AI Identity Theft: How Artificial Intelligence Is Being Used to Steal Identities

AI identity theft refers to the use of artificial intelligence tools — including deepfake technology, voice cloning software, generative AI, and machine learning — to steal, fabricate, or exploit someone’s identity for financial fraud, account takeover, or synthetic identity creation. Unlike traditional identity theft, AI-powered attacks can generate convincing fake identities from scratch, impersonate real people with near-perfect accuracy, and operate at a scale and speed that outpaces conventional fraud detection.

Why AI Has Changed Identity Theft

Identity theft has existed as long as personal records have. But artificial intelligence has fundamentally altered the threat landscape in three ways:

1. It has eliminated barriers to forgery
2. It has made impersonation real-time and interactive
3. It has enabled the mass production of fake identities that don’t correspond to real people at all

Traditional identity theft required stolen documents, hacked databases through data breaches, or social engineering. Those methods still exist, but AI supplements them. A fraudster today can use publicly available photos to generate a convincing deepfake video, clone a voice from a 30-second audio sample, or build an entirely fictional identity complete with a synthetic Social Security number pattern, fabricated credit history, and AI-generated supporting documents. The threat isn’t just that AI makes old scams faster — it enables entirely new categories of fraud that didn’t exist five years ago.

>> Learn More: What Is Synthetic Identity Theft?

5 Types of AI Identity Threats

AI identity threats are not a single attack type — they span a spectrum of techniques that can be deployed individually or in combination. Here are the five primary categories you need to understand.

Deepfake Fraud

Deepfake technology uses AI to superimpose a person’s likeness onto video or images, producing synthetic media that appears to show them saying or doing things they never did.

Fraudsters generate deepfake videos of recognizable executives, celebrities, and public figures to manipulate employees and ordinary people into taking actions they otherwise wouldn’t — wiring money, surrendering login credentials, or authorizing transactions. Because the face and voice on screen belong to someone the target recognizes and trusts, the psychological barrier to compliance drops significantly.

Real-world Example: In 2024, a finance employee at a multinational firm was deceived by a deepfake video call that impersonated the company’s CFO and several colleagues, leading to a $25 million fraudulent transfer.1

Deepfakes can also bypass video-based identity verification — the kind used by fintech apps, banks, and government services — with alarming reliability. Fraudsters can generate a deepfake of their target performing a liveness check to access bank accounts, online wallets, and online records by feeding AI-rendered footage into a video stream.

Because of how it works, executives and public figures whose video and audio are widely available online and employees at organizations with video-based authorization workflows are the most vulnerable to deepfake fraud.

>> Related Reading: What Are Scams?

Voice Cloning Scam

Simpler but just as effective as deepfakes, AI voice synthesis tools can replicate a specific person’s voice from as little as a few seconds of audio. The resulting clone can be used in real-time phone calls or pre-recorded messages.

Voice clones can be used in a number of different ways to defraud vulnerable targets. For example, scammers can impersonate family members in crisis to ask for money or personal information. In business settings, AI voice cloning can also be used to social-engineer company employees into transferring funds or resetting passwords.

Because voice cloning scams still need a traditional communication medium to target individuals — voice messages and phone calls — they can be more easily detected. Look out for unexpected urgent calls from a “family member” requesting money or gift cards, calls from someone claiming to be your bank asking to verify your identity, or audio that sounds slightly flat, robotic at pauses, or lacks natural filler words.



View Plans

Links to LifeLock



LifeLock with Norton 360 includes a Safe Call feature, which can detect and warn you about incoming calls from suspected spam and scam callers. Try it free for 30 days.

AI-Generated Phishing

Large language models (LLMs) can generate highly personalized phishing emails and phishing SMS at scale, using scraped personal data to create messages that reference real relationships, recent events, and specific details about the target.

From what we’ve seen in the AI threat landscape, AI phishing campaigns are significantly harder to detect than traditional phishing because they eliminate the grammatical errors and generic templates that spam filters are trained to catch.

What makes AI-generated phishing harder to catch is that, with traditional phishing campaigns, scammers send one template to millions of recipients. With the help of AI, they can now generate a unique, tailored message for each target. They can even add in information scraped from data brokers to make phishing messages even more convincing — they could reference the victim’s employer, a recent LinkedIn post, or a mutual contact.

Synthetic Identity Fraud

Synthetic identity fraud involves creating a fictitious person by combining real data (such as a legitimate Social Security number, often belonging to a child or deceased person) with fictitious data. This kind of fraud has existed long before AI, but synthetic identities have become more convincing through AI-generated supporting information — names, addresses, employment history, and even AI-generated facial images.

Synthetic identity fraud doesn’t victimize specific individuals. Instead, it creates a “Frankenstein identity” — a person who doesn’t exist but has a convincing enough paper trail to open credit accounts, secure loans, or pass Know Your Customer (KYC) checks at financial institutions.

The Bigger Picture: Synthetic identity fraud is believed to be the fastest-growing financial crime in the U.S.2 Even before AI, the Federal Reserve estimated that it cost lenders $6 billion in a single year.

That said, owners of real data used in creating synthetic identities can still suffer the consequences. Children (whose SSNs are rarely monitored), deceased individuals, and people who don’t regularly check their credit reports are the most likely to have their SSNs used in synthetic identities.

