Identity Fraud Prevention: Detection Techniques
How Australian businesses detect and prevent identity fraud: synthetic documents, deepfakes
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokIdentity fraud cost Australian businesses and individuals over AUD 3.1 billion in 2024, according to the Australian Institute of Criminology (AIC) and the Australian Criminal Intelligence Commission (ACIC). The ACIC's annual Organised Crime in Australia report identifies identity crime as a key enabler of serious and organised crime, with the scale of identity fraud continuing to grow year-on-year. Meanwhile, the ACSC reported that Australians submitted over 94,000 cybercrime reports in the 2023-24 financial year, with identity fraud a significant component.
For Australian businesses, the threat is both financial and regulatory. The AML/CTF Act 2006, the Privacy Act 1988, and sector-specific APRA and ASIC guidance impose clear obligations on firms to verify customer identity and detect fraudulent documents. Failure carries civil penalties, regulatory sanctions, and reputational damage.
This article examines the main types of identity fraud affecting Australian businesses, the detection techniques that work, and the regulatory framework that governs verification obligations.
Types of Identity Fraud Targeting Businesses
Identity fraud is not a single crime. It encompasses a range of techniques, each with different detection challenges.
| Fraud Type | Australian Prevalence | Manual Detection Difficulty | Primary Channel |
|---|---|---|---|
| Stolen identity (real person's details used) | Very high | High | Online, in-person |
| Forged identity documents (modified originals) | High | Medium | Scanned documents |
| Synthetic identity (fabricated from mixed data) | Rising rapidly | Very high | Online applications |
| AI-generated documents (fully synthetic) | Rising rapidly | Very high | Digital channels |
| Deepfake biometric attacks (video/selfie) | Emerging | Very high | Remote verification |
| Account takeover (existing account hijacked) | High | Medium | Online banking |
Sources: ACIC Organised Crime in Australia, AIC Identity Crime Research.
Stolen and Synthetic Identities
The most common form of identity fraud in Australia involves the use of a real person's stolen details to open accounts, apply for credit, or access services. The ACIC data shows that identity compromise underpins a growing share of all financial crime, often obtained through data breaches, phishing, or social media scraping.
Synthetic identity fraud presents a different challenge. Rather than stealing a complete identity, the fraudster constructs one from fragments: a real Tax File Number (TFN), a fabricated name, an address sourced from a vacant property listing. Each element passes individual checks. The composite identity has no genuine owner to raise an alert, making it detectable only through cross-referencing multiple data sources.
AI-Generated Documents and Deepfakes
The shift from manual forgery to AI-generated documents represents a step change in the fraud landscape. Generative AI tools can produce complete identity documents -- passports, driver licences, utility bills -- that are visually indistinguishable from genuine documents when viewed as digital images.
Deepfake biometric attacks compound the threat. Fraudsters use virtual camera software to inject AI-generated video feeds during liveness checks, bypassing facial verification systems. Our detailed analysis of this threat is available in our article on deepfake and synthetic identity documents.
Detection Techniques That Work
Effective identity fraud detection requires layered controls. No single technique addresses all fraud types. The three fundamental layers are document analysis, biometric verification, and data cross-referencing.
Automated Document Analysis
Automated document verification examines the structural integrity of identity documents at a level impossible for human reviewers to replicate consistently. The analysis covers font consistency, security feature presence, MRZ (Machine Readable Zone) format compliance, pixel-level manipulation detection, and metadata analysis.
For a comprehensive overview of verification technologies, see our guide to identity verification methods.
Biometric Verification and Liveness Detection
Biometric verification matches the document holder's photograph to a live capture, confirming that the person presenting the document is the person depicted on it. The critical component is liveness detection:
- Passive liveness: Analyses a single image for artefacts. Effective against printed photos; insufficient against sophisticated deepfakes.
- Active liveness: Requires the user to perform actions (head movements, blinking, smiling). More robust, but vulnerable to advanced real-time deepfake generators.
- Certified liveness: Compliant with standards such as ISO/IEC 30107-3. The appropriate standard for regulated identity verification.
Data Cross-Referencing
The third layer verifies the consistency of declared information against external authoritative sources: the Document Verification Service (DVS), credit reference agencies, government databases, and commercially available identity data sets. In Australia, the Document Verification Service (DVS) enables real-time verification of Australian identity documents against the issuing agency's records.
