In the twelve months to March 2026, identity fraud cases reported through the UK's fraud prevention ecosystem exceeded 237,000 — a 22% increase on the previous year and the highest figure on record. According to data from Cifas, the UK's fraud prevention service, identity fraud now accounts for approximately 68% of all fraud cases filed to the National Fraud Database.
Behind that headline number is a structural shift in how identity fraud is conducted, who it targets, and what it costs. The tools, methods, and scale of identity fraud in 2025-26 bear little resemblance to the stereotype of a stolen wallet and a forged signature. This is an industrialised, technology-enabled problem — and the data tells us exactly where the defences are failing.
The headline numbers
The key figures from the most recent data period paint a comprehensive picture:
237,000+ identity fraud cases recorded on the Cifas National Fraud Database — up 22% year-on-year.
£1.8 billion estimated total cost of identity fraud to the UK economy, combining direct financial losses with the cost of prevention, investigation, and remediation, according to estimates from the National Crime Agency.
89% of identity fraud cases involved the use of a victim's details to apply for financial products (credit cards, loans, bank accounts) — the single largest fraud category.
£580 million in prevented fraud through Cifas member interventions — money that would have been lost without the database matching and flagging systems. This figure underscores both the scale of the threat and the value of prevention infrastructure.
14,200 cases of facility takeover fraud — where a criminal takes control of an existing account using stolen identity information — up 31% from the previous year.
Where the growth is coming from
The overall increase in identity fraud masks significant variation in how different fraud types are evolving.
Synthetic identity fraud
The fastest-growing category is synthetic identity fraud — the creation of entirely new identities constructed from a combination of real and fabricated information. A synthetic identity might use a real National Insurance number (perhaps belonging to a child, a deceased person, or someone who has never applied for credit) combined with a fabricated name, date of birth, and address.
Synthetic identities are particularly difficult to detect because there is no single victim to raise an alarm. The "person" who applies for credit never existed. The application is assessed on its own merits — credit scoring, address verification, employment details — and if the synthetic identity has been carefully nurtured over months (a practice known as "bust-out fraud"), it may pass all automated checks.
Cifas data indicates that synthetic identity fraud grew by approximately 35% in 2025-26. The growth is driven by two factors: the increasing availability of leaked personal data (providing the raw material for constructing synthetic identities) and the use of AI tools that can generate realistic supporting documents, photographs, and even biometric data.
AI-generated fraudulent documents
Traditional document fraud relied on physical counterfeiting — altered passports, forged utility bills, tampered bank statements. The quality was variable, and trained verifiers could often spot the tells.
AI-generated documents represent a step change. Using generative AI tools, fraudsters can produce documents that are pixel-perfect replicas of legitimate originals — with genuine-looking security features, consistent formatting, and accurate institutional branding. UK Finance reported that financial institutions flagged a significant increase in suspected AI-generated documents in 2025-26, particularly in mortgage applications and business lending.
For employers, this has direct implications. Right-to-work documents, qualification certificates, reference letters, and proof-of-address documents can all be fabricated using AI tools. A right-to-work check that relies solely on visual inspection of documents — without cross-referencing against the Home Office online system — is increasingly vulnerable to AI-generated fakes.
Deepfake identity fraud
Deepfake technology has moved from a theoretical concern to an operational fraud tool. The data shows a marked increase in fraud cases involving AI-generated images and video used to bypass identity verification processes.
Common scenarios include:
- Fabricated selfie verification — bypassing "take a selfie" identity checks using AI-generated face images that match a stolen or synthetic identity
- Video call impersonation — using real-time deepfake technology to impersonate a real person during a video verification call
- Document-face matching — creating an AI-generated face that matches a fraudulent document, so the selfie and the document are consistent even though neither represents a real person
The rise of deepfake technology in fraud means that verification methods which rely on visual matching — "does the person match the photo?" — are becoming less reliable as a standalone control.
Sector-by-sector breakdown
Identity fraud affects all sectors, but the concentration varies significantly.
Financial services remains the primary target, accounting for approximately 72% of all identity fraud cases. Credit cards, personal loans, current accounts, and insurance products are the main targets. The financial incentive is direct: successful identity fraud against a financial institution produces immediate monetary gain.
Telecoms accounts for roughly 11% of cases. Mobile phone contracts taken out in fraudulent names are often used as a stepping stone — the phone and the contract it creates become tools for further fraud, providing a verified phone number and a billing address.
