Most CISOs spend their time thinking about account takeover and phishing, but identity document fraud is becoming a tougher challenge. A new systematic review shows how attackers are pushing past old defenses and how detection models are struggling to keep up. The study analyzes work published from 2020 to 2025, giving security leaders a view of where these systems stand and what is holding them back.
A detection problem shaped by data limits
The researchers note that remote onboarding has become a major target. Fraudsters exploit the first step of the process, which asks users to submit a photo of an ID document and a selfie for comparison. The review explains that most detection systems depend on training data that is smaller and less diverse than what is needed. Privacy rules prevent the release of large public datasets of real identity documents. As a result, many research teams build private collections that cannot be shared. More than sixty percent of studies in the review use private data. That makes it hard for the field to benchmark progress.
Synthetic data has become a common workaround. Some teams generate artificial documents or artificial attack samples to fill in the gaps. Others rely on mock-ups. Models trained on synthetic data may learn the quirks of the generator instead of the traits of an attack. The authors call this the synthetic utility gap. The field often assumes synthetic data is helpful, but there is little proof that it improves real deployment outcomes.
A second issue, which the authors describe as the reality gap, shows up when models perform well on private datasets but struggle on the small public ones. The weaker performance points to a lack of generalization. Many models learn patterns that do not carry over to new document types, new lighting conditions, or new capture devices.
Probable points of attack in a typical identity document verification workflow
How attackers are getting better at hiding traces
Researchers outline how fraud techniques have advanced. Some methods focus on blending edits into the document so that print patterns, lighting artifacts, and texture cues look genuine when captured by a smartphone. Other methods alter the document before recapture to remove features that might expose manipulation. One system studied by the authors showed that forged and recaptured documents could fool several commercial detectors.
On the defensive side, two broad approaches dominate. One relies on deep learning to classify images of documents as genuine or manipulated. The other uses forensic analysis of tiny visual artifacts, such as texture differences or grid patterns left by screens or printers. Some teams combine both methods in multi-stage models. For example, one stage may detect digital edits while another checks for signs of physical tampering.
The review notes that pixel-level supervision can help with subtle cues. Some studies train models to inspect each part of the image rather than classify the document as a whole. Others use comparison networks that evaluate small patches against known reference samples. These strategies aim to capture signals that might get lost in a global classifier.
Foundation models show early promise
A growing number of studies use foundation models trained on large image collections. These models already know many visual patterns, so they need less domain-specific data. The review highlights cases where a foundation model achieved equal error rates near four percent in zero-shot tests and lower rates with light fine-tuning. For some datasets, combining a foundation model score with a traditional model score reduced errors by a large margin.
The research community has also tested privacy-preserving methods. One group anonymized documents and then extracted small patches from areas without personal data. A foundation model trained on these patches reached zero percent equal error rate on the internal test set. When the team tested the model on a public dataset it kept its performance at the document level. This suggests that training on patches can protect privacy while still capturing useful forensic cues.
Competitions reveal generalization gaps
Two recent academic competitions show how much work remains. In 2024, the best equal error rate was above twenty percent. In 2025, the top team lowered it to about six percent in one track, but performance varied based on document type and attack style. The review states that screen based attacks were among the hardest to detect. Results also suggest that standardized documents help some models generalize better.
Where the research points next
The authors note that the field needs larger public datasets, better synthetic data validation, and methods that can handle new document types without heavy retraining. Foundation models offer a promising path because they carry broad visual knowledge that can bridge many gaps. The review also points to the need for standard evaluation protocols so that teams can compare results without guesswork.
Download: Strengthening Identity Security whitepaper