Generative AI enabling identity fraud at scale: Au10tix report

An eight month-long identity fraud campaign coordinated by organized crime groups has attempted 22,080 fraudulent user onboarding attempts by repeatedly applying generative AI to a single passport has been found by Au10tix.

The ID fraud is characterized by Au10tix researchers as a “Mega-Attack.”

The company’s Q4 Global Identity Fraud Report describes two distinct patterns of digital identity fraud attacks at “mega” scale. Half of the 22 thousand attacks took place within a span of two to three weeks, qualifying it as a “sudden burst” attack. “Slow burn” attacks are more typical, where a large number (Au10tix’ example is 2,000) AI-generated IDs are used five or six times a day over a period closer to a full year. Au10tix found 10 such slow burn attacks in 2023.

Criminals carrying out mega-attacks tended to target payments and cryptocurrency services, Au10tix found. Payment services were targets in nearly half of total attacks. Social media attacks also increased by 21 percent, which the researchers suggest could be motivated by establishing social credibility for fake accounts.

Au10tix recommends organizations implement selfie biometrics for user onboarding, as part of a robust set of technologies for KYB, KYC and AML screening. The company also says that consortium validation can increase privacy and improve fraud protection.

“We detected these mega-attacks by cross-referencing anonymized ID data against AU10TIX’s consortium of 60+ top-tier organizations, demonstrating the power of collective expertise in identifying complex fraud patterns that may evade individual entities,” said Dan Yerushalmi, CEO of AU10TIX. “Sophisticated AI and deep-fake technology are helping organized crime groups escalate their attack numbers exponentially, but we will continue working to make the world a safer and more secure place.”

ID fraud makes up 45 percent of all fraud reported by banks and financial services providers, according to research from Synectics Solutions, and most of it originates online.

A national UK database of syndicated risk incidents shows that 24 percent of ID fraud involved fictitious names, 27 percent involved a real person’s address being stolen, and 28 percent involved at least one attribute, such as name or address, that had previously been flagged for potential ID fraud.

“With ID fraud, we’re definitely seeing a sliding scale of sophistication,” says Synectics’ Analytics Consultant Tomas Brown. “For instance, fake names can be relatively easy to spot in some cases, but when paired with real data and used to create a synthetic ID that has accumulated a ‘genuine’ credit rating, the task is much harder. Here, and certainly in the case of the 28 percent linked to previous applications, there’s clear value in being able to refence syndicated fraud data and check ID details against multiple sources.”

Checks against multiple authoritative sources can also lower the risk of false positives, the company says, particularly for legitimate customers with thin credit files who might otherwise be excluded from financial services.

Old school still on

Sophisticated mega-attacks with advanced technologies are coexisting alongside more traditional types of identity fraud.

Police in Hong Kong have arrested three people found in possession of 28 stolen ID documents and payment cards and tools for making fake IDs, South China Morning Post reports.

The trio are accused of stealing the ID documents and cards through various methods, and then manipulating the photos on them to pass face biometrics checks to open fraudulent online accounts.

Article Topics

AU10TIX  |  financial crime  |  fraud prevention  |  generative AI  |  selfie biometrics  |  Synectics Solutions  |  synthetic identity fraud