Synthetic Identity Fraud in 2025: How AI-Generated Identities Are Hitting SMB Vendor Accounts

Attackers are no longer stealing identities. They’re building new ones – stitching together real and fabricated data with AI tools precise enough to fool the identity verification systems most businesses trust completely. The 2025 fraud data, anchored by FinCEN advisories and FBI Internet Crime Complaint Center (IC3) disclosures, should concern every CEO or COO who oversees vendor onboarding or accounts payable. This post explains what synthetic identity fraud actually is, what the numbers tell us about where it’s heading, and what a defensible business posture looks like right now.

What Is Synthetic Identity Fraud?

A synthetic identity is not a stolen identity. It is a constructed one. An attacker combines a real Social Security Number – often from a child, a recent immigrant, or a deceased person with little or no credit history – with a fabricated name, address, date of birth, and supporting documents. The result is a persona that corresponds to no living, verifiable human being, yet passes automated identity checks because parts of it are technically real.

What’s new is the role AI now plays in generating that supporting documentation. Fraudsters are using generative AI tools to create convincing driver’s licenses, utility bills, bank statements, W-9 forms, and video deepfakes designed to pass liveness detection checks. The forgery quality that once required specialized criminal expertise is now accessible to anyone with a laptop and a subscription.

The Federal Reserve published foundational research on synthetic identity fraud years ago, identifying it as the fastest-growing financial crime in the United States. The 2025 environment is a direct evolution of that baseline – with AI dramatically compressing the skill barrier for entry.

The 2025 Threat Landscape: What the Data Shows

The FBI’s IC3 2024 Internet Crime Report, released in early 2025, recorded over $16.6 billion in total cybercrime losses reported by U.S. victims – a record. Business Email Compromise and related financial fraud schemes accounted for a disproportionate share, with adjusted losses exceeding $2.7 billion from email-based financial fraud alone. Synthetic identity fraud intersects directly with these schemes when attackers use fabricated vendor identities to redirect payments.

FinCEN – the Financial Crimes Enforcement Network, a bureau of the U.S. Treasury – has issued multiple advisories specifically calling out synthetic identity fraud as a growing threat to financial institutions and their business clients. FinCEN Advisory FIN-2022-A001 outlined the mechanics of synthetic identity fraud in credit products. More recent FinCEN guidance reinforces that synthetic identities are migrating from consumer credit fraud into commercial account fraud – meaning the attack surface has shifted toward business accounts, vendor relationships, and payroll systems.

The FinCEN advisories library is publicly available and worth bookmarking if your role involves any financial oversight of your business.

The Consumer Financial Protection Bureau estimated synthetic identity fraud losses in the U.S. financial system at approximately $20 billion annually – and that figure almost certainly understates the true impact. Many cases are written off as credit losses rather than identified as fraud, because the fabricated person simply never files a complaint.

How AI Supercharges the Attack

Four specific AI capabilities have materially changed the synthetic identity fraud threat in the last 18 to 24 months.

Generative Document Forgery

AI image generation tools now produce supporting identity documents – tax forms, incorporation certificates, utility bills – that are visually indistinguishable from real documents to a human reviewer. Metadata can be manipulated to appear internally consistent. A vendor sending you a W-9 with a forged EIN and a fabricated business address may look entirely credible on paper.

Deepfake Video for Liveness Checks

Many identity verification platforms added video selfie or liveness checks as a defense against static photo fraud. AI-generated deepfake video can now defeat real-time liveness detection at a quality that would have been implausible two years ago. Researchers cited by NIST’s AI research division have documented the rapid degradation of liveness detection accuracy against AI-generated faces.

Synthetic Credit File Seasoning at Scale

Attackers now use AI to manage large portfolios of synthetic identities simultaneously – slowly building credit histories, paying small balances, and establishing the appearance of financial legitimacy before executing a large fraudulent transaction. This process, called “busting out,” can be automated and scaled in ways that were operationally impossible before AI tooling existed.

Voice Cloning for Verification Calls

When a business or financial institution calls to verify a vendor or a wire transfer, voice cloning tools can now impersonate a known contact convincingly enough to pass verbal verification. This is no longer theoretical – it has appeared in documented fraud cases reported to the FBI.

Who It Affects: Why SMBs Are the Preferred Target

Large enterprises have invested heavily in identity verification infrastructure – dedicated fraud teams, automated behavioral analytics, layered identity checks. Small businesses, by contrast, typically run vendor onboarding and accounts payable through a handful of staff using email, PDF forms, and a manual approval workflow. That gap is the opportunity.

The SMB profiles most exposed include:

• Businesses that onboard new vendors frequently – construction, professional services, staffing, and consulting firms where vendor relationships turn over regularly.
• Companies that process wire transfers or ACH payments without a secondary out-of-band verification step.
• Organizations where a single person – an office manager, a bookkeeper, a COO – controls both vendor setup and payment approval.
• Businesses that have digitized their onboarding forms but have not updated their verification logic to account for AI-generated documentation.
• Non-profits and smaller professional services firms where trust is culturally embedded and skepticism about incoming vendor requests is low.

Pharmaceutical consulting firms and professional services businesses with global vendor ecosystems are especially exposed – in-person verification feels impractical and therefore gets skipped entirely.

