Summary
Fraud has always been a major issue in the field of financial services. But the kind of fraud that keeps compliance departments alert today is distinct from anything that has been reported before. It doesn’t involve counterfeit cards or documents. It’s the video of a face that has never existed — created by artificial intelligence in a matter of seconds.
Deepfake fraud is real, it is growing rapidly, and it is now aimed squarely at Video KYC systems. This guide explains how these attacks operate, why traditional liveness checks aren’t sufficient to stop them, and what an AI-powered Video KYC system must be able to do to prevent them.
What Is a Deepfake, Exactly?
A deepfake is a synthetic video or image created using machine learning. These tools can replace one person’s face with another, animate a still photograph, or generate an entirely new face that looks completely real.
Until a few years ago, creating a convincing deepfake required expensive hardware and significant technical skill. That has changed. Today, free and low-cost tools can generate realistic face-swap videos in minutes. Some apps require nothing more than a single photograph.
For fraudsters, this is a gift. A person can now attempt to pass a video identity verification check using a fake face — one that responds to prompts, blinks on cue, and moves naturally without ever appearing on camera themselves.
How Big Is This Problem?
Key Statistic
AI-generated deepfake fraud attempts increased by approximately 3,000% between 2022 and 2025. In late 2025, FinCEN issued a formal alert on synthetic identity fraud. FATF’s December 2025 Horizon Scan explicitly named deepfakes as an emerging risk to KYC and AML controls worldwide.
How Do Deepfake Attacks Target Video KYC?
Fraudsters use several different methods to attack Video KYC systems:
Face Swap Injection
A live camera feed is intercepted and replaced with a pre-recorded or AI-generated video stream. The KYC system sees what appears to be a live person, but it is actually a synthetic face.
Replay Attacks
A real video of a legitimate customer is replayed during the KYC session. This is one of the older methods, but it remains in use.
Face Generation
Entirely synthetic identities are created using generative AI. These do not correspond to any real person, making them impossible to catch through document matching alone.
GAN-Based Manipulation
Generative Adversarial Networks are used to produce faces that pass basic liveness tests by mimicking natural facial movement and skin texture.
Why Traditional Liveness Detection Is Not Enough
Many Video KYC systems use active liveness detection: ask the user to blink, turn their head, or smile, and verify that they do it. This was a reasonable defence a few years ago. It is no longer sufficient.
Modern deepfake tools can generate real-time responses to liveness prompts. They track the instructions and animate the synthetic face accordingly. The new standard combines multiple layers:
- Passive liveness analysis — examining micro-textures, skin pores, light reflection patterns, and subtle inconsistencies in the face without requiring any user action.
- 3D depth sensing — verifying that the face has genuine three-dimensional structure, not a flat image or 2D video.
- Behavioural biometrics — analysing how the user moves, the timing of their responses, and patterns that are difficult for AI to fake consistently.
The Role of AI in Detection
It takes AI to fight AI. The deepfake models used by fraudsters are trained on massive datasets of real human faces. Detecting them requires a model trained specifically to identify the artefacts that generative AI leaves behind. What does a deepfake detection model look for?
- Blending boundaries — the edges where a swapped face meets the original neck or hairline often show subtle inconsistencies in lighting and texture.
- Temporal inconsistencies — across frames of a video, deepfake faces sometimes flicker or fail to maintain consistent geometry.
- Frequency domain analysis — deepfake generation leaves traces invisible to the naked eye but detectable algorithmically.
- Eye and teeth rendering errors — generative models still struggle with realistic teeth and iris reflections.
- Metadata and device signals — legitimate video streams carry device metadata; injected streams often do not.
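The frequency-domain check from the list above, as an added example that is not taken from the original article or from any vendor's product: it measures how much of a face patch's spectral energy sits in high frequencies, where periodic generator upsampling artefacts tend to show up. The 16x16 patches are constructed, and the cutoff and the 0.01 threshold are assumptions chosen for this sample, not calibrated values.

```python
import cmath
import math

def dft2(patch):
    """Separable 2-D DFT of a square grayscale patch (list of rows)."""
    n = len(patch)
    def dft1(v):
        return [sum(v[k] * cmath.exp(-2j * math.pi * u * k / n) for k in range(n))
                for u in range(n)]
    rows = [dft1(r) for r in patch]                                   # along x
    cols = [dft1([rows[y][u] for y in range(n)]) for u in range(n)]   # along y
    return [[cols[u][v] for u in range(n)] for v in range(n)]         # spec[v][u]

def high_freq_ratio(patch, cutoff=None):
    """Share of non-DC spectral energy above `cutoff` cycles per patch."""
    n = len(patch)
    cutoff = n // 4 if cutoff is None else cutoff   # assumed band split
    spec = dft2(patch)
    high = total = 0.0
    for v in range(n):
        for u in range(n):
            if u == 0 and v == 0:
                continue                            # DC term = mean brightness
            energy = abs(spec[v][u]) ** 2
            total += energy
            # Fold indices so that n-1 counts as frequency 1 (negative side).
            if max(min(u, n - u), min(v, n - v)) > cutoff:
                high += energy
    # A flat patch has only rounding noise outside DC; do not score noise.
    if total <= 1e-12 * max(abs(spec[0][0]) ** 2, 1.0):
        return 0.0
    return high / total

def looks_synthetic(patch, threshold=0.01):
    """Flag a patch whose high-frequency share exceeds the assumed threshold."""
    return high_freq_ratio(patch) > threshold

# Constructed samples: smooth shading, and the same patch with a faint
# checkerboard (amplitude 6 on a 0-255 scale) standing in for an artefact.
N = 16
CLEAN = [[128 + 40 * math.sin(2 * math.pi * x / N) + 30 * math.cos(2 * math.pi * y / N)
          for x in range(N)] for y in range(N)]
ARTEFACT = [[CLEAN[y][x] + 6 * (-1) ** (x + y) for x in range(N)] for y in range(N)]

if __name__ == "__main__":
    for name, p in (("clean", CLEAN), ("artefact", ARTEFACT)):
        print(name, round(high_freq_ratio(p), 4), looks_synthetic(p))
```

The checkerboard changes each pixel by under 3% of full scale, yet it accounts for about 2.8% of the patch's non-DC energy, all of it at the highest frequency; a production detector would learn this decision boundary from labelled data rather than use a fixed threshold.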
What RBI’s August 2025 Amendment Means for India
India’s RBI amended its Video KYC master direction in August 2025 to specifically address AI-generated fraud. The amendment requires VKYC systems used by regulated entities to include technical safeguards against deepfake and synthetic media injection.
This means liveness detection is no longer optional or best-practice — it is a regulatory requirement. Institutions that have not upgraded their VKYC infrastructure to include AI-based fraud detection are now operating outside compliance.
Comparison: Basic vs. AI-Powered VKYC Fraud Detection
| Capability | Basic VKYC System | AI-Native VKYC System |
|---|---|---|
| Liveness Detection | ⚠️ Active prompts only | ✅ Active + passive + 3D depth |
| Deepfake Detection | ❌ Not available | ✅ Real-time GAN/diffusion model |
| Injection Attack Prevention | ❌ Not available | ✅ Camera feed authentication |
| Document Fraud Checks | ⚠️ Manual or basic OCR | ✅ AI-based tamper detection |
| RBI Compliance (post Aug 2025) | ⚠️ Partial | ✅ Full |
| Human Review Escalation | ⚠️ Manual queue | ✅ Risk-scored auto-escalation |
What to Look for in a Video KYC Provider
If you are evaluating VKYC vendors or reviewing your existing setup, these are the questions that matter:
- Does the system detect video injection attacks — not just replay, but real-time injection of synthetic video streams?
- What generation of liveness detection does it use? Passive liveness should be the baseline, not active-only.
- How often is the deepfake detection model retrained? Fraudsters iterate quickly — a model trained on 2023 data will miss 2026 attack patterns.
- What is the false positive rate? Aggressive fraud detection that blocks legitimate customers creates its own cost.
- Is the system compliant with RBI’s August 2025 anti-deepfake amendment?
Frequently Asked Questions
Q – Can a deepfake fool any Video KYC system?
A – No system is perfect, but a layered AI-powered system with passive liveness, injection detection, and real-time deepfake scoring is significantly harder to deceive than basic active liveness alone.
Q – Does deepfake detection slow down the KYC process?
A – Modern AI inference is fast. A well-implemented system adds only a second or two of processing time — imperceptible to the end user.
Q – Are deepfake attacks common in India specifically?
A – Yes. India’s large digital financial sector and rapid VKYC adoption make it a high-value target. The RBI’s 2025 amendment was a direct response to documented incidents.
Q – What happens if a deepfake attempt is detected?
A – The session is flagged, the attempt is logged for audit purposes, and the applicant may be invited to retry through a different channel or referred to branch verification.