Data cross-referencing is particularly effective against synthetic identities. A fabricated identity that passes document and biometric checks may fail when its TFN does not correspond to its declared date of birth, or when its address has no postal history.
Decision Matrix: Choosing the Right Verification Level
| Risk Level | Recommended Approach | Document Check | Biometrics | Data Verification | Standard |
|---|---|---|---|---|---|
| Low (basic onboarding) | OCR + data match | Yes | No | Basic | Internal policy |
| Standard (regulated) | Document + selfie | Yes | Passive liveness | Yes | AML/CTF Act compliant |
| Enhanced (high-value) | Document + video + data | Yes | Active liveness | Full cross-reference | AUSTRAC guidance |
| High (PEP/sanctions) | Full multi-layer | Yes | Certified liveness | Full + enhanced DD | AML/CTF Act enhanced CDD |
Explore further
Discover our practical guides and resources to master document compliance.
Explore our guidesAustralian Regulatory Framework
AML/CTF Act 2006
The AML/CTF Act 2006 requires reporting entities to carry out customer identification procedures before providing a designated service. The Act specifies that identity verification must be based on reliable and independent documentation or electronic verification. AUSTRAC's customer identification guidance provides detailed requirements.
Failure to comply with customer identification requirements can result in civil penalties of up to AUD 22.2 million per contravention for body corporates.
ASIC Expectations
ASIC regulates conduct in financial services and expects firms to maintain adequate systems for verifying customer identity as part of their broader compliance obligations. ASIC has taken enforcement action against firms with inadequate identity verification procedures.
Document Verification Service (DVS)
The DVS is the Australian Government's national identity verification service, enabling organisations to verify Australian identity documents in real time against the records of the issuing agency. The DVS covers passports, driver licences, Medicare cards, birth certificates, citizenship certificates, and visa documents.
Implementation Steps for Businesses
Step 1: Map Your Identity Verification Points
Identify every point in your customer journey where identity is established or relied upon: account opening, transaction authorisation, address changes, beneficiary additions.
Step 2: Apply Risk-Based Controls
Not every interaction requires the same level of verification. A risk-based approach applies proportionate controls: basic checks for low-risk transactions, full multi-layer verification for high-value or high-risk operations.
Step 3: Combine Detection Layers
The consensus across Australian regulatory guidance is clear: single-factor verification is insufficient. Document analysis must be combined with biometric verification and data cross-referencing to achieve adequate detection rates.
Step 4: Monitor and Update
Fraud techniques evolve continuously. Detection systems require regular updating to address new attack vectors, particularly AI-generated documents and deepfake biometric attacks.
For a sector-by-sector breakdown of verification requirements, visit our industry verification guide.
For a comprehensive overview, see our industry document verification guide. Our platform processes over 180,000 documents per month with a 94.8% fraud detection rate and a false positive rate of 2.8%, delivering results in an average of 4.2 seconds.
FAQ
How many identity fraud cases occur in Australia each year?
The ACIC and AIC estimate that identity crime costs Australians over AUD 3.1 billion annually. The true incidence is believed to be substantially higher than reported figures, as many cases go undetected or unreported.
What are the penalties for failing to verify customer identity?
Under the AML/CTF Act 2006, failure to conduct adequate customer identification can result in civil penalties of up to AUD 22.2 million per contravention for body corporates and up to AUD 4.44 million for individuals. ASIC and APRA can also impose regulatory sanctions.
Can AI-generated identity documents pass automated verification?
High-quality AI-generated documents can defeat single-layer verification systems. Multi-layer systems that combine document analysis with biometric liveness detection and data cross-referencing through the DVS achieve substantially higher detection rates. No system guarantees 100% detection, which is why a risk-based, layered approach is essential.
What is synthetic identity fraud and why is it difficult to detect?
Synthetic identity fraud involves creating a new identity by combining real and fabricated personal information -- for example, a genuine TFN paired with a fictitious name and address. Because individual data elements can be valid, the fraud bypasses checks that verify each element in isolation. Detection requires cross-referencing multiple data sources to identify inconsistencies.
How often should businesses update their fraud detection systems?
At minimum, annually. In practice, quarterly reviews of detection rules and thresholds are advisable. Businesses should also subscribe to threat intelligence services and AUSTRAC alerts to receive timely information about emerging fraud patterns.
To deepen your understanding of identity verification across different sectors, explore our industry verification guide. Learn how CheckFile.ai automates document verification for businesses, or visit our pricing page to compare available plans.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.