
Deepfakes Have Arrived at Investor Onboarding. Your Checks Haven't Noticed
There's a comforting story compliance teams tell themselves about deepfakes: it's a consumer problem. Romance scams, celebrity crypto ads, fake CEOs on video calls asking for wire transfers. Serious institutional onboarding with its certified documents and liveness checks sits safely above the fray.
That story stopped being true.
Industry analyses now put deepfake elements in roughly one in seven digital onboarding fraud attempts in financial services. The World Economic Forum's Cybercrime Atlas examined publicly available face-swapping and camera-injection tools and found most could bypass standard biometric onboarding checks. Deloitte projects US fraud losses driven by generative AI reaching $40 billion by 2027. And Gartner predicted that by 2026, nearly a third of enterprises would consider standalone identity verification unreliable in isolation - a prediction that has aged uncomfortably well.
How the attack actually works
Forget the Hollywood version. Nobody is rendering a photorealistic villain in real time. The working attacks are mundane, which is why they scale.
Face-swap tools overlay a synthetic face onto a live video feed convincingly enough to pass a selfie-plus-liveness check. Camera injection goes a level deeper: instead of fooling the camera, the attacker replaces the camera feed entirely, serving pre-rendered video directly to the verification software, which believes it is looking at a live sensor. Pair either with a synthetic or stolen identity document - increasingly also AI-generated - and you have a complete fake person who passes the checks real people fail on bad lighting.
What once required a skilled fraud team is now a subscription and an afternoon. When an attack gets a thousand times cheaper, you get a different threat category.
Why the investment world should worry specifically
The reflex is to assume this hits retail neobanks, not funds. The reflex is wrong, for three reasons.
The prize is bigger: A fraudulent retail account nets a fraudster an overdraft. A fraudulent investor relationship - a fake UBO behind a plausible structure, a synthetic director on an entity account - can launder serious money through a vehicle with institutional credibility. Higher effort, but vastly higher payoff.
The checks are less hardened: Ironically, high-touch institutional onboarding often relies more on documents and less on hardened biometric pipelines than a modern neobank does. A certified passport copy sent by a lawyer is precisely as trustworthy as the lawyer's inbox security. Video verification of a director on a Teams call is a face-swap target.
The humans are trusting: Institutional onboarding runs on professional courtesy - counsel certifies, administrators forward, everyone assumes the other party checked. Deepfakes weaponise exactly that chain of assumed verification.
Seeing is no longer verifying
For a century, identity verification rested on a physical premise: faces are generally harder to fake, documents are harder to forge, and matching one to the other proves existence. But that feels changed.
Detection helps: forensic analysis of video artifacts, injection detection, document forensics all raise the attacker's cost, but detection alone is an arms race where the defender pays for models and the attacker pays for a subscription update.
The durable answer is corroboration. A deepfake defeats one check. It struggles to defeat twenty independent ones that must all agree: does the passport's data match the registry filing, the tax document, the address history, the corporate record, the screening profile, the device signals, the behavioural pattern? Fabricating a consistent identity across dozens of independent sources is extremely hard even for a great model.
What to do about it
1. Audit your channel assumptions
List every path a face or document enters your onboarding: portals, email, counsel certifications, video calls. For each, ask what actually proves liveness and source integrity. Most firms find at least one channel where the honest answer is "nothing."
2. Demand injection detection, not just liveness
Liveness checks ask "is this a live human?" Camera injection makes the software's answer meaningless. Ask your IDV vendor specifically how they detect virtual cameras and feed injection. Vague answers give you all the answers you need.
3. Cross-verify everything against everything
Stop treating each document as a standalone artifact to be filed. Every data point should be checked for consistency against every other source in the file. This is tedious for humans and trivial for AI, which is exactly why it's now feasible as a default control rather than an EDD luxury.
4. Rehearse the failure
Assume a synthetic identity got through last year. Could your monitoring catch it now? If onboarding is your only line of defence, you don't have defence in depth. You have a door with no house. It is worth checking it.
Where Steward fits
Steward's approach to this threat is the corroboration model: our AI reads every document in the file, extracts everything, and checks it against registries, databases and the rest of the file - relentlessly, on every case, not just the ones that smell wrong. This can be the difference between a regulatory fine and restful nights.
To sum up
Deepfakes moved identity fraud from craft to commodity, and onboarding flows built on "match the face to the document" are quietly obsolete. The fix is making every identity prove itself against so many independent sources that faking the face was the easy part - and the useless one.
Let’s stay ahead of fraudsters, before we are on the firing line. Stop deepfake fraud at the source; request a demo here.
From the blog
The latest industry news, interviews, technologies,
and resources.

AI KYC Remediation: How AI Agents Clear a Backlog, Task by Task
See how AI KYC remediation works task by task: alert adjudication, entity resolution, and perpetual KYC that stops backlogs reforming
Jul 16, 2026
Geoffrey Safar
1 min read

What Europe's New AML Regime (AMLA) Means for Funds
The EU's AMLR applies from 10 July 2027 and AMLA is already writing the rulebook. What the new EU AML regime means for funds, fund admins and private banks - and why waiting is a mistake
Jul 15, 2026
arik oslerne
1 min read

How to Reduce False Positives in AML Screening
Cut sanctions and PEP false positives in AML screening: why they happen, how to tune matching, and how to keep every dismissal auditable and defensible.
Jul 15, 2026
Geoffrey Safar
1 min read

The FinCEN Investment Adviser Rule Moved to 2028. Don't Celebrate.
FinCEN delayed the investment adviser AML rule to January 1, 2028 - but the scope remains intact. Why RIAs and exempt reporting advisers should use the delay, not waste it
Jul 14, 2026
arik oslerne
1 min read
Product