Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Hiring has never been easy. But in the last year, it’s taken on an entirely new level of complexity. Fake candidates have become one of the most urgent problems facing HR, talent, and InfoSec teams alike. Today’s recruiters are flooded with AI-generated resumes that are nearly impossible to distinguish from legitimate candidates. When fake candidates make it to interviews, the tactics escalate with deepfakes used to impersonate people and proxy stand-ins for technical assessments.

Traditional detection methods and point solutions often focus on fraud detection at a single point. Identity platforms and orchestration layers help fraud fighters detect patterns and stop scaling attacks. But there’s a growing fraud vector called identity muling that’s particularly difficult for some fraud systems to detect. Below, we’ll explore how identity muling works, what it looks like from a fraud fighter’s perspective, and what you can do to protect your organization.

Physical discs have given way to streaming. You can make a purchase with a tap of your phone. But relying on documents to verify business and individual identities isn't going anywhere. In fact, the opposite is true. Some regulations require document checks during identity verification. Even when that’s not the case, documents are becoming popular and valuable components of identity checks because they provide information that isn’t available elsewhere.

Update (February 24, 2026): @vmfunc has published part two of their series about Persona. You can read it here. We will update this post with part three when it is released. On February 16, 2026, security researchers @vmfunc, @MDLcsgo, and @DziurwaF published a blog post identifying exposed frontend source maps on a non-production subdomain under withpersona-gov.com.

Supplemental document checks are often required for businesses that conduct Know Your Customer (KYC) or Know Your Business (KYB) checks. Even when compliance isn’t required, organizations often collect supplemental documents for their own business purposes, such as risk assessments. In business contexts, a supplemental document is a non-government-issued document that you collect to support a risk assessment.

Audiences around the world may be captivated by dramatic stories of con men like the Tinder Swindler. But this type of fraud is the exception rather than the rule. Most criminals go to great lengths to stay hidden and minimize the risk of getting caught. Sometimes, though, a criminal needs to show their face — or at least, a face — to pass identity checks.

Synthetic identity fraud used to be a specialty fraud job. Bad actors created synthetic identities by modifying personal information, combining multiple real identities, or combining real and fake information. But building up identities convincing enough to pass muster took time, research, and effort. As a result, you typically saw synthetic identity fraud when bad actors targeted organizations that could pay off in a significant way.

Product, fraud, and trust and safety teams at online merchants and marketplaces have been fighting bots for a long time. While there were occasional disagreements about how “bad” bots were (a purchase is a purchase, some might say), the general consensus often ranged from suspicious to block them all. But not anymore. As AI-powered browsers and agents become more commonplace, online merchants have to prepare for a world where agentic commerce is a standard sales channel.

Globally, companies lost an average of 7.7% of their annual revenue to fraud, according to TransUnion’s 2025 Digital Identity Risk Accelerates Fraud Losses report. In the US, companies reported revenue losses of 9.8%, a 46% increase from the previous year. That’s hundreds of billions of dollars heading into the hands of fraudsters. And those stats don’t account for the loss of trust, hit to brand reputation, and time and resources spent on mitigating and resolving the fraud.