Fraud

APAC's Identity Fraud Surge

tldr

Identity fraud in Singapore, Thailand, and Indonesia jumped more than 200% year over year. Deepfakes, synthetic identities, and AI-generated phishing are driving the spike. Traditional KYC and one-time checks are failing because most fraud now happens after onboarding. Device-bound, phishing-resistant authentication with continuous verification offers a scalable defense. Ideem’s zero-trust approach helps financial services and digital platforms deploy these protections quickly and keep user experience seamless.

The data picture

Sumsub’s 2024 Identity Fraud Report shows APAC’s average identity fraud growth hit 121%, with the sharpest increases in Singapore (+207%), Thailand (+206%), and Indonesia (+201%). Indonesia also recorded one of the region’s highest fraud rates, underscoring a fast-evolving threat surface.

A separate 2025 Entrust study found a deepfake attempt every five minutes in 2024 and a 244% rise in digital document forgeries. These numbers highlight how quickly AI-powered fraud has scaled.

What is driving the surge

Deepfakes
Real-time video and audio impersonation has moved from rare to routine. Singapore police reported a case where scammers used deepfake video to impersonate a CEO and push a finance director to move nearly US$500,000.

Synthetic identities
Fraud rings assemble personas from real and fabricated data to bypass document checks and age accounts before monetizing them. Global studies highlight synthetic identities as a growing vector that legacy controls struggle to catch.

AI-generated phishing
Automated, localized phishing now exploits QR payments and customer support channels. Weak passwords and phishing together account for a large share of account compromise across APAC.

Country snapshots

Singapore

High digital wallet usage and cashless adoption create new entry points, while executive deepfake scams are entering mainstream corporate risk. MAS and IMDA have implemented a Shared Responsibility Framework for phishing scams and issued anti-scam measures for e-wallet providers, increasing institutional accountability.

Thailand‍

Authorities warn about AI voice impersonation targeting families and officials, with recent cases reaching the Prime Minister. Thailand has tightened rules on mule accounts and updated its Emergency Decree on technology crime to broaden operator obligations. New transfer caps are also slowing fund movement.

Indonesia

Identity fraud more than doubled and remains elevated across sectors. Regulators responded with OJK Regulation 12/2024, which consolidates anti-fraud standards across financial institutions. Authorities have also flagged abuse of e-KTP and Digital Population Identity in scam flows.

Why traditional KYC and one-time checks fail

Most attacks occur after onboarding. Sumsub’s data shows 76% of fraud attempts happen during ongoing account use, not during initial KYC. That makes document checks and selfie verification at sign-up necessary but insufficient. Once an account is open, AI-assisted phishing and synthetic personas slip past passive controls.

OTPs and legacy MFA are easily bypassed. SIM swap, social engineering, and real-time phishing kits defeat SMS and one-time codes. Standards bodies now recommend phishing-resistant authenticators instead of OTPs for higher assurance.

Device-bound authentication and continuous verification

Device-bound passkeys
Binding the credential to a user’s secure hardware enclave or TPM makes theft and reuse far harder and prevents uncontrolled syncing. FIDO guidance recognises device-bound models as the right fit for high-assurance use cases.

Continuous verification
Real-time checks for device integrity, geovelocity, behavioural anomalies, and liveness catch post-KYC fraud without friction when risk is low.

This is the space where Ideem operates. Ideem’s Zero-Trust Secure Module (ZSM) offers a ready-to-deploy way to implement device-bound passkeys inside mobile apps. Financial services can combine ZSM with risk-based continuous checks so sensitive actions like large transfers or device changes trigger extra assurance without burdening users. By embedding these controls in the app layer rather than relying on SMS or email, Ideem helps teams meet new anti-fraud expectations across APAC without sacrificing user experience.

Resilience roadmap

Understand your regulatory lane
1. Singapore. Align with MAS anti-scam expectations and the Shared Responsibility Framework on phishing scams. Build audit trails and real-time controls that demonstrate compliance.
2. Thailand. Map obligations under the amended Emergency Decree and new BOT measures on mule accounts and transfer limits.
3. Indonesia. Implement OJK 12/2024 anti-fraud strategy requirements across all financial services.
Raise your assurance bar
1. Move high-risk flows to phishing-resistant, device-bound passkeys for app logins, payment approvals, and recovery. Require fresh on-device biometrics and secure element attestation for money movement and device registration. Ideem’s ZSM provides these capabilities as an SDK, letting product and growth teams ship bank-grade passkeys without a heavy security engineering lift.
Make verification continuousMonitor for session-level risk and step up only when needed. Add deepfake and document-forgery detection at onboarding and during sensitive changes.
Harden against known fraud mechanics
Add SIM swap and call-forwarding checks before approving risky actions. Rate-limit device rebindings and require in-app confirmation instead of SMS.
Build user trust
1. Show visible anti-scam protections, explain how to verify company contacts, and give customers fast, empathetic recovery with money-lock and cooling-off options.

The regional path forward

Fraud is a cross-border, real-time problem. APAC already has building blocks for cooperation such as FRONTIER+, which links anti-scam centres across economies. The next step is a practical regional standard for phishing-resistant authentication and continuous verification in financial services. Countries seeing triple-digit fraud growth can lead that effort so platforms across the region can adopt the same playbook and close off attacker arbitrage.