Synthetic Identity Fraud vs. Due Diligence: Why AI Can Fake the Paper Trail, But Can't Fake a Human Source
By Mike LaCorte
For twenty-five years, Corporate Due Diligence frameworks and Risk Management Services have rested on three distinct pillars: documents, references, and a digital footprint. Show me a clean set of all three and, historically, an international investigation firm could tell you with reasonable confidence that the counterparty was exactly who they claimed to be.
That assumption is now entirely broken.
Every one of those three pillars can be manufactured today; cheaply, convincingly, and at an industrial scale. AI-driven corporate fraud and synthetic identity theft have emerged as some of the fastest-growing threats in financial crime precisely because they no longer rely on a single, amateurish forged passport. Deep-cover threat actors can easily generate plausible identities, blend real and breached data, and fabricate the supporting documents and online history needed to pass standard compliance verification checks. The digital footprint that used to corroborate an individual can now be conjured to order.
The Sophistication Shift: How Deepfakes Counterfeit the Verification Layer
The empirical metrics tell a stark story. Identity verification analysts at Sumsub recorded a staggering 94% rise in deepfake fraud attempts in the UK over a single year. Identity fraud as a whole is undergoing what analysts politely term a "sophistication shift"—with advanced deception cases up by triple digits year on year.
Furthermore, Gartner research projects that by 2028, as many as one in four candidate profiles could be completely artificial. This is no longer the work of lone, rogue specialists. It runs on a highly structured production line, with fraud-as-a-service marketplaces renting out advanced deepfake and document-generation tools to anyone with an illicit motive.
Here is the uncomfortable implication for corporate attorneys, managing directors, and risk professionals who sign off on asset risk for a living:
A clean file is no longer evidence of legitimacy. It is only evidence that someone understood exactly what a clean compliance file is supposed to look like.
The employment reference that seamlessly checks out may be an AI-cloned voice. The glowing third-party professional profile may have been meticulously seeded six months ago. The video call that reassured your executive board may have been the most carefully constructed deepfake part of the deception. We have spent decades training corporate teams to "trust but verify," and the verification layer itself is exactly what is now being counterfeited.
The Human Intelligence Shield: Why Clean Documentation Is Not Enough
So where does genuine assurance come from when a digital paper trail can be printed on demand?
It comes from the one variable that cannot yet be synthesised: a human source who actually knows the subject, speaking candidly, completely off-script, with no digital screen to perform to.
This is the highly specialised part of the craft that does not appear in a public database or an automated registry check. It relies on human intelligence (HUMINT)—corroborating a transaction claim across several independent human sources who have absolutely no reason to align. It demands noticing the minor detail that does not sit right, the subtle gap in an executive chronology, the commercial relationship that is conspicuously absent, or the answer that is technically true yet deliberately incomplete.
Knowing exactly which questions to ask of whom, and reading what the silence means, requires human judgment built over years in the field. It is precisely the level of nuance that an attacker cannot generate from a prompt.
Hardening the Corporate Perimeter Against Synthetic Risks
For a legal advisor signing off on KYC (Know Your Customer) data before a high-value corporate deal completes, for an investment team running pre-transaction corporate intelligence, or for a wealth manager requiring advanced corporate asset protection, deploying comprehensive Pre-Employment Screening Services to vet a new fund manager or a new partner who has suddenly appeared in a principal's life is paramount.
The question has quietly changed. It is no longer "does the documentation check out?" Of course it does; that is now the easiest part to fake. The urgent question is: who genuinely knows this person, and what do they say when nobody is performing for an automated verification system?
None of this implies abandoning technical security measures. Specialised Cyber Security Services and the advanced digital tools engineered to detect synthetic media are improving rapidly, and they remain critical defence mechanisms. If an asset exploit does succeed, immediate, expert Asset Tracing and Recovery protocols must be positioned to deploy instantly.
However, these automated tools are continuously catching up to a threat that is also improving, and that technical contest will run for years. In the meantime, the answer is not more automation. It is a return to first principles: human intelligence, applied with discipline, as the ultimate corroborating layer that a synthetic version cannot replicate.
The firms and families who weather this climate well will be the ones who stop treating a spotless file as the end of the enquiry, and start treating it as the absolute beginning.
Adapting to a Counterfeit Environment
So, a closing question for the advisers, principals, and risk professionals in my network: when you last relied on a clean set of digital documents to sign off on a transaction, how confident are you, today, that a real person was actually behind them?
I would be interested to hear how you are currently adapting your own due diligence protocols to a corporate environment where the digital paper trail can lie.
Mike LaCorte is CEO of Conflict International, an international investigations and corporate intelligence firm with offices in London, New York, and Dubai.