Public sector represents approximately 6%. This includes benefit fraud, tax credit fraud, and fraudulent applications for government services. The public sector figure is likely understated, as detection and reporting mechanisms in government departments vary widely.
Retail and e-commerce makes up around 5%, primarily involving fraudulent purchases and account takeovers. The shift to online shopping during and after the pandemic expanded the attack surface significantly.
Employment and recruitment is a growing category — estimated at 3-4% of cases but increasing rapidly. This includes candidates using fraudulent identities to pass employment checks, deepfake candidates in video interviews, and fraudulent right-to-work documents. For employers, this category represents direct compliance risk: if an employee's identity was fraudulent, the right-to-work check based on that identity may be invalid.
The cost to businesses
The financial impact of identity fraud extends well beyond the direct losses.
Direct financial losses — money stolen, credit extended to fraudulent identities, transactions that cannot be recovered — represent the most visible cost. UK Finance estimates that direct losses from identity-related fraud exceeded £1.2 billion in 2025.
Investigation and remediation costs — internal fraud investigation, external forensic analysis, system remediation, customer notification, and credit monitoring for affected individuals — typically run to 3-5x the direct loss.
Regulatory penalties — businesses in regulated sectors (financial services, employment) face penalties for failing to detect fraudulent identities. An employer who employed someone on the basis of a fraudulent right-to-work document and cannot demonstrate that they conducted a proper check faces a civil penalty of up to £60,000.
Reputational damage — the least quantifiable but often the most significant long-term cost. A data breach involving customer identity data, or a public enforcement action, erodes trust in ways that take years to rebuild.
Operational disruption — when identity fraud is discovered within an organisation (an employee working under a false identity, a client whose identity is fraudulent), the operational disruption extends across HR, legal, IT, and management teams.
Where verification is failing
The statistics point to specific failure points in how identity is currently verified:
Over-reliance on document inspection
Physical and digital documents were designed for a world where counterfeiting required skill and equipment. AI-generated documents require neither. A verification process that depends primarily on visual inspection of documents — without electronic validation against authoritative databases — has a growing blind spot.
Static verification at a point in time
Most identity verification happens once — at the point of account opening, employment start, or contract signing. After that initial check, the identity is assumed to remain valid. But identities can be compromised after verification. Accounts can be taken over. Credentials can be stolen. A verification that was valid six months ago may not be valid today.
Siloed verification
Different organisations verify the same individual independently, using different methods, at different times. A person's identity is verified by their bank, their employer, their landlord, their mobile provider, and their GP — each in isolation, each maintaining its own records, none sharing insights. A fraudster who fails verification at one institution simply tries another.
Human judgment as the final layer
Many verification processes ultimately rely on a human being looking at a document, looking at a person, and making a judgment: "Does this look right?" That judgment is vulnerable to fatigue, time pressure, lack of training, and — increasingly — to AI-generated content that is specifically designed to pass human inspection.
What the trends mean for employers
For UK employers, the identity fraud statistics carry specific, actionable implications.
First, the right-to-work checking process needs to go beyond document inspection. Where the Home Office online checking service is available (for biometric residence permits, EUSS status, and other digital-only statuses), use it. For document-based checks, verify that the documents are genuine using available cross-reference tools rather than relying solely on visual inspection.
Second, the rise of synthetic and AI-generated identities means that the risk of employing someone under a false identity is higher than it has ever been. This is not just a compliance issue — it is a security issue. An individual who has passed your hiring process under a fraudulent identity has access to your systems, your data, and your premises under a name that cannot be traced back to a real person.
Third, the employment and recruitment category's rapid growth signals that fraudsters are increasingly targeting the employment verification process itself. Building a robust, multi-layered verification process is not a luxury — it is a response to a measurable and growing threat.
The AI paradox
Perhaps the most significant takeaway from the 2025-26 data is the paradoxical role of AI. AI is simultaneously the primary driver of new fraud methods (synthetic identities, deepfakes, generated documents) and the most promising tool for detecting them (pattern recognition, anomaly detection, biometric analysis).
The businesses and institutions that will navigate this environment successfully are those that adopt AI-powered verification — not as a replacement for human judgment but as a layer that operates at a speed and scale that human inspection cannot match.
The alternative — relying on the same document inspection and visual matching methods that have been in place for decades — is a strategy with a measurable and growing failure rate.
Certifyd uses multi-layered identity verification — combining document validation, biometric analysis, and real-time database checks — to protect businesses against both traditional and AI-enabled identity fraud. When 237,000 identity fraud cases are recorded in a single year, verification that relies on human inspection alone is not enough.