Global Document Fraud Report 2026

What 170 million documents reveal about amateur and professional document fraud

Document fraud has changed. What used to be a craft practiced by skilled forgers has industrialized into a supply chain serving everyone from first-time opportunists to organized crime rings.

After analyzing 170 million+ documents, it’s very clear: the line between amateur and professional fraud is blurring (and both sides are getting better).

This report examines the state of document fraud in 2025 and what it means for 2026. We'll cover the threats, where they concentrate, and why detection alone isn't enough.

Key statistics

Of all the Docs we saw in 2025, 1 in 3 documents had their structural integrity tampered with, while nearly 1 in 10 were considered high risk, meaning  tampering that indicated strong fraudulent intent. This class of documents was up 28.5% year-over-year (YoY).

Now, being able to tell the difference between a tampered document and one that shows signs of tampering with fraudulent intent is critical. It's the difference between stopping a fraudster, and ruining the experience of three good customers to do so.

Serial fraud, the industrial-scale reuse and (re)production of fraudulent documents to exploit weaknesses in onboarding and underwriting controls, was up a whopping 7x YoY.

Detection rates always fluctuate with improvements, but serial fraud has been a solid and repeatable detection mechanism for us for a while. 

The divide between amateur and professional fraud

Document fraud now spans a spectrum from amateur opportunists to professional operations. Each requires different detection approaches.

• Amateur fraud. Relying on their personal documents (first-party fraud) or acquiring them from template farms, naive Gen AI use (no metadata stripping or transformation of image source), and simple editing techniques. Can be easier to catch, but only if you know where to look: relying on your eyes will get you into hot water.
  
  
• Professional fraud. Custom templates built outside catalogued farms, sophisticated Gen AI usage with metadata stripped, and deliberate detection evasion tactics. It's harder to catch, but network detection still works.

While we’ve only catalogued a representative sample of what template farms have to offer, what we see in our production data and samples indicates the most sophisticated organized operators often building their own infrastructure. This is consistent with the attack cluster data showing coordinated multi-document campaigns that no known template farm supports.

Key consideration for fighting back

To fight against fraud you need to hold on to two truths:

Fraud is subjective. So is efficacy. Define your battle ground

Here's the uncomfortable truth: what counts as "unacceptable risk" varies.

We’re opinionated: We ground our high-risk category in what we consider objective indicators of compromised document structure, integrity, and context.

But different industries (and companies within them) have different risk tolerances, which directly affects automation rates.

That's why our default risk profiles achieve 82–92% automation rates (documents auto-approved or declined) on day one, varying by industry.

Reaching rates up to 98% is possible, but requires clear risk policy definitions, not better technology. Most organizations have never defined these policies when it comes to documents. That's the real blocker.

There isn’t a single bogey man, nor silver bullet

Fraud is multi-faceted. Getting too absorbed by any one trend will leave you open to the tactics you aren’t paying attention to. Part of our research exemplifies this:

• Gen AI is the fastest growing threat, up 90% YoY (but it’s still small). Despite years of media and vendor hype, fully synthetic AI document fraud didn't take off until Nano Banana Pro's November 2025 release. Everything before that was noise. Everything after is a signal.
  
  
• Layered signals beat single indicators. Combining multiple detection layers catches 40% more fraud than relying on any single method alone. The best fraud isn't caught by any one signal. It's caught by the combination.
  
  

The threat landscape

9.08% of documents show high risk markers in 2025

28.5% increase from 2024.

That's nearly 1 in 10 documents showing evidence of tampering with fraudulent intent. And the growth isn't slowing.

Not all documents are equally attractive to fraudsters. Why the variance? Some potential reasons based on document type:

• Tax documents are high-value (they are key in underwriting and onboarding scenarios) and low-verification (they can be hard to verify).
• Company information documents enable KYB fraud at scale, and businesses as fraud vehicles offer higher fraud and financial crime returns: you can transact higher amounts, charge higher amounts, etc. 
• Utility bills are the path of least resistance for proof of address.

Format manipulation: The evasion tactic

A quick glance at high risk rates across formats would lead you to believe digital PDFs are the riskier format. 

