7 Ways Scammers Beat Face Verification (And the Fix)
A breakdown of the seven ways scammers beat face verification, from printed photos to deepfakes, and why blood-flow detection neutralizes presentation attacks.

Fraud teams at banks and fintechs have watched a quiet inversion take place. The selfie check that once filtered out casual fraudsters has become a predictable obstacle that organized fraud rings have learned to dismantle, one attack vector at a time. Understanding the specific ways scammers beat face verification is now a prerequisite for any KYC program that wants to keep synthetic identities out of its onboarding funnel. Most defeated systems were not weak by accident; they were built to confirm that a face matches a document, not to confirm that the face belongs to a living person sitting in front of the camera.
"Deepfakes accounted for roughly 40% of all video biometric fraud attempts in 2024, with a deepfake identity attack occurring somewhere in the world every five minutes." - DeepStrike Deepfake Statistics, 2025
The gap between what a verification system checks and what an attacker actually presents is where fraud lives. A presentation attack is any artifact placed in front of a sensor to impersonate a legitimate user, and an injection attack bypasses the camera entirely by feeding synthetic frames into the video pipeline. Both routes exploit the same blind spot: traditional systems analyze appearance, and appearance is exactly what generative tools and cheap props now manufacture at scale.
The ways scammers beat face verification
Anti-spoofing facial analysis has to account for a catalog of attacks that ranges from a printed sheet of paper to fully synthetic video streams. The following seven methods cover the overwhelming majority of presentation attack types seen in production fraud attempts. They are ranked roughly by sophistication, from the crudest physical artifact to the most advanced synthetic media.
- Printed photo attacks. A high-resolution photo of the target, lifted from social media or a leaked document, is held in front of the camera. Simple systems that only check for a matching face fall immediately.
- Cut-out and bent-photo attacks. Fraudsters cut eye holes or curve a printed photo to fake depth and parallax, defeating naive 3D and motion checks.
- Screen replay attacks. A video of the victim, recorded from a prior session or a video call, is replayed on a phone or tablet. Replays carry natural blinking and head motion, which fools many active liveness prompts.
- 3D mask attacks. Silicone, resin, or paper masks reproduce facial geometry and texture, neutralizing depth sensors and infrared challenge tests.
- Deepfake face swaps. Generative models map the victim's face onto a live attacker in real time, so the attacker can follow any movement prompt the system issues.
- Fully synthetic faces. AI generates a person who does not exist, paired with a forged or synthetic identity document, to open accounts that have no real victim to raise an alarm.
- Injection attacks. Using virtual cameras and emulators, fraudsters inject pre-rendered deepfake video directly into the verification stream, skipping the physical camera so no real-world artifact ever exists to detect.
Why each attack works
- Photo and replay attacks succeed when a system treats motion or a matching face as proof of life.
- Masks succeed against geometry and texture checks because they reproduce both.
- Deepfakes and synthetic faces succeed against frame-by-frame and active liveness because they generate convincing pixels and respond to challenges in real time.
- Injection attacks succeed because they remove the camera, the one component most defenses assume is trustworthy.
How defenses compare against face spoofing methods
No single appearance-based control covers the full range of face spoofing methods. The table below maps common defense categories against the seven attacks above, showing where each holds and where it breaks.
| Defense method | Printed photo | Screen replay | 3D mask | Real-time deepfake | Synthetic face | Injection attack |
|---|---|---|---|---|---|---|
| Face match only | Fails | Fails | Fails | Fails | Fails | Fails |
| Active liveness (blink, turn) | Stops most | Often fails | Sometimes | Fails | Fails | Fails |
| Texture and frame analysis | Stops most | Stops some | Sometimes | Often fails | Often fails | Fails |
| Depth or 3D sensor | Stops | Stops | Often fails | Stops device-bound | Stops device-bound | Fails |
| rPPG blood-flow liveness | Stops | Stops | Stops | Stops | Stops | Stops |
The pattern is consistent. Each conventional control closes some doors and leaves others open, and a motivated fraud ring simply chooses the attack that the deployed control cannot see. Remote photoplethysmography, or rPPG, changes the question being asked. Instead of testing whether the image looks real, it tests whether the subject has a circulatory system.
How blood-flow detection neutralizes the attacks
Remote photoplethysmography reads the microscopic color changes in facial skin caused by blood pulsing through capillaries with each heartbeat. These shifts are invisible to the human eye but measurable from a standard RGB camera feed, concentrated in regions like the cheeks and forehead. The signal is a property of living tissue, which is precisely why it is so difficult to forge.
A printed photo has no pulse. A screen replay reproduces a recorded face but not the live, spatially distributed blood-flow pattern that a genuine subject produces in real time. A silicone mask has no circulation beneath its surface. A deepfake renders pixels, not perfusion, and even when an attacker attempts to overlay a fake heartbeat signal, the spatial distribution of blood flow across the face is far harder to synthesize convincingly than a single averaged waveform. Researchers at the Netherlands Forensic Institute have built deepfake-spotting techniques on exactly this principle, tracking subtle heartbeat-driven skin-tone variations that synthetic video struggles to reproduce.
For injection attacks, the logic still holds. A synthetic stream fed into the pipeline must contain a physiologically coherent blood-flow signal across the whole face to pass, and current generative tools do not produce one. The detection does not depend on the camera being trustworthy; it depends on the content carrying a signal that only living tissue creates.
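The per-region idea described above can be sketched as follows. This is an added example, not Circadify's code or any vendor's algorithm: the region names, frame rate, heart-rate band, thresholds and the constructed traces are all assumptions, and it contrasts only a live subject with a pulseless artifact such as a printed photo.

```python
import math
import random

FPS = 30.0                 # assumed camera frame rate
BAND = (0.7, 4.0)          # assumed heart-rate band in Hz (42-240 bpm)

def band_spectrum(trace, fps, step=0.05):
    """Power at each candidate frequency in BAND, via a direct DFT."""
    mean = sum(trace) / len(trace)
    x = [v - mean for v in trace]          # remove the constant skin-tone level
    spec = []
    n_steps = int(round((BAND[1] - BAND[0]) / step))
    for k in range(n_steps + 1):
        f = BAND[0] + k * step
        re = sum(v * math.cos(2 * math.pi * f * i / fps) for i, v in enumerate(x))
        im = sum(v * math.sin(2 * math.pi * f * i / fps) for i, v in enumerate(x))
        spec.append((f, re * re + im * im))
    return spec

def pulse_peak(trace, fps=FPS):
    """Return (peak frequency in Hz, peak power / median band power)."""
    spec = band_spectrum(trace, fps)
    f_peak, p_peak = max(spec, key=lambda fp: fp[1])
    median = sorted(p for _, p in spec)[len(spec) // 2]
    return f_peak, p_peak / median

def looks_alive(regions, min_ratio=20.0, max_spread_hz=0.1):
    """Every region needs a clear pulse peak, and the peaks must agree."""
    peaks = [pulse_peak(t) for t in regions.values()]
    freqs = [f for f, _ in peaks]
    return (all(r >= min_ratio for _, r in peaks)
            and max(freqs) - min(freqs) <= max_spread_hz)

def synth_region(rng, pulse_hz, amp, phase, n=300):
    """Constructed mean green-channel trace: skin level + pulse + sensor noise."""
    return [120.0 + amp * math.sin(2 * math.pi * pulse_hz * i / FPS + phase)
            + rng.gauss(0, 0.3) for i in range(n)]

rng = random.Random(7)     # fixed seed so the constructed data is repeatable
live = {name: synth_region(rng, 1.2, 0.5, ph)   # 72 bpm, small phase offsets
        for name, ph in [("forehead", 0.0), ("left_cheek", 0.3), ("right_cheek", 0.35)]}
photo = {name: synth_region(rng, 0.0, 0.0, 0.0)  # no pulse component, noise only
         for name in ("forehead", "left_cheek", "right_cheek")}
```

In a real pipeline the traces would come from tracked skin regions in the video rather than a synthesizer, and agreement on a single frequency is only the simplest form of the spatial check the text describes.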
Industry Applications
Banking and account opening
Remote account opening is the single highest-value target for synthetic identity fraud. Adding blood-flow liveness to the onboarding step lets fraud teams reject masked applicants, replayed sessions, and deepfaked applicants without adding friction for genuine customers, who simply look at their camera for a moment.
Fintech and neobanks
Digital-first lenders and neobanks compete on onboarding speed, so they cannot rely on aggressive active-liveness prompts that frustrate real users. Passive rPPG analysis runs in the background of a normal selfie capture, holding the line on security while preserving conversion.
KYC providers and IDV vendors
Identity verification vendors increasingly need to prove resilience against the full catalog of presentation attack types to win enterprise contracts. A blood-flow layer gives them a defense that does not degrade as generative models improve, because it targets biology rather than image quality.
Current research and evidence
The academic foundation for rPPG anti-spoofing has matured quickly. Work on combining rPPG features with contextual patch-based convolutional neural networks has shown that pulse signals materially improve liveness accuracy against print, replay, and mask attacks compared to texture analysis alone. A 2024 review in Frontiers documented the rapid progress of deep-learning rPPG for contactless physiological measurement, noting that webcam-grade cameras can now recover usable cardiac signals in naturalistic settings.
Researchers are also candid about the arms race. High-quality replay attacks can mimic averaged blood-flow changes, which is why current work focuses on the spatial distribution of perfusion across facial regions rather than a single global pulse estimate. The financial stakes give the research urgency: businesses lost an average of nearly $500,000 per deepfake-related incident in 2024, and U.S. generative-AI fraud is projected to climb from $12.3 billion in 2023 to $40 billion by 2027, according to figures compiled in 2025 industry reporting. The direction of travel is clear, with physiological signals treated as a stronger anchor for liveness than any appearance-based feature.
The future of face verification defense
The next phase of anti-spoofing facial analysis will be layered. Document checks, device intelligence, behavioral signals, and appearance analysis all remain useful, but they increasingly serve as supporting evidence around a physiological core that answers the one question fraudsters cannot fake at scale: is there real blood flowing through this face right now? As deepfake generation gets cheaper and injection tooling becomes commoditized, defenses anchored to image realism will keep losing ground, while defenses anchored to biology hold their position. Expect regulators and standards bodies to push presentation attack detection benchmarks toward synthetic-media and injection scenarios, and expect AI-based facial fraud-prevention systems to be judged on how they perform against attacks that have not been invented yet.
Frequently asked questions
What are the most common ways scammers beat face verification? The most common methods are printed photo attacks, screen replay attacks, 3D masks, real-time deepfake face swaps, fully synthetic faces, and injection attacks that feed fake video directly into the pipeline. Each one exploits a system that checks appearance rather than confirming a living subject.
Can deepfakes really pass standard liveness checks? Yes. Real-time deepfakes can respond to active-liveness prompts like blinking or head turns, and they reproduce realistic texture and motion. This is why deepfakes made up a large share of video biometric fraud attempts in 2024, and why appearance-based and frame-level analysis increasingly falls short.
How does rPPG blood-flow detection stop these attacks? rPPG measures the color changes in skin caused by blood circulation, a signal that exists only in living tissue. Photos, masks, replays, and synthetic video do not produce a physiologically coherent, spatially distributed blood-flow pattern, so they fail the check regardless of how realistic they look.
Does blood-flow liveness add friction for real users? No. Passive rPPG analysis works from a normal selfie or video capture without challenge prompts. The user simply faces the camera while the signal is read in the background, which preserves onboarding conversion for legitimate customers.
Circadify is building rPPG-based liveness and synthetic-media detection that reads real blood flow to separate living applicants from photos, masks, replays, and deepfakes. Fraud and KYC teams evaluating their defenses against the full catalog of presentation attack types can request an enterprise security demo to see how blood-flow detection performs against the attacks described here.
