Blog · May 21, 2026

How Fraudsters Open Bank Accounts — and How to Stop Them

Stolen IDs, synthetic identities, deepfake liveness attacks, money-mule recruitment, device obfuscation — here's the exact playbook fraudsters use to open bank accounts, and the controls that stop each step.

By Didit

Every fraudulent bank account starts at onboarding. By the time fraud analysts see the damage — the unauthorized transfers, the washed funds, the credit line drawn against a fabricated identity — the account has already passed KYC. The exploit happened before the customer existed.

This post breaks down the playbook fraudsters use, step by step, and maps each technique to the control that stops it.

Key takeaways

  • Account opening fraud runs in five overlapping stages: identity acquisition, document production, liveness bypass, device and network obfuscation, and post-open mule activation.
  • Each stage has a specific technical countermeasure. Patching one without the others is what fraudsters look for.
  • The baseline KYC core flow — ID Verification + Passive Liveness + Face Match 1:1 + Device & IP Analysis — closes the most common vectors at $0.33 per check.
  • AML Screening catches money-mule identities that passed document checks because the ID was genuine; the person was recruited, not fabricated.
  • Device & IP Analysis surfaces fraud rings through DUPLICATED_DEVICE_FINGERPRINT and DEVICE_RECOVERED_HIGH_CONFIDENCE — the signals that appear when one operator runs many onboarding sessions from a shared pool of machines.

Stage 1: Identity acquisition

Before any fraudster touches your onboarding flow, they need a name, a date of birth, and a document number that will pass a database check. There are three ways to get one.

Stolen identities are the most common starting point. Data breaches, phishing, and dark-web markets give fraudsters access to real names, addresses, ID numbers, and sometimes scans of the original document — most of what a KYC flow asks for.

Synthetic identities combine real and invented elements — a genuine Social Security Number (or national ID number) paired with a fabricated name and date of birth. Because the ID number is valid, format and checksum checks pass. Synthetic fraud is especially costly in credit contexts because it builds a history before cashing out.

Identity-as-a-service is the organized version: criminal networks selling complete kits — aged document images, utility bills, and instructions for the specific onboarding flow they've already tested.

What stops it: Document verification beyond format checks — OCR across 14,000+ document templates, MRZ and barcode parsing, NFC chip reading — combined with database validation against government registries. Stolen real IDs and fabricated synthetic IDs leave different signatures at this layer.

Stage 2: Document forgery and manipulation

A stolen ID number is useless without an image that matches. Fraudsters produce documents in three ways.

Template editing is the entry level: buying a high-resolution scan of a legitimate document and substituting the photo and data in a fraud tool. Cheap forgeries are obvious; well-produced ones require trained ML models to catch.

Printed and re-photographed documents bypass some injection-detection defenses. The fraudster prints the forged document, photographs it with good lighting, and submits the result — trying to introduce the physical artifacts (grain, shadow, reflection) document classifiers expect from a genuine capture.

AI-generated documents are an emerging vector: generative models producing synthetic document images realistic enough to fool human reviewers.

What stops it: Document liveness analysis (flat/printed surface detection), multi-frame consistency checks, and ML classifiers trained on fraud patterns. NFC chip reading is the hardest countermeasure to defeat: if the chip validates cryptographically, the document is genuine.

Stage 3: Liveness bypass — defeating biometric checks

A fraudster with a forged document still needs the face to match. Attacks take two forms.

Presentation attacks: a printed photo, a video on a second phone, or a 3D mask held in front of the camera. Modern liveness models are certified at iBeta PAD Level 1 to defeat this.

Digital injection attacks skip the camera entirely. The fraudster injects a synthetic video stream using virtual camera software or browser API overrides. A deepfake face — animated to blink and track on command — is served to the liveness model as if it came from a real camera. No physical environment required, and it scales programmatically. Countermeasures include virtual camera driver detection, frame-level deepfake classifiers, and API interception checks.

What stops it: Passive Liveness ($0.10) with sub-2s inference and 200+ fraud signals, paired with Face Match 1:1 ($0.05) that verifies the live face against the document portrait.

Stage 4: Device and network obfuscation

A fraud ring running dozens of accounts cannot do it from a single IP and one machine. The operational pattern: rotate IPs through VPNs, proxies, or Tor; use anti-detect browsers that randomize fingerprint signals; run sessions from virtual machines or emulators. The goal is to look, in each session, like a different person in a different place. The tell is that the underlying hardware and network infrastructure are reused.

What stops it: Device & IP Analysis ($0.03), running automatically in every session. It captures a stable device fingerprint from GPU signals, browser build, canvas rendering, and hardware attributes, then checks it against all prior sessions. It also enriches the connection: VPN and proxy detection, Tor and data-center exit-node detection, country-vs.-document consistency.

The two warnings that matter most for ring detection:

  • DUPLICATED_DEVICE_FINGERPRINT — the same persistent fingerprint appeared under a different identity in a prior session.
  • DEVICE_RECOVERED_HIGH_CONFIDENCE — the persistent ID changed (storage cleared, incognito, reinstall), but the v2 recovery model matched the device anyway.

Both are configurable: review, hard-decline, or approve with a flag.
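
An added sketch (not Didit's implementation) of how the two warnings and the configurable response fit together, run over constructed session records. The field names, the policy mapping, and the exact-match hardware signature that stands in for the recovery model are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed policy; the page lists review, hard-decline, or approve with a flag.
POLICY = {"DUPLICATED_DEVICE_FINGERPRINT": "decline",
          "DEVICE_RECOVERED_HIGH_CONFIDENCE": "review"}
SEVERITY = ["approve", "review", "decline"]

# Constructed sample sessions (hypothetical schema, not a vendor payload).
SESSIONS = [
    {"id": "s1", "ts": 1, "identity": "A", "device_id": "d1", "gpu": "g1", "canvas": "c1"},
    {"id": "s2", "ts": 2, "identity": "B", "device_id": "d1", "gpu": "g1", "canvas": "c1"},
    {"id": "s3", "ts": 3, "identity": "C", "device_id": "d2", "gpu": "g1", "canvas": "c1"},
    {"id": "s4", "ts": 4, "identity": "D", "device_id": "d9", "gpu": "g7", "canvas": "c7"},
]


def evaluate(sessions, policy=POLICY):
    """Replay sessions in time order and attach warnings plus a policy action."""
    ids_by_device = defaultdict(set)    # persistent device id -> identities seen
    devices_by_hw = defaultdict(set)    # hardware signature -> persistent ids seen
    out = []
    for s in sorted(sessions, key=lambda s: s["ts"]):
        warnings = []
        hw = (s["gpu"], s["canvas"])
        # Same persistent fingerprint, different identity in a prior session.
        if ids_by_device[s["device_id"]] - {s["identity"]}:
            warnings.append("DUPLICATED_DEVICE_FINGERPRINT")
        # Stand-in for a recovery model: persistent id is new, hardware is not.
        # A production model would score similarity, not require an exact match.
        if devices_by_hw[hw] and s["device_id"] not in devices_by_hw[hw]:
            warnings.append("DEVICE_RECOVERED_HIGH_CONFIDENCE")
        action = max((policy[w] for w in warnings), key=SEVERITY.index, default="approve")
        out.append({"session": s["id"], "warnings": warnings, "action": action})
        ids_by_device[s["device_id"]].add(s["identity"])
        devices_by_hw[hw].add(s["device_id"])
    return out


def rings(sessions):
    """Group identities that share one hardware signature (candidate rings)."""
    groups = defaultdict(set)
    for s in sessions:
        groups[(s["gpu"], s["canvas"])].add(s["identity"])
    return [ids for ids in groups.values() if len(ids) > 1]


if __name__ == "__main__":
    for row in evaluate(SESSIONS):
        print(row)
    print(rings(SESSIONS))
```
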

Stage 5: Money-mule recruitment and activation

Not every fraudulent account belongs to an identity thief. A large fraction are opened by real people using genuine documents — recruited money mules told they'd earn a commission for receiving and forwarding funds. The KYC documents are real. The fraud is in what they've agreed to do.

Money mules are often affiliated with organized crime networks that appear on sanctions, PEP (Politically Exposed Person), adverse-media, or law-enforcement watchlists. Running AML Screening ($0.20, 1,300+ lists) at onboarding catches known mule network associates before they become active accounts. Ongoing AML Monitoring ($0.07/user/year) re-screens as lists update.

What stops it: AML Screening at onboarding plus ongoing monitoring, which together cover known actors and emerging network members added to the lists after onboarding.

How Didit helps

Each of the five stages above maps directly to a module in the KYC core flow.

The baseline bundle — ID Verification + Passive Liveness + Face Match 1:1 + Device & IP Analysis — runs as a single session at $0.33, covering stages 2–4. Adding AML Screening ($0.20) extends coverage to mule recruitment (stage 5). All modules run in sequence; the result lands in one decision payload.

curl -X POST 'https://verification.didit.me/v3/session/' \
  -H 'x-api-key: YOUR_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
    "workflow_id": "YOUR_WORKFLOW_ID",
    "vendor_data": "user-123",
    "callback": "https://yourapp.com/post-kyc"
  }'

The session URL goes to the user. The decision comes back via webhook (session.status.updated) or GET /v3/session/{sessionId}/decision/.

Didit is the only identity provider formally attested by an EU member-state government (Spain's Tesoro / Banco de España / SEPBLAC) as safer than in-person verification. 500 free verifications per month, no minimums.

Use cases

Neobank account opening — the $0.33 core flow handles the main attack surface. Add AML Screening for regulatory requirements and mule detection.

Credit and lending — synthetic identity fraud is highest here because the payload is a credit line. NFC chip reading adds cryptographic certainty that the document is genuine.

Crypto exchange onboarding — Wallet Screening ($0.15/check, or $0.02 BYOK) extends coverage to the crypto fraud surface after KYC.

Frequently asked questions

What is the most common method fraudsters use to open bank accounts?

Stolen identity documents combined with device obfuscation. The fraudster uses real PII and a forged document image, then routes sessions through VPNs or anti-detect browsers. Document verification catches the forged image; Device & IP Analysis catches the infrastructure.

What does DUPLICATED_DEVICE_FINGERPRINT mean in practice?

The same persistent device fingerprint appeared under a different identity in a prior session — a strong multi-accounting or mule-farm signal. You configure the response per your policy: review, hard-decline, or flag for manual investigation.

How much does a full fraud-resistant onboarding flow cost?

The KYC core flow is $0.33. Adding AML Screening brings it to $0.53. 500 free verifications per month; no minimums.

Ready to get started?

Account opening fraud is preventable at the infrastructure layer — before an account exists, before funds move, before the fraud analyst is involved.
