Identity fraud is no longer limited to isolated phishing scams or weak passwords. Today’s cybercriminals deploy increasingly sophisticated, multi-layered attacks — from deepfake videos and manipulated images to the injection of biometric data, forged documents, or pre-recorded videos into digital systems. This trend is particularly worrying for the banking sector and fintech companies, given the rapid digitalisation of their services.
According to IBM’s 2024 Cybersecurity Report, 43% of breaches involving biometric systems are directly linked to presentation and injection attacks. This alarming figure highlights not only the growing complexity of fraud tactics, but also the urgent need to strengthen authentication mechanisms.
Here are six real-life cases illustrating how identity fraud evolves in different contexts:
A fraudster’s treasure trove: 533 million Facebook identities leaked
In 2021, one of the largest personal data breaches came to light when the profiles of over 533 million Facebook users were posted on a hacking forum. The leaked dataset included names, email addresses, phone numbers and dates of birth from users in over 100 countries.
This vast amount of genuine information became the perfect raw material for phishing and impersonation attacks, paving the way for a phenomenon known as “Frankenstein fraud”, where criminals create fake identities using authentic data stitched together from multiple sources.
Ticket scam fuelled by a stolen identity
In 2023, an Australian man shared a photo of his driving licence with someone he believed to be a legitimate ticket seller. It turned out to be a scam. Not only was he defrauded, but his images and personal data were later used to create fake social media profiles that continued selling fraudulent event tickets.
Despite repeatedly reporting the impersonation accounts, they remained active for weeks. The incident demonstrates how a single data leak can fuel a chain of scams, with long-lasting consequences for the victim.
Fraud Intelligence Report 2025
Discover how digital fraud is evolving and protect your customers’ identities
Deepfakes on a video call: $25 million transferred
In 2024, an employee took part in a video call with individuals he believed to be senior executives from his company. Unbeknownst to him, every other participant was a deepfake AI-generated replicas of the CFO and other directors. During the call, they instructed him to transfer a total of $25 million to accounts controlled by the attackers.
This case, which blends social engineering, AI and video manipulation, shows just how convincingly fraudsters can replicate high-stakes corporate scenarios to execute major financial crimes.
Identity theft for auto loans in Mexico
In a recent case in Mexico, a person’s identity was cloned to apply for a bank loan without their knowledge. Lawyer Rafael Abascal reported that he received a notice from his bank about an outstanding payment of 19,000 pesos corresponding to an auto loan he never requested.
Upon investigating, he discovered that the scammers had obtained his personal documents (he suspects they were provided through sales agents) and used that information to process, in his name, a loan of more than $1,000,000 MXN.
This fraud demonstrates how sharing physical or digital documents through certain channels can put your identity at risk: in this case, criminals opened a line of credit using his identity without his permission. The experience reinforces the importance of monitoring accounts and quickly reporting any unusual activity.
SIM swapping in Spain: landmark ruling
In December 2025, Spain saw a landmark judicial ruling on a SIM swapping case. A user reported that attackers managed to duplicate his SIM card (request a fraudulent duplicate) without consent and, with control of his phone number, emptied his bank account.
The Madrid Court jointly convicted the telecom operator and the bank, obliging them to compensate the customer with the 4,047 euros stolen. The proven facts indicate that a third party obtained a duplicate of the user’s SIM through a fake porting process; this allowed them to intercept SMS banking codes and authorize transactions to transfer the funds.
This case highlights shared responsibility: not only the bank, but also the telecommunications provider was found guilty due to lax protocols. In a world where banks increasingly use mobile phones as an authentication factor, this ruling sets a key precedent.
Data breach of Desjardins Group (Canada)
In another recent case of massive scope, it was determined that a former employee of the Canadian financial group Desjardins stole the personal data of 9.7 million customers. The suspects sold this information to other criminals, who used it in fraud schemes.
In November 2025, Spanish authorities arrested the fugitive ringleader, Juan Pablo Serrano, who had been wanted since 2024 for the theft and trafficking of that confidential information.
This is one of the largest known banking data breaches: it exposed names, addresses, credit histories, and other sensitive data. The Desjardins case reveals how identity theft does not always come from “lone hackers,” but can originate from insider threats with consequences on a continental scale.
Strategies to strengthen security
These examples show that impersonation attacks take many forms. To counter them, organizations and users can adopt several key measures:
- Enhanced verification when opening accounts. Implement multi-factor authentication (MFA) that combines biometrics (fingerprints or face) with other factors. Require up-to-date documentation and facial liveness during onboarding to prevent synthetic identities or deepfakes.
- Strict telecommunications protocols. Operators must require robust identity verification (e.g., physical ID) when issuing SIM duplicates or migrating numbers. This closes the security gap exploited in the Spanish case.
- Continuous monitoring and alerts. Banks and fintechs should monitor atypical transactions and notify users in real time. Customers, in turn, must regularly review their statements and immediately report suspicious charges, as in the Mexican lawyer’s case.
- Caution when sharing data. Consumers should avoid sharing sensitive personal information (document photos, banking details) on unofficial networks or apps. In ticket fraud cases, a single photo was enough to trigger repeated scams.
- Education and awareness. Promoting digital literacy helps detect social engineering tactics. No legitimate banking institution will ask for passwords or codes via WhatsApp or email; any unusual urgency, such as fake banking alerts in messages, should raise suspicion.
Identity theft is a real threat that evolves with technology. Companies must strengthen their verification systems (integrating tools such as liveness detection, certified biometrics, encryption of data in transit and at rest, etc.), while users maintain basic security habits. Only in this way can attacks be anticipated, protecting both financial assets and trust in digital environments.