The eight types of document fraud

Document forgery is the act of creating a fake document from scratch, imitating a genuine one. Document forgery is as old as documents themselves, but for most of this time it was largely confined to an underground industry where success required a skilled artistic sense, physical access to legitimate examples, and specialized supplies like presses, printers, paper, and plastic. Given this relatively high bar, bad fakes were fairly easy to spot with a well-trained eye, and good fakes were costly and therefore uncommon.

With the increasing sophistication of technology, however, document forgery is booming. The only required supplies are a computer and free software, while digital examples of what the real deal looks like can be obtained on the internet, in your email, or through your nearest scanner. This means that document forgery is becoming easier and vastly more common: anyone anywhere can whip up a document and try to pass it off as something it’s not.

As image creation and editing software becomes more sophisticated and fraudsters have more time to hone their skills, it's becoming harder to distinguish between genuine and forged documents.

Still, just because making fraudulent documents is easier nowadays, it doesn’t necessarily mean that making good fake documents is easy: fraudsters, being fraudsters, are usually looking for the easy way out and give themselves away with typos, unprofessional formatting, and the use of fonts and logos that don't match the genuine article. Usually, a forged document made entirely from scratch can be distinguished just by comparing it to a document that's been confirmed as the authentic.

Unlike document forgery where a completely fake document is created from scratch, document alteration or document manipulation involves making changes to an existing genuine document. This can be as simple as writing in new dates, names, or numbers on a document, or it can take the form of professional Photoshop jobs that turn out super-convincing fake ID cards. Compared to document forgery, document alteration escalates the challenge to fraud risk management teams in two main ways.

First, document manipulation lets fraudsters leave most of the original file intact; most of the information on the provided document, therefore, may well be valid. Fraudsters seeking to commit first-party fraud, for example, might use their real name, real phone number, real photo, and so on, but they may “adjust” their address to access a service in a country where they aren’t legally allowed to do so. With the majority of personally identifiable information otherwise easy to verify, it’s more likely that the falsified details will be overlooked or simply assumed to be true.

The second way that document alteration challenges most anti-fraud processes is through the ability to make changes so subtle as to be essentially invisible to the naked eye.

Thanks to image editing programs that allow users to make pixel-by-pixel changes, document manipulations today may be tiny, a needle in a digital haystack. Imagine, for example, how a bad actor might use the grade-school trick of changing a 3 to an 8. PDF editing software allows for perfect editing, leaving only traces of alteration in the document's metadata. 

Manual reviews are unlikely to notice such a minute change, not due to negligence but rather simple human limitations. This is often amplified when a review process relies on speedy checks on high volumes of applications, as one of our clients discovered during their digital mortgage underwriting process.

It’s these tiny or even invisible-to-the-naked-eye manipulations in particular that make AI document fraud detection checks a necessity. Simply put, AI and other machine learning techniques pick up on even the tiniest alterations, and can rapidly scan a file's metadata for what changes where made and how.

Identity fraud and identity theft are often used interchangeably, and both refer to the act of obtaining someone else's personal information without their knowledge or consent and then using that information for fraudulent purposes. Essentially, identity theft is an elaborate form of impersonation.

Unfortunately, identity theft thrives due to the many vectors through which fraudsters can obtain personally identifiable information (PII). On the low-tech side, for instance, an online banking password and username combination can be picked up simply by looking over a victim's shoulder as they type, or by carefully overhearing a sensitive conversation.

More technically skilled bad actors make a profession out of hacking into centralized online services to collect reams of well-organized personal data on thousands of customers at once, from names and addresses to credit card and Social Security numbers. These are often sold on internet marketplaces to criminals who specialize in creating and using this info in the form of fraudulent documents. Since thousands of individuals can be involved in these sorts of data breaches, fraudsters who get their hands on tranches of info can carry out industrial-level "serial fraud", which we'll elaborate on shortly.

To make this matter more complicated, the "theft" part of identity theft may in fact be too narrow to describe the full range of confidence tricks that fraudsters use today. Phishing and social engineering, for example, involve fraudsters who take on the role of a trusted figure—a boss, a government agency, etc.—to collect usable data from unsuspecting victims.

Though stolen PII is often combined with the forgery and manipulation techniques described above, that's not always so. In any case, identity fraud presents traditional anti-fraud countermeasures with a challenge because the information being used by fraudsters is usually genuine. This is where looking beyond the document itself becomes indispensable: advanced forensic techniques such as checking for reused documents and examining location data can alert you that a fraudster is at work with PII that isn't their own.

Synthetic identity fraud, sometimes simply called synthetic fraud, is a newer form of identity fraud. It involves combining real information or real and fake information in a way that creates an entirely new but overall fictitious identity.

This type of fraud is particularly challenging to detect because it combines many of the strengths of the techniques described above. A fraudster may, for instance, start off by stealing or buying a large batch of PII, such as photos of ID cards and credit card information. On their own these pieces of information may not be enough to, say, open an online bank account, but document forgery or manipulation can easily fill in the gaps to provide a fake proof of address.