But this is misleading.

Here's the reality: Scanned PDFs and images are never the original documents. Confirming fraud or authenticity is harder because the conversion process destroys evidence.

Signals you would get from analyzing a PDF, such as structural and metadata tampering, are either harder to pick up or gone. You might end up with only weaker signals, leading to Warning signals, instead of high-confidence fraud signals. 

Without properly defined risk policies (see below), this can either lead to increase fraud exposure, or manual reviews that just won't go away. With the right ones, even light signals can be used to approve or reject documents. 

The "lower" fraud rates for scans and images are undercounts, not signs of safety. If anything, scanned PDFs should be considered higher risk precisely because so much signal is lost.

When this is done with intent, we call this "format hopping."

1 in 4 image or scan submissions show signs of format hopping.

While not always fraudulent (some users genuinely don't know how to download a PDF), the pattern increases risk.

Format hopping examples:

• Digital prints. When a PDF is turned into a pristine JPEG, and integrating that image into a PDF. 

   

• Print-to-pdf. When users "print to PDF" from their browser instead of downloading the original document.

  
  
• Screenshots. Screenshots are never the original document. Period. They're recreations that inherit none of the metadata or structural properties of the source.
  
  

• Printing and scanning, or photographing a document. While some documents are legitimately provided only in printed form, many official documents these days exist in PDF format.

  
  

26.6% of images and scans have digital PDF alternatives.

With that availability, why are there so many scans/photos/screenshots submitted for review? Convenience or intentional evasion?

Businesses accept some of these formats to help customers more easily submit documents. But not all format changes are created equal, and that customer experience can come at higher cost.

Some denote higher levels of technical competency, and therefore should be considered higher risk than others, especially when paired with other signals in the document or at the submission level.

The metadata trap: Less useful than you might think

While High Risk documents are over 5 times more likely to have their metadata stripped than Normal documents, here's the catch: relying on metadata alone is a strategy doomed to fail.

Professional fraudsters can produce documents with correct metadata. Metadata’s just one input among many, not a detection approach.

Here's an example of this trap: finding traces of editing tools in metadata:

At first glance, you might assume that documents revealing these editors in metadata may warrant immediate scrutiny or auto-decline, depending on your risk appetite.

But the challenge is distinguishing intent: Adobe Acrobat and Photoshop are legitimate production tools for many official document issuers.

Correctly distinguishing tool use versus forgery can make or break your customer experience and automation goals. It’s not all about metadata giveaways.

Threat intelligence: The fraud supply chain

If you want to understand the document fraud landscape, follow the infrastructure that makes it possible.

Template farms

The entry point for fraud, template farms allow fraudsters to download editable templates and submit them as formal evidence. 

The economics are striking: $28.29 is the average barrier to entry for document fraud in 2025. Less than a nice dinner.

A note on methodology: These stats are a staggering jump up from what we covered in 2024, with both websites and document templates nearly doubling. But this growth reflects both actual expansion of the fraud economy and our improved cataloging of existing farms. The infrastructure was already larger than we knew.

Most farms target documents from the most mature financial systems, but nearly all are represented, and we expect that as we expand research, we will find more farms specializing in specific regions.

However, given the heavy flow of international web traffic we see to farms specializing targeting mature financial systems, we expect this pattern to hold.

Account farms

Account farms provide pre-verified infrastructure, giving access to already onboarded accounts to be used at will.

Account farms sell the end product: Fully onboarded, KYC-passed accounts that fraudsters can use immediately. No need to create fake identities from scratch: you can buy ready-made access.

How do criminals create onboarded accounts?

• Synthetic identities. Combine fabricated and stolen data into personas that pass basic verification.
  
  

• Account takeovers. Hijack legitimate accounts from real people.
  
  

• Shell companies. Pass basic checks with minimal documentation.

Account farms are the next layer of the fraud supply chain — and they're growing.

Supply chain economics

The fraud supply chain has professionalized:

4 trends reshaping the threat landscape in 2025-2026

Now that we’ve established the current landscape, let's cover some new and evolving threats that are still taking shape.

