Deepfake Bank Fraud: Lessons From the Amsterdam ABN AMRO Case

A fake apartment listing is where this fraud began. Someone posted a flat for rent on Marktplaats, one of the Netherlands' busiest classifieds sites, and prospective tenants did what the Amsterdam housing market trains people to do: they replied fast and sent whatever was asked for, including passport copies and pay slips to prove they were good for the rent. The apartment did not exist. The documents were real, and they became the raw material for fraud.

A 34-year-old man used those identity documents, along with others scraped from social media, to open dozens of bank accounts at ABN AMRO in other people's names. He did it through the bank's standard mobile onboarding flow, the one that asks an applicant to photograph an ID and take a selfie so an automated system can confirm the two faces match. He defeated that check with deepfake imagery that blended his own features with each victim's ID photo. In June 2026 the Amsterdam District Court convicted him and sentenced him to 30 months in prison, six of them suspended, plus compensation to the bank.

The obvious takeaway is that AI beat the bank. The more useful one is about what sat on either side of the deepfake. Closing the machine-side failure is ABN AMRO's job, and that fix is well understood. What carries over to everyone else is that the attack leaned on ordinary social engineering at both ends, and the defense for that is a practiced habit rather than a piece of technology.

How one person opened dozens of accounts

The mechanics were consistent across the reporting. ABN AMRO lets customers open an account from a phone by submitting a photo of an ID document and a selfie, with an automated system checking that the face in the selfie matches the face on the document. The fraudster broke this in two linked moves. First he collected genuine identity documents belonging to real people. Then he used face-swap software to merge his own facial features with the photo on each stolen document, producing a "selfie" that matched the ID closely enough to clear automated review.

The documents came from more than one place. Some were pulled from public social media profiles, where a high-resolution photo and a full name are often a click away. Others arrived through the fake Marktplaats rental listing, where victims handed over passport scans in good faith. Dutch reporting also pointed to older data breaches as a third source. None of this required breaking into anything. It required convincing people, or their past mistakes, to supply the pieces.

Once an account was open, the bank mailed out a debit card, and the accounts became infrastructure. Investigators tied them to bankhelpdeskfraude, the Dutch term for bank-helpdesk fraud, where criminals phone victims while posing as bank staff and talk them into moving money. The accounts also took in cash that prosecutors linked to laundering, with CCTV footage showing the man depositing large sums.

The way the scheme came apart is telling. The automated system did not catch it. A human did. One application paired a woman's ID document with a selfie that showed a man's face, because the deepfake had blended her features onto his well enough to fool an algorithmic match but not a person looking at it. A reviewer flagged the mismatch, the bank investigated, and the full scale of the fraud surfaced from there. The man was later stopped at a border crossing carrying a suspicious number of bank cards, was seen deleting Telegram from his phone, and had envelopes of debit cards and PINs and dozens of fake IDs with him.

One detail gets overstated in coverage, so it is worth being precise. The man had used ChatGPT, but not to generate the deepfakes. His phone showed him asking the model how bank identity verification works and how it might be bypassed. He used a chatbot the way a determined criminal once used a search engine or a forum: for research and planning. The deepfakes themselves came from separate face-swap tools. The AI here accelerated a person's homework. It did not replace the rest of the operation, and it left a tidy, timestamped record of intent that ended up helping the prosecution.

Why a selfie check could not stop it

The failure at the center of this case is specific and worth naming precisely, because it explains why the same trick keeps working elsewhere.

A selfie-to-document check answers one question: does the face in front of the camera match the face on the ID? That is a test of consistency. It does not answer a second, harder question: is the face a real, living person captured right now, rather than a synthetic image fed into the process? That is a test of presence. ABN AMRO's onboarding, like a lot of mobile banking onboarding across Europe, was strong on the first question and thin on the second. The moment an attacker can manufacture a face that bridges his own appearance and someone else's ID photo, a consistency check approves it, because consistency is all it was ever measuring.

A reliable verification system has to confirm three things at once: that the person is the right person, that they are a real person, and that they are present in real time. The control that covers the second and third points is liveness detection, ideally paired with defenses against injection, the technique of feeding a prepared image or video stream into the verification pipeline instead of holding something up to the camera. Public reporting on this case does not establish exactly how the manipulated selfies were delivered, whether uploaded or injected, and it does not need to. The outcome is the same either way: a face-match check cannot tell a synthetic face from a genuine one, so it waved the fraud through.

The standards bodies have caught up to this. The 2025 revision of the U.S. federal identity guidelines, NIST SP 800-63-4, makes injection-attack detection a control objective for higher assurance levels rather than an optional nicety, and European testing standards now define how to measure resistance to these attacks. The point of mentioning this is not to send you shopping for a liveness vendor. It is to be clear about the boundary of the lesson. If you run a bank's onboarding stack, closing this gap is your job, and there is now a recognized way to do it. If you do not, the bank's control is not the part of this story you can act on. The part you can act on is everything the attack relied on before and after the camera.

