check cannot tell you whether the feed is coming from a live camera or a virtual camera stream.
Liveness detection is the specific countermeasure. It verifies that a real, physically present human is performing the check in real time — passive liveness analyses a selfie for skin texture, blood flow, and 3D depth; active liveness requires a physical response that makes replay attacks much harder.
Deepfake attacks targeting biometric KYC checks increased by 704% in 2023. FinCEN issued a formal alert in 2024 specifically about deepfake media in identity verification. That’s direct regulatory acknowledgement that document-only KYC leaves a gap that is being actively exploited.
What Does the Bust-Out Pattern Reveal About the Lifecycle Failure of Point-in-Time KYC?
Back to the opening scenario. Eighteen months of legitimate behaviour. One Tuesday event.
The bust-out pattern exposes a lifecycle gap static KYC was never designed to close. Identity is verified once, at onboarding, and never re-assessed. The fraud is not an onboarding failure — it is a lifecycle failure. The identity was always fraudulent; the fraud only materialises after the fraudster has maximised the trust the static system extended on day one.
The Equifax Digital Fraud Trends Report documents a 50% year-over-year increase in synthetic identity losses from 2022 to 2023. Synthetic identities are up to five times more likely to become delinquent than average accounts. Under a periodic KYC model, a fraudster who passes onboarding has a year or more of unmonitored access before the next check.
As Alloy puts it: “It’d be crazy to give someone access to your bank account after the first date, then wait a full year before checking in on them again. But that’s essentially what financial institutions that conduct periodic KYC rather than perpetual KYC do.”
Perpetual KYC (pKYC) replaces the scheduled review model with continuous, event-triggered monitoring. Risk profiles update automatically and trigger re-verification when signals escalate — not when the calendar says so.
For the full treatment of how continuous identity verification works operationally, see the article on continuous identity verification.
When Does Workforce Onboarding Become the Same Problem as Customer Identity Fraud?
The structural vulnerability in static KYC isn’t confined to financial services. One-time identity checks at onboarding, never re-assessed, create the same failure mode wherever they are used.
North Korean state-sponsored IT workers — documented by the FBI and Google Mandiant — have used the same synthetic identity techniques that defeat financial KYC to infiltrate Western tech companies as fake employees. One facilitator compromised more than 60 US identities, impacted more than 300 companies, and generated at least $6.8 million in fraudulent revenue.
The structural parallel is exact. A hiring background check confirms that identity data is consistent and clean. Synthetic credentials are built specifically to be consistent and clean. Neither check — financial KYC nor background verification — asks whether the person is real.
35% of hiring managers report interviewing someone who was not actually the person applying. If you’re running remote-first hiring, this risk is immediate. Someone on your team may not be who they claim to be — and the only check that confirmed their identity was done on day one.
For the full treatment of workforce identity proofing, including how to detect deepfake fraud during remote hiring, see the dedicated article on this topic.
What Does a Modern Identity Proofing Stack Look Like Instead?
Static KYC cannot be fixed by improving its individual components. The structural gap requires a different architecture.
A modern identity proofing stack operates on four signal types simultaneously. Document verification remains part of the picture — but it’s joined by liveness detection (confirming a real person is present and the feed is genuine), behavioural biometrics (monitoring typing cadence, touch pressure, and scrolling behaviour that are hard to fake at scale), and device intelligence (flagging emulator indicators, risky network patterns, and multiple accounts from a single device).
Each layer asks a different question. Together they answer the question static KYC never asked: is this a real person?
The operational model shifts from point-in-time to perpetual. Risk-based authentication adjusts verification intensity based on assessed risk — a routine low-risk login glides through, a large transaction from an unusual location escalates to full verification. Friction proportionate to risk, not friction applied uniformly at onboarding and then abandoned forever.
For the detailed architecture of how these four signals work together, see the four-signal identity verification architecture. For a practical guide to implementing continuous identity verification, see our article on continuous identity verification.
The Gap Is Structural — The Fix Has to Be Too
Static KYC was built for an analogue fraud landscape. Synthetic identity fraud, injection attacks, and deepfake-enabled workforce infiltration are products of the AI era. The failure mode is not a missed edge case — it is an architectural mismatch. Patching document accuracy or expanding database checks does not close a gap that was never about data quality in the first place.
The organisations building resilience now are replacing point-in-time checks with multi-signal, continuous verification architectures that ask the one question static KYC never did: is this a real person? For a full architecture overview, see our modern identity proofing stack, which maps the signals, governance layers, and implementation decisions covered across this entire series.
Frequently Asked Questions
Is synthetic identity fraud the same as identity theft?
No. Identity theft involves stealing a real person’s credentials — the victim exists and eventually notices. Synthetic identity fraud creates a fictional identity by combining real data fragments with fabricated personal details. There is no victim to raise an alarm, which is why synthetic fraud persists undetected for years.
Can a document check detect a deepfake?
No. Document verification confirms a credential is genuine and unaltered — it does not examine the video feed used to present the document. A deepfake injection attack bypasses the camera at the software layer entirely. Liveness detection is what closes this gap.
What is a virtual camera attack?
A virtual camera attack uses software to replace a device’s real camera feed with a deepfake stream during an identity verification session. The verification system receives the injected feed as live input, bypassing selfie and document-presentation checks. Unlike a presentation attack — a fraudster holding a photo in front of the camera — it operates entirely at the software layer.
What is the difference between KYC and identity proofing?
KYC verifies identity data against databases and documents at onboarding. Identity proofing confirms a real person stands behind the presented credentials — including liveness detection and biometric binding. KYC can be passed with consistent data; identity proofing requires confirmed human presence.
Why is a background check not enough to verify someone’s identity?
Background checks confirm that data associated with an identity — employment history, criminal record, credit file — is consistent and clean. Synthetic identities are constructed specifically to have consistent, clean records. A background check validates data integrity but cannot confirm the person behind the data is real. Same structural limitation as document-only KYC.
What happens when a synthetic identity slips through your KYC checks?
It enters a trust-building phase — on-time payments, low utilisation, gradual access to higher-value products — lasting twelve to twenty-four months. The fraud materialises in a bust-out event: all available credit lines maxed simultaneously, identity disappears. Losses are discovered only after the fact, with no real person to pursue.
How do I know if my identity stack is out of date?
If your onboarding relies solely on document upload and database matching — without liveness detection, behavioural biometrics, or device intelligence — it was designed for a pre-AI threat landscape. A single onboarding check that is never revisited cannot detect synthetic fraud or injection attacks.
What is perpetual KYC and how is it different from periodic reviews?
Perpetual KYC (pKYC) replaces calendar-based re-verification with continuous, event-triggered risk monitoring. Instead of checking identity every 12 months, pKYC reassesses when specific events occur — large transactions, address changes, unusual patterns. It detects the anomalies that precede bust-out events, which static and periodic KYC miss entirely.
Can AI-generated IDs really fool KYC systems?
Yes. AI-assisted document forgery rose from 0% to 2% of all identity fraud in 2025. Without liveness detection to confirm a real person is presenting the document, document-only verification cannot reliably distinguish a genuine credential from an AI-generated fabrication.
Static KYC vs perpetual KYC: what changes operationally?
Static KYC is a one-time onboarding event: collect documents, match databases, screen sanctions, approve. Perpetual KYC adds continuous monitoring — behavioural analytics engines, event-triggered re-verification, and risk-scoring models operating throughout the customer lifecycle. The shift is from a single checkpoint to an always-on monitoring posture. Cost increases are offset by reduced fraud losses and faster detection.
