
Synthetic identities now cost nothing to make, and ASEAN’s banks have not caught up

Three months ago, I reviewed a case that looked like routine onboarding fraud — until none of the patterns I expected to find were there.

The application was for a mid-sized supplier with a decent credit profile, clean documents, and a sensible business model. The verification photos checked out. The voice call with the principal sounded normal. The contract was signed. Two weeks later, the bank account had gone dark, and the customer who had introduced them no longer recognised the name.

The application was synthetic. The photos were generated. The voice on the call was cloned. The business model existed only in the pitch deck.

I have spent fifteen years inside Indonesian risk functions — banking, insurance, sharia microfinance — and I have lectured on fraud detection in two of those years. The patterns I learned to look for, the patterns I taught others to look for, are not the patterns showing up in the casework now. The playbook I trusted for a decade has stopped working — faster than most risk teams in ASEAN are willing to admit.

What changed

Three patterns are new enough that they deserve to be named in the open.

Synthetic identity at scale. Until about eighteen months ago, identity fraud was bottlenecked by the cost of fabrication. A reasonable fake ID, a plausible address, a working phone, a consistent social presence — each piece required real effort. Generative AI has collapsed that cost curve. A single attacker can now generate hundreds of internally consistent identities in an afternoon, each passing every check designed before 2024.

Voice and video impersonation. The “CEO email scam” of 2018 has evolved. The 2026 version is a thirty-second voice call from a number resembling your CEO’s, with the CEO’s actual voice asking for an urgent wire transfer. The voice is generated from three minutes of public conference recordings. The verification protocols banks trained employees on five years ago do not catch this attack.

Slow-burn synthetic onboarding. The most expensive new pattern is the patient one. An attacker creates a synthetic business identity, lets it operate for six to twelve months building a transaction history, applies for credit on the back of that history, draws down the credit, and disappears. The fraud is only visible in aggregate — after the loss is locked in.


Why the old playbook fails

Most fraud playbooks across the region were built on three assumptions that no longer hold.

Fabrication is expensive. Identity verification, document checks, and onboarding interviews all assumed the cost of producing convincing fake material was high enough to deter scale. That assumption is gone. The marginal cost of one more fake identity is indistinguishable from zero.

Human verification is the gold standard. The voice call, the video interview, the in-person meeting — these were the fallbacks when automated checks were ambiguous. Each is now itself vulnerable to generated content.

Fraud is an event. The traditional playbook treats fraud as a moment — a fake invoice, a suspicious transaction, a flagged login. The 2026 pattern is increasingly a campaign — a multi-month sequence of legitimate-looking actions designed to build trust before the loss. By the time the loss arrives, the institution has already paid its onboarding cost on the relationship.

What is starting to work

Three responses are emerging.

Cross-channel correlation. Risk teams that connect onboarding, transaction monitoring, and customer service data into a single view are catching slow-burn fraud earlier. The signal is rarely visible inside one channel. It is almost always visible across three.
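A sketch of what such a single view can look like, added here as an illustration and not taken from any institution's system: three weak per-channel checks are evaluated for each customer, and a case is escalated only when all three fire. The record layouts, signal definitions, thresholds and the all-three escalation policy are assumptions, and the sample data is constructed.

```python
from collections import Counter
from datetime import date

# Constructed sample records; every field, signal and threshold here is an assumption.
ONBOARDING = {  # customer -> (account opened, device fingerprint seen at application)
    "C-1001": (date(2025, 1, 10), "fp-a1"),
    "C-1002": (date(2025, 1, 12), "fp-a1"),
    "C-2001": (date(2023, 3, 1), "fp-z9"),
}
TRANSACTIONS = [  # (customer, month, inflow, outflow)
    ("C-1001", "2025-02", 50_000, 49_500), ("C-1001", "2025-03", 52_000, 51_800),
    ("C-1001", "2025-04", 51_000, 50_900),
    ("C-2001", "2025-02", 80_000, 31_000), ("C-2001", "2025-03", 20_000, 64_000),
    ("C-2001", "2025-04", 95_000, 40_000),
]
SERVICE = [  # (customer, date, customer-service event)
    ("C-1001", date(2025, 7, 1), "contact_details_changed"),
    ("C-2001", date(2025, 3, 9), "dispute_opened"),
    ("C-2001", date(2025, 5, 2), "statement_query"),
]
CREDIT_APPLICATIONS = {"C-1001": date(2025, 7, 20), "C-2001": date(2025, 6, 1)}

def onboarding_signal(cust):
    """Device fingerprint at application is shared with another applicant."""
    shared = Counter(fp for _, fp in ONBOARDING.values())
    return shared[ONBOARDING[cust][1]] > 1

def transaction_signal(cust, min_months=3, band=0.05):
    """Every month passes funds straight through: outflow within 5% of inflow."""
    rows = [(i, o) for c, _, i, o in TRANSACTIONS if c == cust]
    return len(rows) >= min_months and all(abs(i - o) <= band * i for i, o in rows)

def service_signal(cust, window_days=30):
    """Contact details were changed shortly before a credit application."""
    applied = CREDIT_APPLICATIONS.get(cust)
    return applied is not None and any(
        c == cust and e == "contact_details_changed" and 0 <= (applied - d).days <= window_days
        for c, d, e in SERVICE)

def correlate(cust):
    """List the channels that fired; escalate only when all three agree (assumed policy)."""
    checks = {"onboarding": onboarding_signal, "transactions": transaction_signal,
              "service": service_signal}
    fired = [name for name, check in checks.items() if check(cust)]
    return {"customer": cust, "channels": fired, "escalate": len(fired) == 3}
```

In the sample, C-1002 trips the onboarding check alone and is not escalated, which is the single-channel view the paragraph describes as insufficient.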

Liveness and behavioural verification. Identity checks that include real-time, randomised prompts — actions an attacker cannot pre-render — are catching synthetic identities at the door. Deployment across the region is uneven, but the institutions doing it well are seeing the difference in their loss numbers.
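The server-side half of such a check, as an added example that is not from the article or any vendor: the prompt sequence is drawn from a cryptographic random source at request time, bound to one session, valid for a short window, and consumed on first use so a recorded response cannot be replayed. The prompt set, the 20-second window and the `observed` labels (assumed to come from a separate video/audio analysis step) are assumptions.

```python
import secrets
import time

ACTIONS = ("turn_left", "turn_right", "blink_twice", "nod", "raise_hand")  # assumed prompt set
TTL_SECONDS = 20   # assumed response window
_pending = {}      # challenge_id -> (session_id, prompts, expires_at); in-memory for the example


def issue_challenge(session_id, now=None):
    """Pick an unpredictable prompt sequence at request time and bind it to the session."""
    now = time.time() if now is None else now
    rng = secrets.SystemRandom()
    spoken = "say:" + "".join(rng.choice("0123456789") for _ in range(4))
    prompts = rng.sample(ACTIONS, 3) + [spoken]
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = (session_id, prompts, now + TTL_SECONDS)
    return challenge_id, prompts


def verify_response(challenge_id, session_id, observed, now=None):
    """observed: ordered labels reported by the (hypothetical) video/audio analysis."""
    now = time.time() if now is None else now
    entry = _pending.pop(challenge_id, None)  # single use: consumed on the first attempt
    if entry is None:
        return "unknown_or_replayed"
    bound_session, prompts, expires_at = entry
    if session_id != bound_session:
        return "wrong_session"
    if now > expires_at:
        return "expired"
    if list(observed) != prompts:
        return "mismatch"
    return "ok"
```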

Internal red-teaming. The teams catching the most generated content are the ones running their own attacks against their own defences. That detection muscle is the closest thing to a real defence we have.


What needs to happen

The next eighteen months will be the most expensive in ASEAN fraud history for the institutions that have not retired the old playbook. Three moves would meaningfully shorten the gap.

Retire the verification protocols built for pre-2024 fabrication costs. They were designed for a world that no longer exists.

Invest in cross-domain risk talent before the loss events force it. The people who can sit between fraud, identity, and data engineering are not being trained anywhere at scale.

Treat fraud as a campaign, not an event. Build the systems and the reviews to detect patterns across months, not transactions across minutes.

The macro stakes

ASEAN’s financial system has digitised rapidly over the last five years. The fraud surface has digitised faster. The institutions that will absorb the next wave of losses are not the ones with the smallest fraud teams — they are the ones whose fraud teams are still working from the playbook that taught them to expect events instead of campaigns, individuals instead of synthetics, and effort-bottlenecked attacks instead of zero-marginal-cost ones.

The new playbook exists. The question is how quickly the institutions reading the old one will admit they are.


The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of e27.


The post Synthetic identities now cost nothing to make, and ASEAN’s banks have not caught up appeared first on e27.
