The new identity theft threat in India
Imagine trying to open a bank account online, only to find someone else has already done it using your name, your Aadhaar card, your photo, and a digital mask of your face. This isn't science fiction anymore. The Ministry of Home Affairs' Indian Cybercrime Coordination Centre (I4C) recently issued a major warning about the deepfake video KYC bypass method, which has become a preferred tool for cybercriminals to create mule accounts in India. It is a critical threat to our financial security.
Thing is, online banking has made our lives incredibly simple. You can open a bank account from your living room in ten minutes. No queues. Absolutely no paperwork. Just a selfie and your Aadhaar number. But this convenience is a double-edged sword. Scammers are now using artificial intelligence to build realistic, animated models of real people. And they use these models to trick the facial recognition software that major banks and fintech companies use. In my experience, these systems aren't as smart as they claim to be.
Look, this is way worse than someone stealing your password. If a crook bypasses video KYC, they can open bank accounts under your name. These are called mule accounts. Scammers use them to park money stolen from other victims through UPI frauds, task scams, fake job offers, and fake investment schemes. When the police investigate the money trail, the accounts lead straight to you. You become the prime suspect. And then the legal notices start arriving. Before you know it, your bank accounts get frozen. It's a mess (which is an understatement, honestly) that takes months of running around police stations and courts to clear.
Understanding this fraud is the first step. Honestly, I think the government recently warned banks to upgrade security. But as users, we've got to understand how this works to protect ourselves.
How the deepfake bypass scam works
The entire operation is structured, quiet, fast, and highly automated. Fraudsters don't target you randomly. They follow a specific process to build a digital version of you. Then they bypass security checkpoints. I'm not sure exactly why it's so easy for them, but they manage it pretty well.
Phase 1: Information gathering
First, they need your basic details. This includes your Aadhaar card, PAN card, phone number, and high-quality photos. You might think your documents are secure, but leaks from private databases, fake job portals, sketchy loan apps, and web forums happen constantly. Once scammers get their hands on a scan of your Aadhaar card, they already have your full name, date of birth, address, and your photo. I think it's terrifying how fast they can compile this.
But a flat photo isn't enough for a video KYC. Bank systems require the user to move, blink, nod, or speak. Scammers need more. So, they search your public social media profiles on Instagram, Facebook, YouTube, or LinkedIn. They collect short videos you posted or high-resolution photos taken from different angles (which are pretty easy to find nowadays).
Phase 2: Generating the deepfake
Next, they run these photos and videos through AI face-swapping software. The tech has become shockingly cheap and accessible. Scammers don't need supercomputers anymore. Basically, they can run these apps on a mid-range laptop. Or they just use subscription-based online tools.
The software maps your facial features onto a live actor or a pre-recorded video template. If the bank's KYC system asks the user to blink, turn left, turn right, or read out numbers on the screen, the actor does these actions. The software swaps the actor's face with yours in real time. So, the output looks real. It looks like a live video of you responding to the screen prompts. I'm not sure exactly why it's so convincing, but the tech is incredibly good.
Phase 3: Bypassing the system
Here's the technical trick. When you do a video KYC, the banking app normally opens your phone's camera. But scammers don't use a normal camera. Instead, they use modified smartphones or emulator software on computers.
These emulators trick the banking app into reading a virtual camera feed instead of the physical camera sensor. The emulator doesn't capture a real person standing in front of the lens. Instead, the app receives the fake video stream directly. The bank's system sees a face that matches the Aadhaar photo. It watches the face blink and turn as requested. And then it just approves the verification.
Phase 4: Opening the account
Once the system is tricked, the account is active. Scammers link this account to a burner phone number they control. And they set up UPI services immediately. Now, they have a fully functional bank account registered under your name, but they control it completely. They can receive and transfer lakhs of rupees (scary, I know) without you getting a single SMS alert.
Warning signs you are being targeted
Identity theft of this nature is silent. You won't get an OTP when they open the account. That's because they use their own burner phone number for the bank registration. But, in my experience, there are always subtle signs that your data has been leaked.
- You receive unexpected credit score alerts from CIBIL or Experian showing inquiries for loans or bank accounts you never applied for.
- You get random SMS messages or emails from banks thanking you for opening an account or requesting you to complete your pending KYC.
- You notice unauthorized transactions, even small ones of 1 INR or 10 INR, in your primary bank accounts or UPI apps.
- You receive calls from people claiming to be bank executives asking you to look into your camera or perform a quick video test to verify your identity.
- Your mobile network connection suddenly stops working for no reason, which could indicate a SIM swap attack designed to intercept verification codes.
If you experience any of these, don't ignore them. It's a huge red flag.
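The first three warning signs above can be checked mechanically against an export of your bank and credit-bureau messages. This is an added example, not part of the original article; the message wording it matches, the bank names and the way the 10 INR limit is applied are assumptions built from the list above, and the sample messages are constructed.

```python
import re

# Assumption: banks you really hold accounts with (hypothetical names).
KNOWN_BANKS = {"HDFC", "SBI"}

# Patterns modelled on the warning signs listed above; real alert wording varies.
INQUIRY = re.compile(r"\b(enquiry|inquiry)\b.*\b(loan|credit card|account)\b", re.I)
ONBOARD = re.compile(
    r"thank you for opening|account (has been )?opened|"
    r"complete your (pending )?(video )?kyc", re.I)
DEBIT = re.compile(r"(?:INR|Rs\.?)\s*(\d[\d,]*(?:\.\d+)?)\s+debited", re.I)
BANK = re.compile(r"\b([A-Z]{2,})\s+Bank\b")


def triage(messages, known_banks=KNOWN_BANKS, micro_limit=10.0):
    """Return (index, reason) pairs for messages that match a warning sign."""
    findings = []
    for i, text in enumerate(messages):
        if INQUIRY.search(text):
            findings.append((i, "credit inquiry"))
        if ONBOARD.search(text):
            m = BANK.search(text)
            # Assumption: onboarding/KYC mail from a bank you use is expected.
            if (m.group(1) if m else None) not in known_banks:
                findings.append((i, "account/KYC message from unknown bank"))
        m = DEBIT.search(text)
        if m and float(m.group(1).replace(",", "")) <= micro_limit:
            findings.append((i, "micro-transaction"))
    return findings


# Constructed sample messages, not real alerts.
SAMPLE = [
    "CIBIL Alert: New enquiry for a personal loan was made on your profile.",
    "Thank you for opening a savings account with ABCD Bank. Welcome!",
    "INR 1.00 debited from A/c XX1234 via UPI. Ref 000000.",
    "INR 2,450.00 debited from A/c XX1234 at grocery store.",
    "Dear customer, please complete your pending KYC with SBI Bank.",
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE):
        print(f"[{reason}] {SAMPLE[index]}")
```

A hit is only a prompt to verify with the bank or credit bureau through their official channels; the last two signs in the list (unsolicited video-test calls and a sudden loss of mobile network) do not show up in message text and still need your own attention.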
How to protect your digital identity
You can't change your face once it's leaked. If you ask me, you can't reset biometric data the way you reset a password. So, prevention is the only real defense. Here are some practical steps you must take to secure your identity.
WARNING: Never complete a video verification call or look into a verification camera if requested by an unsolicited caller or via a link sent on WhatsApp.
Lock your Aadhaar biometrics
This is the most important step. Basically, the Unique Identification Authority of India (UIDAI) lets you lock your biometrics online. Once it's locked, nobody can use your fingerprint or iris data for verification, even if they have your Aadhaar number.
You can lock it easily using the mAadhaar app or by logging into the official UIDAI portal. If you need to complete a real verification, you can unlock it for ten minutes. It relocks automatically. Honestly, you should make this a habit.
Use DigiLocker for document sharing
Don't send raw PDF scans or photos of your Aadhaar and PAN cards via WhatsApp or email. Scammers love email attachments. Instead, use the DigiLocker app to share digitally signed, verified copies of your documents.
DigiLocker documents are secure and leave a digital trail. If you must share a physical photocopy, write the purpose clearly across the document. For example: 'Only for rental agreement verification in June 2026. Do not use for any other purpose.' And make sure to draw lines through your signature so it can't be easily cropped and pasted elsewhere.
Manage your social media privacy
We share too much online. Scammers use your public videos to train their AI models. Honestly, you should go to your Instagram and Facebook settings and make your accounts private.
Don't accept friend requests from strangers. If you have public video content that shows your face clearly from different angles, think about how you can remove it or limit its visibility. It takes very little footage for modern AI to create a convincing deepfake. I think it's better to be safe than sorry.
Check your credit reports regularly
Make it a monthly routine to check your credit history. Apps like Paytm, Google Pay, CRED, or official credit bureau portals offer free credit report checks. Just look for any new active loans, credit cards, UPI IDs, or bank accounts.
If you see an account you don't recognize, contact the bank immediately. You should also check our safety guides to learn how to monitor your digital footprints across different financial platforms. It doesn't take long, but it saves a lot of headaches.
Where to report identity fraud
If you discover that someone has used a deepfake to bypass KYC and open an account in your name, you must act fast. Don't wait for the bank to resolve it. Honestly, they won't act as fast as you need them to.
First, file an official complaint immediately on the government's national cybercrime portal at cybercrime.gov.in. You can also call the national cybercrime helpline at 1930. This helpline is active 24/7 and connects you directly to the cyber police team.
Next, contact the bank where the fraudulent account was opened. Send them a copy of the police complaint and ask them to freeze the account right away. It's the only way to protect yourself from legal liability if that account is used to move illegal funds. Also, report the incident to CERT-In on their portal at cert-in.org.in.
If you want to know more about handling online financial fraud, read our detailed section on cyber scams in India. It's a great resource to understand your rights under Indian banking laws.