This is now a repeatable, cheap pattern

The Amsterdam case is not a freak event. It is one well-documented instance of a method that is spreading because it has become cheap and easy.

The clearest comparison comes from Hong Kong, where in April 2025 police arrested eight people in a ring that used 21 stolen Hong Kong identity cards to make 44 bank account applications, around 30 of which succeeded. The technique was the same: merge the fraudster's face onto the cardholder's ID photo to pass facial recognition, then use the accounts for laundering and credit abuse. It was a different country and a different bank running the same method.

The reason it travels so well is commoditization. Reporting by MIT Technology Review, summarized by Biometric Update, found KYC-bypass tools sold openly across roughly two dozen Telegram channels: stolen biometric data, deepfake generators, and virtual-camera software designed to slip a synthetic feed into a liveness check, with sellers naming well-known banks and exchanges as targets. What used to take specialist skill and expensive hardware is now closer to a subscription.

There is no shortage of large numbers attached to this trend, and they should be read with care. Identity-verification vendors report figures like deepfakes accounting for roughly one in five biometric fraud attempts, and sharp year-over-year jumps in injection attacks against mobile platforms. Those numbers point in a consistent direction, and several independently run reports agree on the trajectory. But most of them come from companies that sell deepfake detection, which gives them a commercial reason to size the threat generously, and their methods are not directly comparable to one another. Treat them as a directional signal that the problem is real and growing, not as precise measurements. The court-verified facts of a single case like this one carry more weight than any vendor's headline percentage.

The attack was bracketed by old-fashioned social engineering

Strip the word deepfake out of this case and look at what the fraud actually depended on at each end. Conventional social engineering was doing the heavy lifting.

At the front end, the deepfake was useless without genuine identity documents, and those came from people. Victims were talked into sending passports and pay slips to a landlord who did not exist, through a request that looked completely routine. Handing an ID to a prospective landlord is a normal thing to do. That is exactly why it worked. There was no malware and no suspicious link, only a trusted everyday workflow quietly turned into a harvesting operation.

At the back end, the fraudulent accounts were not the goal in themselves. They were tools for bank-helpdesk fraud, where a human being is phoned by someone posing as their bank and persuaded to move money. The synthetic media got the attacker through the door. A live human conversation did the actual theft.

This is why the most common form of deepfake awareness training is aimed at the wrong target. For years the advice was to spot the fake by looking for the glitch: unnatural blinking, mismatched lip-sync, the wrong number of fingers. Current-generation fakes do not reliably show those tells anymore, and the perceptual gap is closing faster than any training program can keep up with. A defense built on catching the visual flaw is a defense with a shrinking shelf life.

The case points to a sturdier conclusion. The fraud did not win because the deepfake was flawless. It won because the verification step had no fallback once the visual check was beaten. Nobody and nothing was positioned to ask, through an independent channel, whether the request was actually legitimate. The real vulnerability was procedural, not perceptual, and procedure is something you can fix without out-running the attackers' image quality.

The verification habit that actually transfers

The single highest-impact control against synthetic-media fraud is also one of the oldest: out-of-band verification. Confirm an unusual or high-stakes request through a separate, pre-known channel, rather than trusting what is on the screen or on the phone. If a call, email, or video asks you to move money, change payment details, reset a credential, or release sensitive data, you verify it by reaching the supposed requester through a contact path you already trust, not one supplied inside the request itself.

What makes this work is that it does not care how convincing the fake is. A perfect deepfake voice of your CFO and a clumsy one both fail the same test when the recipient hangs up and calls the CFO back on a known number. The control sidesteps the entire arms race over media quality, because it never tries to judge the media at all. It judges the request, through a channel the attacker does not control.

Translating that into habits people actually perform looks like this:

• Treat sharing an identity document as a high-risk action, on par with handing over a password. The fake landlord worked because nobody in the chain treated a passport scan as sensitive. Legitimate organizations that need your ID can accept it through a verifiable, regulated channel, and a marketplace chat is not one.

• Require a callback on a pre-registered number for any request involving money movement, credential changes, or data disclosure. The number comes from your own records, never from the message.

• Use multi-person authorization for high-value or unusual actions, so a single deceived employee is not a single point of failure.

• Build in a cooling-off step for first-time or out-of-pattern requests, because urgency is the lever almost every one of these attacks pulls.

• Apply zero trust to any identity claim that arrives digitally, regardless of how authentic it looks or sounds.

The catch is that knowing these rules and performing them under pressure are different things. The fraud in these cases lands precisely because the moment is engineered to feel urgent, authoritative, and normal all at once. People do not rise to the occasion; they fall back on what they have practiced. A policy document that lists the right behavior changes very little if nobody has ever rehearsed it. The verification reflex has to be trained the way any reflex is, through repetition against realistic pressure, until reaching for the independent channel is automatic rather than something an employee has to remember to do.