According to Signicat’s Battle in the Dark report, 74% of businesses believe they are “winning” the fight against identity fraud. Yet, 59% of those same organisations acknowledge an increase in successful fraud attempts over the past year. I discussed the report at Money 20/20 with Pinar Alpay, Chief Product and Marketing Officer at Signicat.

She shared: “One in five of the transactions they do, one in five of the customers they onboard, is fraudulent.” If 20% of your customer base is fraudulent, the battle is not being won. It’s simply being misdiagnosed.

Deepfakes Are No Longer a Marginal Threat

Fraud tactics evolve, but what’s changed significantly in recent years is the scale and precision of identity deception. In 2022, deepfakes accounted for just 0.1% of fraud attempts. Two years later, that figure rose to 4.7%—and climbing.

Pinar Alpay: “Deepfake presentation attacks have levelled off, but injection attacks—where video or images are embedded directly into live verification streams—are increasing substantially.” This kind of fraud is already undermining onboarding processes and remote verification systems in high-value sectors like banking and gaming.

Overconfidence Is the Real Vulnerability

What stood out most in the report wasn’t the technical detail, but the psychological one: a striking overconfidence among respondents.

“Only 45% are tracking or measuring fraud, but 73–74% say they’re winning the battle,” Pinar explained. “They actually don’t have the data.” These organisations operate under the assumption of control without evidence.

Many institutions claim to have strong fraud controls, but the majority don’t even measure the impact of their defences. Without metrics, progress becomes a matter of belief rather than fact.

Identity Fraud Is Fragmented, and So Are the Solutions

The study examined five sectors: banking, fintech, insurance, gaming, and mobility. Each faces different threats, but one tactic remains constant across them all: document forgery.

“It’s a legacy fraud technique,” Pinar noted, “but it’s now turbocharged with new capabilities.”

Synthetic ID Fraud is the most prevalent in Belgium and The Netherlands.

Account takeover is now the costliest form of fraud in most sectors, particularly in banking and insurance. Meanwhile, gaming is being targeted through digital wallet fraud, and the mobility sector is seeing a rise in fake driver profiles.

“We asked: where in the customer journey does fraud hit hardest? The answer: 40% of all identity fraud happens at the transaction stage.”

If you only defend your digital front door and ignore what happens after access is granted, you're only half protected.

Regulation: Necessary but Not Sufficient

From PSD2 to the upcoming AI Act, regulation aims to make digital commerce safer, as you could read in previous posts of The Banking Scene. Yet, Signicat’s study reveals that 73% of businesses surveyed believe regulation is hampering more than helping their fraud prevention efforts.

“We have to comply with all these regulations, which is necessary, but fraudsters have a free rein. We need smarter, more commercial regulation that helps us defend, not just comply.”

There is a growing perception that regulations such as GDPR, PSD2, PSD3, and now the upcoming AI Act, lag behind the innovation curve. By the time legislation is enforced, fraud tactics have already adapted.

This delay creates compliance burdens without necessarily delivering better security outcomes. The result? Financial institutions often invest in ticking regulatory boxes rather than proactively improving fraud detection.

This is a call for recalibration. The goal shouldn't be to slow innovation in the name of caution, but to encourage responsible adoption that balances user protection with operational flexibility.

Identity as a Strategic Function, Not a Compliance Task

The real opportunity for financial institutions lies in rethinking identity as a core business capability, not a back-office obligation. Fraud prevention isn’t a matter of one tool or silver-bullet solution. It requires a coherent, layered strategy.

As Pinar explained: “We tell our customers to do four things: build a multi-layered strategy, know where they’re vulnerable, use the right tools—including risk analysis such as behavioural biometrics and device intelligence as well as ML enhanced, robust tools for identification —and educate both staff and customers.”

It’s not about overwhelming the user with friction, but calibrating defences based on risk. It’s also about ensuring identity remains accurate and verified over time, not just at the first interaction.

What’s needed is a shift in mindset:

• From “meeting requirements” to “managing risk”
• From “single-point controls” to “lifecycle orchestration”
• From “reporting to regulators” to “learning from attacks”

Until then, compliance may keep you out of trouble—but only strategy will keep you truly safe.

The Way Forward: From Guesswork to Governance

“To measure is to know,” I remarked during our talk. It’s an old saying, but it rings more true than ever in this context.

If financial institutions are serious about tackling identity fraud, they must move beyond surface-level awareness and start tracking the right signals consistently and honestly. Otherwise, we risk navigating in the dark, convinced we’re heading in the right direction, while quietly drifting off course.