How do I know my online account isn't being opened by a fake version of me?
How banks, fintech fraud teams, and KYC providers stop an online account fake person from impersonating real customers during remote onboarding.
Opening a bank account, a brokerage profile, or a lending product now happens in minutes from a phone camera, and that convenience has quietly become the most contested perimeter in financial services. The unsettling question underneath every remote signup is whether the face on the screen belongs to the real applicant or to an online account fake person assembled from stolen documents, scraped photos, and generative video. For fraud teams at banks, fintechs, and KYC providers, the answer is no longer about matching a selfie to an ID. It is about proving that a living human, present in real time, is the one applying.
"8.3% of all new accounts created in the first half of 2025 were suspected to be fraudulent, a 28% increase over the same period in 2024, while synthetic identity fraud grew eight-fold to become the fastest-growing fraud category globally." - DeepStrike Deepfake Statistics 2025 and LexisNexis, reported by Biometric Update, 2025
Why an online account fake person is now easy to manufacture
A decade ago, impersonation required a forged plastic card and a cooperative branch employee. Today the raw materials are abundant and cheap. A single profile photo, a leaked driver's license scan, and a few dollars of cloud compute are enough to generate a moving, blinking, talking synthetic face. The volume of deepfake content online is projected to reach roughly 8 million pieces in 2025, up from 500,000 in 2023, a growth rate near 900% per year according to industry trackers compiled by DeepStrike. Deepfake-enabled fraud losses tripled from about $360 million in 2024 to $1.1 billion in 2025.
The mechanics of an online account fake person fall into a few repeatable patterns:
- Synthetic identity assembly, where real and fabricated data points are stitched into a person who has never existed.
- Face-swap deepfakes, where a generative model maps a stolen identity onto a live or recorded video stream.
- Replay and injection attacks, where pre-recorded or AI-generated video is fed directly into the verification pipeline, bypassing the camera entirely.
- Presentation attacks, where printed photos, screens, or 3D masks are held in front of the camera during a liveness check.
The common thread is that all of these can defeat a system that only checks whether a face looks correct. Appearance is exactly what generative models are optimized to fake.
How modern verification proves a real human is present
The defense that holds up against synthetic media does not ask "does this look like the right person." It asks "is this a living body." That shift is why physiological signals have moved to the center of anti-spoofing facial analysis. One of the most studied approaches is remote photoplethysmography, or rPPG, which reads the faint color changes in skin caused by blood flowing through facial capillaries with each heartbeat. A real person produces a measurable, rhythmic pulse signal. A printout, a screen, a mask, and most synthetic video do not.
The table below contrasts how different verification methods respond to the attack types fraud teams actually face.
| Verification method | Static photo / document | Replay / injected video | High-quality deepfake | Real present human |
|---|---|---|---|---|
| Document-to-selfie matching | Often passes | Often passes | Often passes | Passes |
| Active liveness (blink, turn, smile) | Blocks most | Vulnerable to scripted video | Increasingly vulnerable | Passes, adds friction |
| Frame-level deepfake artifact detection | Blocks most | Partial | Degrades as models improve | Passes |
| rPPG blood-flow liveness | Blocks (no pulse) | Blocks (no coherent pulse) | Blocks most (no physiological signal) | Passes, no action required |
The strategic value of a blood-flow signal is that it targets something a generator has no native reason to produce. A face swap optimizes pixels, not circulatory rhythm. That is the logic behind reading real blood flow to confirm there is a real person, with no pulse meaning no person.
Industry applications across onboarding teams
Banks and account opening
New account creation is the primary battleground. Only about one-third of financial organizations effectively detect most fraud during onboarding, according to 2025 industry surveys, which means the majority of losses are seeded at signup and surface later as credit abuse or money mule activity. Layering passive physiological liveness into the camera step lets a bank confirm a living applicant without adding the drop-off that scripted active challenges introduce.
Fintech and neobank fraud teams
Neobanks compete on frictionless onboarding, which makes them favorite targets for synthetic identity rings running automated signup at scale. A passive check that runs in the background of an ordinary selfie capture preserves conversion while filtering injected video and rendered faces before an account is ever provisioned.
KYC and identity verification providers
KYC vendors sit in the middle, supplying verification as a service to dozens of regulated clients. For them, anti-spoofing facial analysis is a shared defense layer. Adding a physiological signal to the stack raises the cost of attack across every downstream customer at once and supports defensible audit trails when regulators ask how presentation and injection attacks are handled.
Current research and evidence
The academic record on rPPG-based detection is maturing fast, and it is honest about both strengths and limits. A 2024 comprehensive review from Torrens University Australia cataloged how rPPG signal inconsistencies expose many manipulated videos because generative pipelines disrupt the subtle color rhythm of genuine skin. Work published through Frontiers and amplified by EurekAlert in 2025, often summarized as "high-quality deepfakes have a heart," cautioned that the newest generators can sometimes inherit or mimic a plausible heart-rate signal from source footage, which means a naive single-signal check is not a silver bullet.
That tension is the actual state of the art, and it points to a clear design principle:
- Physiological liveness is a powerful filter against the overwhelming majority of presentation, replay, and synthetic attacks.
- It is strongest when combined with injection-attack detection, device and signal integrity checks, and behavioral signals.
- Researchers including teams at Unimore have urged treating rPPG as one robust layer in a defense-in-depth design rather than a standalone verdict.
For fraud leaders, the takeaway is not that any single technique is invincible. It is that an attacker now has to defeat several independent physical and statistical properties at once, which collapses the economics of mass fraud.
The future of impersonation-resistant onboarding
Three shifts are likely to define the next phase. First, detection moves from artifact spotting to liveness biology, because chasing visual artifacts is a losing race against generators that improve monthly. Second, passive methods win on economics, since every second of friction costs legitimate conversions while the strongest physiological checks can run invisibly during a normal capture. Third, layered scoring becomes standard, with blood-flow liveness, injection detection, and risk signals feeding a single confidence decision rather than a brittle pass or fail gate.
Synthetic identity fraud is forecast to remain the defining onboarding threat into 2026 by reports from Mitek and Datos Insights, which means the institutions that treat liveness as a core control, not a checkbox, will carry the lowest fraud loss and the cleanest customer experience.
Frequently asked questions
Can a fraudster open an account using a deepfake of my face?
It is technically possible with stolen photos, but modern verification is built to stop it. Systems that confirm a living human, for example by reading blood-flow signals through the camera, are designed to reject recorded video, rendered faces, and screens because those lack a genuine physiological pulse.
How does blood-flow liveness tell a real person from a fake?
Remote photoplethysmography measures tiny color changes in facial skin caused by your heartbeat pumping blood through capillaries. A live person produces a coherent, rhythmic signal. A photo, mask, or most synthetic videos do not, so the absence of that signal flags an online account fake person.
Does this kind of check slow down my signup?
Passive physiological liveness can run in the background of an ordinary selfie capture, so most users experience no extra steps. That is a key reason fraud teams favor it over scripted challenges that ask people to blink or turn their head.
Is any single detection method enough on its own?
No. Research in 2024 and 2025 shows the strongest results come from layering blood-flow liveness with injection-attack detection and risk signals, so an attacker must defeat several independent defenses at once rather than fooling one model.
Circadify is building toward this layered standard, applying rPPG blood-flow analysis to separate living applicants from synthetic and replayed media at the moment an account is created. Fraud, KYC, and identity teams evaluating how to harden remote onboarding can request an enterprise security demo to see how physiological liveness fits into an existing verification stack.