Real-World Attack Patterns in Vendor and AP Workflows

Based on publicly disclosed fraud cases and FinCEN typology reports, these attack sequences are actively occurring against SMB accounts payable and vendor onboarding workflows.

The Phantom Vendor Insert

An attacker submits a new vendor application using a synthetic identity backed by a fabricated LLC, a real-looking EIN, a forged certificate of incorporation, and a bank account they control. The vendor clears normal onboarding. A plausible invoice follows. Payment is made before anyone identifies the vendor as fictitious. By the time a duplicate vendor audit might catch it, the account is closed and the money is gone.

The Existing Vendor Takeover with Synthetic Backup Identity

An attacker compromises a real vendor’s email account, then contacts the target business to update banking information. If challenged for verification, they’re prepared with synthetic documentation that matches the real vendor’s profile – AI-generated supporting documents that appear to corroborate the update request. The real vendor doesn’t know their relationship was used as a vehicle for fraud until payments stop arriving.

The New Employee Banking Fraud

A synthetic identity applies for a remote contractor role, passes background checks that rely on the real SSN embedded in the synthetic profile, gets onboarded, receives a payroll advance or equipment purchase, and disappears. HR and payroll systems at small businesses rarely have the fraud-detection layers that consumer credit bureaus have built over decades.

The Supply Chain Vendor Replacement

Attackers study a target company’s vendor list – often inferred from public procurement records, LinkedIn, or phished email access – then register a near-identical business name with a synthetic identity and reach out proactively, positioning themselves as the vendor’s “new billing entity.” This variant is particularly difficult to catch because it exploits the assumption of continuity in an existing relationship.

Defense Posture: What a Protected Business Looks Like

Defending against synthetic identity fraud does not require enterprise-scale spending. It requires deliberate process design and the right technology supporting those processes. Here is what a mature defensive posture looks like for an SMB.

Out-of-Band Vendor Verification

Any time a new vendor is added or banking information is changed, the verification call must happen over a separately sourced phone number – one found independently, not provided by the requester. A callback to the number in the original vendor contract, or a number pulled from the vendor’s official website, is the minimum acceptable standard. This single control defeats a large percentage of synthetic vendor fraud attempts.

Dual-Control on Payment Approvals

No single person should be able to create a new vendor and approve payment to that vendor. Separation of duties in accounts payable is a basic internal control that most SMBs have never formally implemented. Documenting and enforcing it – even at a two-person minimum – materially reduces exposure.

AI-Aware Document Review

Staff handling vendor onboarding should be trained to recognize the markers of AI-generated documentation: metadata inconsistencies, overly uniform fonts, missing micro-text features on ID documents, implausibly clean formatting. Software tools that perform document authenticity analysis are now commercially available and practical for SMB use.

Identity Verification for High-Value Relationships

For vendors who will receive payments above a defined threshold – one your business should set explicitly – require identity verification through a credentialed third-party service rather than relying on self-submitted documents. Services that cross-reference multiple authoritative databases simultaneously are significantly harder to defeat with synthetic credentials than a manual document review.

Endpoint and Email Security That Detects Compromise Early

Many synthetic identity fraud attacks succeed because they follow an initial email compromise. If your email environment and endpoints are monitored for behavioral anomalies – unusual login locations, first-time email forwarding rules, access from unfamiliar devices – an attacker’s foothold can be identified before the fraud executes. This is where a properly configured, monitored security environment earns its keep. You can read more about how Xact IT approaches layered email and endpoint protection on our cybersecurity services page.

Vendor Master File Audits

Quarterly audits of your vendor master file – checking for duplicate bank accounts, vendors with no purchase history, recently modified payment details, and vendors with addresses that match residential properties – catch the residue of phantom vendor fraud that initial controls missed. Many small businesses have never audited their vendor files. The results are frequently surprising. For more on how managed IT services support these ongoing audit processes, visit our managed IT services page.

What to Ask Your IT and Security Firm

If you’re evaluating whether your current IT and security relationship is equipped to address this threat, these questions separate firms with genuine capability from those who will simply nod along.

• Have you reviewed our vendor onboarding workflow and accounts payable process for fraud control gaps in the last 12 months? If not, what would that review involve?
• Are our email accounts monitored for the behavioral indicators that precede a financial fraud attempt – login anomalies, forwarding rules, unexpected delegation?
• Do we have any tools in place that would flag AI-generated or manipulated documents submitted through our onboarding forms?
• How would we know if a vendor’s email account – not our own – had been compromised before we acted on a payment update request?
• Can you walk me through how our current environment would respond if an attacker had been inside our email for 30 days before executing a fraudulent payment request?

These are not technical questions. They are business continuity questions. Any IT or security firm that can’t answer them clearly and specifically is not operating at the level your business requires.

Synthetic identity fraud is not a future threat. The FinCEN data, the IC3 loss figures, and the documented fraud typologies all point to a threat that is active, growing, and disproportionately landing on businesses that have never thought of their vendor onboarding form as an attack surface. The businesses that avoid losses are the ones that treat process design and verified controls as security infrastructure – not administrative overhead. AI has lowered the barrier for attackers. The defense is not more complexity. It is more deliberateness.

If you want to know where your vendor and payment workflows are exposed, Book a Free Cybersecurity Strategy Call. It’s a 20-minute conversation with our team – no sales pressure, no obligation.