May 26, 2026

Protect Your Mobile App From “Frankenstein Fraud”

A new monstrous creation is wreaking havoc on the mobile financial landscape. Mobile synthetic identity fraud, otherwise known as “Frankenstein fraud”, has rapidly gained traction over the past five years, in tandem with the growth of digital banking in a post-Covid environment. It’s caught the attention of not only major financial institutions but also governing bodies like the Federal Reserve. But what is this growing threat, and why should mobile finance apps take heed of its sprawling impact?

Mobile synthetic identity fraud is an offshoot of the larger synthetic identity fraud threat that has been taking place over the past fifteen years. However, the growth of synthetic identity fraud schemes has exploded since the pandemic began in 2020. The trend has grabbed the attention of regulatory officials like Mike Timoney, Vice President of Secure Payments at the Federal Reserve Bank of Boston: “in the last five to six years we went from eight billion to 30, 30-plus billion [dollars in fraud]. So, it's a big problem. It's growing fast, and it's costing us a lot of money.”

The laboratory origins of mobile synthetic identity fraud

A bad actor commits synthetic identity fraud by doing their best impersonation of Dr. Frankenstein: assembling a digital persona from the pieces of digital footprints left behind by real-world people. Social security numbers, bank account information, real credit score profiles, and more are all pieces to the puzzle. Each alone serves as verification that the person attempting to gain access or execute a financial transaction is authentic and genuine. However, the reality is this verifiable information is exploited to form a synthetic identity. The result of this experiment is an amalgamation of a digital person, with its purpose being to do its creator’s bidding as a means to an end.

The following is an example of the process an attacker will follow to execute this growing fraud method. A data breach occurs, leaking personally identifiable information (PII) that becomes accessible on the dark web. With that information, the attacker begins to build a profile with real data: names, addresses, tax identity numbers like social security numbers. The targets that are often the most vulnerable either do not access their information frequently or have no reason to access it at all. Think children’s social security numbers or credit profiles of the elderly. In fact, over 1 million children had their PII used in fraud in 2017.

How synthetic mobile identity fraud is executed

Once the information is obtained, the attacker has all the ingredients needed to begin compiling an online “Frankenstein” identity. Attackers will begin building credit history with small transactions that establish credibility. Afterwards, the activity will escalate and accounts will begin to be created at scale to execute wide-ranging fraud. As stated by Tejal Kaur, an identity fraud investigator for Feedzai: "fraudsters have long used bots for credential stuffing and brute-force attacks, but AI now enables them to industrialize onboarding by creating synthetic identities at scale and mapping the onboarding flows [procedures] of different banks" (initially reported by ACAMS).

To assist with attack execution, AI deepfake technology has become the Igor to fraudsters’ Dr. Frankenstein persona. Attackers have begun to pair mobile synthetic identity fraud with deepfake forgery of ID documents and photographs to bypass know-your-customer (KYC) verification measures. Italian officials in 2025 noticed the rapid ascent of this fraud mechanism for money laundering schemes targeting Italian banks.

The trend has gone mobile as mobile applications increasingly replace traditional and online finance functions. Bad actors are now creating synthetic identities off the backs of real people to establish accounts for digital wallets and crypto conversions, and to commit fraudulent activities.

Mobile synthetic identity fraud scenarios and mitigation strategies

As mentioned above, fraud actors are becoming creative in how they are executing their attacks. The onus is on financial institutions and their apps to be able to discern genuine users from fraudulent ones using verifiable account details. It’s a tough balancing act.

On the one hand, users must be protected. On the other hand, a degraded user experience that prohibits any user that even hints at being non-genuine risks locking out legitimate customers. Results from a recent broad survey of enterprise mobile app developers revealed that 38% of organizations explicitly state that their security configurations caused a negative user experience. The same survey reported that 65% of direct customer churn was due to friction and poor mobile app security issues.

Luckily, there are mitigating measures that can be taken to prevent mobile synthetic identity fraud without impacting legitimate users’ financial experiences. The key is being able to establish that the app is not only genuine and untampered with, but is also operating in a trusted environment.

Deepfake camera KYC bypass

As mentioned earlier, fraudsters are using deepfake technology to circumvent KYC protection measures. This mostly occurs at the account opening stage. Bad actors will use the information they have compiled to create a synthetic identity, then input the details to create a fraudulent bank account.

At the verification stage, they will inject forged documentation or spoofed video to bypass the KYC protections that leverage their device’s built-in camera. To accomplish this, they will use tools like emulators or virtual environments, rooted or jailbroken devices, and hooking frameworks like Frida to inject pre-recorded videos.

Embedding RASP (runtime application self-protection) in your mobile banking app lets it analyze the environment it is running in and detect the presence of code-injection tools. RASP ensures your application cannot be modified or tampered with while it is running.

RASP solutions like DexGuard and iXGuard embed code-level protections that identify any code-injection tools attempting to interact with your app. These protections include automatic predetermined actions to stop the illicit activity as soon as it’s detected. In the case of KYC camera spoofing, once the framework attempts to hook the device camera’s API, the threat is identified and the app can be programmed to crash.

Emulator farm campaigns

After a data breach, potentially millions of people’s PII is available online. Given the number of breaches that have occurred in recent years, this gives fraudulent actors plenty of datasets to work with when creating their synthetic identities. Fraudsters will run bots to create many combinations of identities forged from real information, often numbering in the hundreds or thousands.

Once the identities are created, the bad actor will use them to begin opening accounts at financial institutions. Bad actors will use emulators or virtual environments to open these accounts so they can conceal their physical location. “Emulator spoofing” or “geo-spoofing” is a common tactic to hide their usage.

Protection measures like environmental checks for emulators or rooted devices thwart these actions. Financial apps can implement these checks through RASP checks within their application that detect insecure environments. Real-time threat monitoring with tools like ThreatCast detects instances of threats with contextual metadata. Security and development teams can leverage threat data to determine if there’s a cluster of emulator detections in a specific geolocation. If detected, they can block these threats at the API level by updating app attestation security policies instantly, before the account is created or fraud is committed.
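The cluster check described above can be sketched as a sliding-window count of distinct app installs reporting an emulator per region. This is an added example, not Guardsquare or ThreatCast code; the event tuple layout, the window, the threshold and the rule shape are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 600   # assumption: 10-minute sliding window
THRESHOLD = 3    # assumption: distinct installs needed to flag a region

def emulator_clusters(events, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return {region: timestamp_first_flagged} for regions where at least
    `threshold` distinct installs reported an emulator within `window_s`."""
    recent = defaultdict(deque)  # region -> deque of (ts, install_id)
    flagged = {}
    for ts, region, install_id, detection in sorted(events):
        if detection != "emulator":
            continue
        q = recent[region]
        q.append((ts, install_id))
        # Drop detections that have aged out of the window.
        while q and ts - q[0][0] > window_s:
            q.popleft()
        # Count installs, not events: one noisy device is not a farm.
        if region not in flagged and len({i for _, i in q}) >= threshold:
            flagged[region] = ts
    return flagged

def deny_rules(flagged):
    """Turn flagged regions into server-side policy entries (hypothetical shape)."""
    return [{"deny": {"region": r, "environment": "emulator"}} for r in sorted(flagged)]

# Constructed telemetry: (unix_ts, region, install_id, detection)
EVENTS = [
    (1000, "region-A", "inst-01", "emulator"),
    (1100, "region-B", "inst-20", "root"),
    (1150, "region-A", "inst-01", "emulator"),  # repeat from the same install
    (1200, "region-A", "inst-02", "emulator"),
    (1300, "region-C", "inst-30", "emulator"),
    (1450, "region-A", "inst-03", "emulator"),  # third distinct install in window
    (5000, "region-C", "inst-31", "emulator"),  # region-C's earlier hit has aged out
    (5100, "region-C", "inst-32", "emulator"),
]

if __name__ == "__main__":
    print(deny_rules(emulator_clusters(EVENTS)))
```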

Fraudulent account scalability and bot mitigation

Creating hundreds or thousands of accounts from a similar number of synthetic identities is not feasible as a manual task. Hence, fraudsters will use bots to scale their attacks and create thousands of fake identities. Each application version is potentially facing an army of bots, waiting to batter down defenses and begin committing large-scale fraud.

This is where mobile API security strategies, like app attestation, come into play. App attestation is built off a set of server-side security policies defined by the app developer. These policies are designed to detect bots, insecure environments, and other runtime threats that map to RASP checks. When new threats are detected, the policies are updated instantly because they are located on the server side and do not require a new build of the application.

The fraudulent, bot-driven account will reach out to the application’s API to create the account. A cryptographic token will be sent with the (illegitimate) user’s information: app version, environment, location, etc. In order for the application’s server to grant access, the token must meet certain criteria defined by the security policies mentioned earlier. In this instance, the token will demonstrate the user is an illegitimate bot and the server will deny access. Thus, bot attacks to create fake accounts are rejected before being given the chance to commit fraud.
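The server-side decision described above, sketched as an added example that is not Guardsquare's implementation. The token format, claim names and policy fields are hypothetical, and an HMAC with a demo key stands in for the asymmetric, hardware-backed signatures a production attestation service would use.

```python
import base64, hashlib, hmac, json

# Assumption: demo shared key, used only to keep the example self-contained.
SERVER_KEY = b"demo-key-not-for-production"

# Server-side policy: can be changed without shipping a new app build.
POLICY = {
    "min_app_version": (4, 2, 0),
    "max_token_age_s": 120,
    "deny_if": {"emulator", "rooted", "hooking_framework"},
}

def sign_token(claims):
    """Stand-in for the attestation service that issues tokens (hypothetical format)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + mac

def evaluate(token, now, policy=POLICY):
    """Return (allowed, reason) for an account-creation request."""
    try:
        body, mac = token.rsplit(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Verify the signature before parsing or trusting any claim.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad_signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now - claims["issued_at"] > policy["max_token_age_s"]:
        return False, "stale_token"
    if tuple(claims["app_version"]) < policy["min_app_version"]:
        return False, "app_version_too_old"
    hits = policy["deny_if"] & set(claims["environment"])
    if hits:
        return False, "environment:" + ",".join(sorted(hits))
    return True, "ok"

# Constructed sample tokens
NOW = 1_700_000_000
GENUINE = sign_token({"app_version": [4, 3, 1], "environment": [], "issued_at": NOW - 5})
BOT = sign_token({"app_version": [4, 3, 1], "environment": ["emulator"], "issued_at": NOW - 5})

if __name__ == "__main__":
    print(evaluate(GENUINE, NOW), evaluate(BOT, NOW))
```

The freshness check only bounds a token's age; binding each token to a server-issued nonce is what prevents replay within that window.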

Conclusion: Burying the Frankenstein monster

Mobile synthetic identity fraud is a modern-day monster, stitched together from fragments of real data and animated by sophisticated technology like deepfakes and emulators. As we’ve seen, "Frankenstein Fraud" doesn't just knock on your app's door—it uses bot-driven scalability to batter it down.

However, by implementing robust app attestation, real-time threat monitoring, and runtime checks, you can ensure that these synthetic identities never take their first breath within your ecosystem. Protecting your application requires more than just reactive fixes; it demands a proactive, server-side defense paired with runtime protections that identify the "stitched-together" nature of these accounts before they can cause harm.

Don't let your app become a laboratory for fraudsters. Secure your API, validate your users’ environments, and put the Frankenstein monster to rest for good. To learn more about how to combat rising mobile synthetic identity fraud, reach out to Guardsquare today.