While document generators and cross-border leakage are still under investigation and somewhat self explanatory, Serial Fraud and Generative AI already have a lot of data behind them as you’ll see below:

Serial fraud: The organized threat

We defined the category of serial fraud in September 2024:

23% of all high risk documents

show signs of serial fraud.

It’s not just growing. It's becoming a larger share of the fraud we catch, amounting to:

70,000 median serial fraud detections per month.

Where it concentrates

While marketplaces are overwhelmingly exposed, Payment providers, especially those that are marketplace adjacent and are responsible for seller onboarding onto the marketplaces, are similarly exposed.

Meanwhile, gaming and insurance see modest but measurable activity.

Outside these sectors, serial fraud may seem rare when looking at the percentage distributions, but this is skewed by the scale of attacks on marketplaces.

Serial fraud impacts all sectors. 

We catch serial fraud by identifying behavioral patterns across documents, not by maintaining a database of known bad templates. When a template shows up that we've never seen before, we still catch it because the pattern of reuse is visible in the network.

Fundamentally, the difference we are talking about here is actually one of attribution: the 1.7% that have a template farm attribution would still have been caught by our core serial fraud detection capabilities. 

This difference in attribution is driven by two things: 

• The first is that the rabbit hole of template farms is far deeper than what we have mapped so far. 
  
  

• The second is what we see in our own production data: The most sophisticated professionals aren't using off-the-shelf templates from farms. They're making their own to create novel large scale attacks.

23,352 documents in a single cluster

The largest serial fraud cluster we detected in a single customer included 23,352 documents. 

But it wasn't 23,352 copies of the same template.

It was a coordinated operation using multiple different document types as part of the same fraud campaign.

This is what network detection catches that document-level analysis misses.

A fraudster submitting Bank of America statements, Chase statements, and Wells Fargo statements might look like three separate applicants at the document level.

At the network level, we see the connections: same underlying patterns, same fraud operation, same cluster. 

That’s not to say certain templates aren’t more heavily targeted:

Interestingly, the largest cluster we saw this year was 1/3rd the size of the largest we saw in 2024, which reached just over 70,000 documents.

We attribute that to the usual pattern we see over time in institutions we protect: fraudsters adapt and increase their iteration speeds to try and get past our defenses. 

80% of serial fraud campaigns last less than 25 days

This incredible growth is obviously a combination of two factors: 

• Increased detection capabilities. We have been rolling out more and more sophisticated detection capabilities over the past year. 
• Actual fraud growth. Yes, we're catching more, but there is also more to catch. 

The Nano banana moment

In fact, for most of the year, Gen AI document fraud was not theoretical but largely ineffective on complex documents.

Detection numbers were low, and the media hype outpaced the actual threat, something we heavily covered in our multiple webinars covering the up-to-date limits of the threat.  

Then Nano Banana Pro launched in November 2025 and totally changed hte game.

The mid-march social media obsession with expense receipts was really driven by the fact that receipts are simple documents with no standard layout that needs adhering to, and was all the models could really handle without messing.   

Unlike previous models that struggled with text consistency in complex documents, Nano Banana Pro can generate nearly perfect documents with very few, if any, instances of mangled text.

It can even do the math on the documents it creates correctly, adjusting totals when you add line items.

We've come a long way since mid 2024: 

A large portion of the document fraud we've seen this year came at the tail end of the year off the Nano Banana Pro launch. 

Document image generation has markedly improved. For a deep dive on Gen AI document fraud, see our dedicated analysis.

How amateur and professional fraudsters differ in Gen AI use

Most Gen AI fraud is amateur hour. Users prompt ChatGPT or Gemini, get an output, and submit it directly (with all the telltale metadata intact). Basic checks catch them.

But the proportion of sophisticated fraud is growing. As fraudsters learn, the easy catches will disappear.

But what separates the two? What makes professionals harder to catch?

1. Generate 100 documents via API.
2. Use a second model to quality-check outputs.
3. Combine with leaked PII to create complete application packages.
4. Submit at scale.

This industrialization isn't theoretical. OnlyFake demonstrated batch creation of fake documents in 2024, even with limited generative capabilities.

