Shufti's Deepfake Fraud Index Projects a 495% Surge in 2026

Key Takeaways

Four findings from analysed fraud attempts

What a Deepfake Actually Is, and Why It Scales Like Software

Deepfake is the use of generative AI to create synthetic faces, videos, and identity documents that pass automated identity checks. Instead of editing one stolen photo, attackers now generate complete, believable identities on demand.

The shift is from craft to assembly line. A few years ago, a believable fake face needed a skilled editor and hours of work. Today an attacker feeds one image or a text prompt into a generative model and gets back a fully animated face that blinks, turns its head, lip-syncs, and reacts in real time, ready to drop into a selfie check or a live video call.

That industrialization is why the growth in this report climbs the way it does. When fraud becomes software, it scales like software.

The Deepfake Fraud Stack Behind the Surge

Four AI-driven categories make up the threat. Synthetic Identity account for the largest share, but all four are climbing, and Document Deepfakes is accelerating the hardest.

The mix is no longer dominated by any single technique. Synthetic Identity lead, live video deepfakes and Face Swaps's follow, and document deepfakes, though the smallest share today, is rising fastest:

42.3%Synthetic Identity

28.1%Live Video

17.6%Face Swap

11.9%Document

42.3%

Synthetic Identity

Entirely synthetic faces of people who do not exist.

28.1%

Live Video Deepfakes

A manipulated live video stream presented during verification.

17.6%

Face Swaps

A victim's face mapped onto an attacker's head in real time.

11.9%

Document Deepfakes

AI-produced documents and media submitted as genuine.

Fastest growing

How Fast This Is Moving: AI Fraud, Year by Year

This chart tracks the four AI attack types as a single combined threat, indexed to 2025 = 100. The climb is steep and accelerating: from a negligible base in 2023, AI fraud has multiplied every year, and on current trends, 2026 reaches nearly six times the 2025 level.

All four AI attack types: Projected 2026 growth

Document Deepfake - The Fastest Growing Type

One category is driving the spike. Document Deepfakes is the fastest-growing of the four, projected to rise nearly +3,900% year over year in 2026 (annualized estimate), by far the sharpest mover in the dataset.

A note on method: 2026 figures cover January to May only. When we project a full year, we annualize the five-month run rate and label the result 2026E, an estimate, not a confirmed figure.

Synthetic Identity: The Largest Type, Still Climbing

GAN-generated faces, fully synthetic people who never existed, are the biggest single AI fraud type and still growing. First tracked as a distinct category in 2025, they’re projected to rise about +73% in 2026. The synthetic-identity problem is scaling, not slowing.

Face Swap: A Newer Category Gaining Ground

Face-swap attacks map a victim’s face onto an attacker’s head in real time. Tracked as a distinct category from 2025, they’re projected to grow about +21% in 2026, a smaller but steady climb that widens the range of live-video threats teams have to block.

Deepfake Video: Climbing Every Year, Now an Established Threat

Deepfake video, manipulated live streams during verification, has the longest track record of the four types, and it has grown every year since 2023. By 2025 it had become the second-largest AI fraud type, at 28% of the mix. It remains a core, persistent threat that layered liveness is built to catch.

How the Attacks Actually Reach the Camera

Attackers reach the camera in three broad ways, and most real campaigns combine them. Understanding the overlap is the difference between blocking one technique and blocking the chain.

Deepfake Presentation attacks

Hold something up to a real camera, a silicone mask, a printed photo, or a live video deepfake playing on a screen.

Deepfake Injection attacks

Skip the camera entirely, piping an AI-generated feed straight into the verification app through virtual-camera or emulator software.

Deepfake-Enabled Synthetic Identity Creation

Stitch a generated face to fabricated documents to manufacture a brand-new person who has never existed.

Why Human Review Can’t Catch Up to High-Quality Deepfakes

Manual review is no longer a reliable backstop against high-quality deepfakes, because humans are less likely to spot a live video deepfake than a deepfake image. When the human eye is overconfident, and the fakes are this good, a reviewer won’t be enough.

How Modern Detection Works: Three Layers, Not One Selfie Check

Effective deepfake detection is layered, no single signal is enough, so defenses stack independent checks an attacker has to beat all at once. Shufti uses a three-layer approach.

Shufti’s models carry independent validation: iBeta Level 3 passive-liveness conformance with 0% APCER and 0% BPCER across iOS and Android, and a 98.49% true-accept rate with zero false template creation at the DHS Remote Identity Validation Rally.

Trust, Regulation, and the Financial Stakes

The regulatory and threat trajectories point the same way: detecting synthetic inputs is becoming a baseline expectation, not a differentiator. Three external markers stand out.

• Standalone selfie checks are losing trust. Gartner predicts that by 2026, 30% of enterprises will no longer consider identity verification reliable in isolation because of AI-generated deepfakes, and noted injection attacks rose 200% in 2023.
• Regulation is catching up. Under the EU AI Act, Article 50 transparency obligations for AI-generated and manipulated content begin applying in 2026, making detection of synthetic inputs a compliance concern, not just a security one.
• The financial stakes are rising. Deloitte's Center for Financial Services estimates generative AI could enable fraud losses of up to $40 billion in the US by 2027, up from $12.3 billion in 2023.

How Shufti Catches These Attacks

Shufti was built to stop exactly the four attack types in this report. Its deepfake and biometric stack is 100% proprietary, with no third-party models in the chain, and Shufti is a certified iBeta Level 3 liveness provider. Each attack type meets a control designed for it, so a synthetic input has to beat several independent checks at once.

360° Deepfake Detection: Shufti's Seven Gates of Defense

Shufti runs deepfake detection as a seven-part forensic model. Rather than trusting one cue, it puts every face and video through seven independent authenticity checks, each probing a different trace a fake leaves behind. Media is only cleared when all seven align, so no single trick can slip past, and the checks are built to hold up even after compression, screenshots, and re-uploads.