On the other hand, a fraudster might acquire a particularly detailed set of stolen information, more than enough to successfully open an account in any one individual's name. Without the need to forge documents, the fraudster might instead mix and match genuine information many times over—one victim's name with another's address with yet another's credit card number, and so on.

This gives fraudsters the ability to open an essentially unlimited number of unique accounts, or at least grants them an unlimited number of attempts to bypass security screenings, maximizing their payoff and/or slowing how quickly a victim realizes their identity has been stolen.

Fraud detection systems can easily be caught off guard by this technique: if information is properly formatted and individually valid, many systems may not flag it as problematic. At most, a system might just get confused and forward the case for manual review, which is slower, costlier, and not without its own ability to be fooled. This is why, once again, it's vital to step beyond simply what a document says on the page and take a holistic view, looking at all the documents submitted as part of a case and all documents received over time. In addition to catching hard-to-recognize fake documents, patterns of reused documents, reused information, or information that is blended in a predictable way can reveal synthetic identity fraud. This large-scale pattern recognition is a particular strength of AI fraud detection software.

While technically a form of document alteration, template fraud is so prevalent and overwhelming to first-line controls that we consider it a unique and notable brand of fraud. Similar to how identity thieves often distribute the info they've obtained through marketplaces, it's very easy to find ready-to-edit templates for all kinds of common document types online from specialized template farms or document mills. With a little knowledge of what you're looking for, these can pop up in just a few seconds on your favorite search engine.

Skilled forgers create passable fakes, even testing whether they serve their purpose (though of course quality can be highly variable). These are then made available for download in PDF or image format, for free or for a fee. Usually accompanied by instructions for how the end user should input their desired information, templates make document fraud still easier and more accessible, allowing anyone, anywhere to try their hand at digital fraud.

Pre-digital modification is another twist on the document fraud techniques discussed above, but its extra steps can add a lot of complications. Pre-digital document fraud is when a document is forged or altered, printed, then photographed or scanned to produce a new digital file. This is an attempt to wipe away the "fingerprints" left in image or PDF metadata when a file is opened and re-saved in an editing program.

This seemingly simple workaround commonly fools humans and less sophisticated fraud detection solutions. Manual reviewers, for instance, may be presented with an image that looks like any other photo or scan, while technological programs overly reliant on certain portions of metadata will sign off that the file hasn't been altered.

Examining documents holistically rather than in isolation is again vital here. Patterns such as where an image was created, the device used to create it, or even similarities in images themselves can be indicators that a file is coming from an untrustworthy source. This presents an especially significant impediment for serial fraudsters, who might have passable pre-digital modifications but who regularly upload from a specific place using the same equipment.

Just as every technological advancement is soon put toward less savory ends, fraudsters are increasingly harnessing generative AI tools such as ChatGPT and Midjourney. Generated document fraud uses consumer artificial intelligence to produce original documents from scratch—just describe what you want in a prompt and in seconds you can get something usable. The results can range from nonsense words on documents from nonexistent countries to eerily realistic.

As we described in our deep dive into "FraudGPT", traditional fraud checks struggle to reliably identify the minute details that expose high-quality generated documents and images as fakes. Fighting this recent flood of generated documents instead requires multiple layers of self-reinforcing checks that are deployed consistently and simultaneously to check everything from metadata to how an uploaded document fits into the context of other information provided by customers.

Serial fraud deploys one or more of the fraud techniques above on a  repeated, mass scale. Fraudsters identify a vulnerability financial institution's document controls and then use automation and other technologies to exploit that vulnerability on an industrial scale. The combination of freely available personal information, easy-to-use forgery technology, and the semi-secrecy of online services has made this type of fraud not only possible but a particularly pernicious threat among fintechs and financial services providers today.

Here's an example of how it works. A fraudster may hide behind the safety of their computer screen, methodically testing combinations of stolen and/or forged ID cards and supporting documents in an attempt to bypass an online bank's KYC onboarding process. Once they hit on a winning combination, they can mix and match other stolen information, reproduce endless supporting documentation, and even use generative AI to defeat liveness checks. Enterprising criminals have even been known to write scripts to automate questionnaires, filling in fields and checking boxes in seconds. The result can be dozens or even hundreds of fraudulent accounts under the control of a single fraudster, able to be used over and over again for scams or money laundering operations—even if one account is shut down, another is ready to take its place. This sounds elaborate, but it's not theoretical: it was the very real challenge we confronted in one major international payment processor.

It's the combination of techniques used in conjunction with one another in order to flood and overwhelm traditional fraud detection systems that makes serial fraud one of the most significant threats to understand in today's fraud environment. Modern document fraud risk assessments must therefore call for multiple interlocking and mutually reinforcing layers of fraud detection and prevention, starting with the minutiae of identifying individual examples of forgery or alteration that may be invisible to the human eye and building up a picture of fraud and abuse patterns across an entire customer base over time. Taking a broad view that does not rely on the luck of a well-trained human eye or intimate familiarity with specific document types is the only way to effectively counter not just individual bad actors but also the recurrent attempts that have come to characterize document fraud in the digital age.