Fortunately, there are services that can detect if a personally identifiable information of yours is being used in synthetic identities. We recently tested LifeLock, which has a dedicated synthetic identity theft detection system. It works by scanning for names and addresses tied to your Social Security number.

AI-Powered Account Takeover

Account takeover (ATO) is another type of fraud that has existed for decades. This kind of attack attempts to steal credentials to gain access to important accounts. Once inside a financial account, email inbox, or cloud storage, attackers can harvest personal information, initiate fraudulent transactions, change account details to lock out the real owner, or use the compromised account to pivot into additional accounts via password reset flows.

AI has simply turbocharged ATO. Scammers can now enable credential stuffing at massive scales to more easily target multiple victims at once. Machine learning models trained on leaked credential databases can also be used to predict likely password variations based on a target’s known information (pet names, birthdays, sports teams). The same goes for answering security questions. Even more worryingly, AI can now also power CAPTCHA-solving tools and browser automation that makes high-volume credential testing difficult to distinguish from legitimate login traffic.

“Account takeover is table stakes for serious identity fraud. The identity information harvested from a compromised email account alone — tax documents, bank statements, insurance records — can fuel months of downstream fraud. – Brett Cruz, cybersecurity expert“

How AI Identity Theft Actually Works: A Typical Attack Chain

Most AI-assisted identity theft doesn’t rely on a single technique. Attackers typically chain multiple methods together. Here’s an example of how a composite attack might unfold:

Warning Signs You May Be Targeted by AI Identity Fraud

AI-powered attacks are designed to be better at evading detection than traditional fraud, but they still leave traces. Watch for these indicators:

• Unexpected credit inquiries or new accounts you didn’t open. Check your credit reports. Synthetic identity fraud often surfaces first as unfamiliar credit activity tied to your Social Security number.
• Calls from “family members” in distress asking for money via wire transfer, gift cards, or cryptocurrency. If something feels off about the voice — even slightly — hang up and call that person directly on a number you know.
• Password reset emails you didn’t request. This is a common early indicator of an account takeover attempt, usually an attacker testing whether they can gain access to your accounts.
• Personalized phishing emails that reference specific details about your life, job, or relationships. If an unsolicited email or text seems to know too much about you, treat it as a red flag.
• IRS notices about duplicate tax filings or income you don’t recognize. Tax identity theft using AI-generated W-2s and employment records is a growing vector.
• Bank or insurance notices about accounts or policies you didn’t open. Your SSN may have been used in a synthetic identity that is beginning to show up in financial systems.

These are just some of the warning signs that you’re being targeted by AI identity fraud, but the reality is that there’s no way to reliably detect it. You’ll need all the help you can get, so we recommend getting identity theft protection. Check out our list of the best identity theft protection services. While they also can’t promise 100% detection, they include identity theft insurance and restoration services that can help you if your identity does end up in the hands of fraudsters.

How to Protect Yourself Against AI Identity Threats

Similarly, no single measure can completely eliminate the risk of AI-powered identity fraud, but a layered approach narrows your attack surface. Here are some of the high-priority measures you should consider doing.

Freeze Your Credit

A credit freeze is the single most effective defense against new account fraud — including the synthetic identity schemes that use your SSN. Freeze your credit with all three major bureaus (Equifax, Experian, TransUnion). It’s free, reversible, and only takes minutes.

Enable Multi-Factor Authentication (MFA)

There are several types of MFA, and while having any MFA in place is better than nothing, we recommend choosing your authentication method wisely. SMS-based MFA is vulnerable to SIM-swapping, so use a reliable and trustworthy authenticator app (e.g. Google Authenticator, Authy) for accounts that hold sensitive information. Some password managers also include authentication features, and they can help in creating random passwords to better protect yourself against account takeovers.

>> Try It Now: FREE Random Password Generator

Establish a Family Safe Word

Voice cloning scams that impersonate family members in crisis are getting increasingly common. While there are warning signs you can watch out for, we also recommend establishing a secret code word with close family members. You can use this to verify identity during an unexpected emergency call.

Monitor Your Digital Footprint

AI-powered attacks are fueled by publicly available data. Audit and restrict your social media privacy settings, opt out of data broker listings (or use a data removal service), and be selective about which platforms you allow to host your voice or video.

Use an Identity Theft Protection Service

Identity monitoring services scan dark web databases, credit file changes, and public records for your personal information. The best services offer real-time alerts when your SSN, email, or financial data appears in a new context, giving you a window to respond before fraud is completed.

Verify Video and Voice Out-of-Band

If you receive a video call or phone call requesting urgent action — transferring money, resetting credentials, authorizing a transaction — verify the request through a separate communication channel before acting. Call back on a number you already have on file, not one provided in the message.

Conclusion

AI has raised the stakes on identity theft in ways that were theoretical just a few years ago. Deepfakes defeat verification systems, voice clones bypass authentication, and synthetic identities are built from scratch — faster and cheaper than any fraud operation in history.

The good news is that awareness is still your sharpest defense. Knowing how these attacks work puts you ahead of most targets. Layer that with a credit freeze, strong multi-factor authentication, and active identity monitoring, and you give fraudsters significantly fewer angles to work with.