The infrastructure exists, and the models are getting better at enabling automation at scale. 

Where fraud concentrates

Who is most at risk from the document fraud threat?

Industry verticals and use cases

We primarily work within 7 key verticals: marketplaces, gaming, payment providers, banks, lenders, insurance, and screening services (more details available in our methodology section). 

But not all verticals face the same fraud profile: nearly 1 in 5 marketplace documents have high-risk markers. 

High volume, rapid onboarding, and valuable accounts create perfect conditions for organized fraud.

The 86% of serial fraud that concentrates in marketplaces mentioned earlier tells the same story.

The pattern we see repeats itself across sectors: the higher the velocity, and the more focused on b2b the flow, the face higher risks. 

We see the same thing when breaking down the risks by use case: "vendor onboarding" is an often overlooked document verification workflow for large institutions, but supplier fraud and business email compromise scams often rely on doctored invoices and fake certifications. 

High-risk regions

Since we received documents from over 135 different countries, we've focused on countries where more than 100,000 documents were received and were not overly concentrated from any one use case or customer. 

Bangladesh stands out as an extreme outlier with just over 50% of documents falling into high risk categories. Overall, most countries sit between sit in the 20 to 10% range.

From detection to decision

Time for actionable insights on what to do about these threats.

Network detection vs single document-level analysis

The industry default is document-level analysis: examine each document in isolation, catch obvious manipulation, maybe compare it to a library of templates, move on.

Network detection is different. We connect patterns across documents, customers, and time, leverage signals beyond the documents alone. We catch coordinated, industrial scale serial fraud attacks that look normal at the individual document level.

What actually triggers declines

While we pride ourselves in our network-level capabilities and all of the other detection capabilities, the reality is that the clear majority of declines are driven not by a single detection signal, but by multiple detection signals operating in concert. 

Risk tolerance: The questions you need to answer

We could give you a prescriptive framework. Signal X means action Y. But that would miss the point.

Fraud is subjective. What's unacceptable risk for one organization is acceptable for another. The questions matter more than our answers.

Some signals indicate high-confidence fraud across virtually all verticals:

If you see these, decline. The false positive rate is negligible.

Signals that require questions

• Screenshots. Evidence of fraud, or just a user who doesn’t know how to download a PDF? Your answer depends on your vertical, your customer base, and your fraud exposure.
  
  
• Print-to-PDF. A red flag, or standard behavior for certain demographics? Some user populations legitimately struggle to download PDFs properly.
  
  
• Single manipulation signals. Enough to decline, or does context matter? A single anomaly might be an artifact. Multiple anomalies are a pattern.
  
  
• Online generator-created documents. Fraud, or a freelancer using a legitimate paystub tool? The tool is the same; the intent is different.

These questions don't have universal answers. They have your answers.

Why risk policy matters more than detection tools

Detection identifies signals. Decisioning applies context.

Without clear risk policies, you're left with every flag requiring human review, no differentiation between high-confidence fraud and edge cases, and reviewer fatigue leading to missed signals.

Most organizations have never defined these policies. That's the real blocker.

82-92% automation from day one

We have various out-of-the-box configurations tailored to specific industry use cases that provide a range of fully automated decisions (auto-approval and auto-decline), depending on risk appetite.

The differentiator isn't technology. It's:

• Using any document attribute as a decision signal. Format, classification, issuer, country, fraud indicators, verdict: all of these can drive automatic decisions if you've defined the policy.
  
  
• Defining explicit policies for edge cases. What do you do with screen photos from certain countries? Generator-created documents in certain use cases? Single manipulation signals on certain document types
  
  
• An ongoing partnership. 98% automation means flagging false negatives and positives that have never occurred before, defining clear answers to them, and adjusting models appropriately. 

The Adaptive Decisioning leverage

Detection without decisioning creates operational burden. Every flag requires review.

Detection plus decisioning creates operational leverage. High-confidence fraud gets blocked automatically. Low-risk documents approved automatically. Human expertise gets reserved for genuine ambiguity.

We don't just detect fraud.

We help you define and operationalize the risk policies that turn detection into extreme automation.