Persona analyzed fraudulent selfie verifications from early 2026 and found that 76.5% of the attempts didn’t involve deepfakes, synthetic faces, or other AI-generated selfies.
We also found that the vast majority of attempts (86.2%) were relatively simple presentation attacks. And even within the more complex injection attacks, bad actors were 194% more likely to inject videos of real people than AI selfies.
The findings reinforce what we’ve anecdotally heard about how bad actors are using AI to increase the scale and sophistication of attacks. There’s a high volume of unsophisticated presentation attacks and a lower (but significant) volume of sophisticated selfie injection attacks.
Persona analyzed over 27M fraudulent selfies from early 2026
We started the analysis by reviewing selfie verifications that failed our selfie liveness checks in early 2026. The results included selfie submissions to companies of various sizes across different regions and industries. It didn’t include every failed selfie verification during the first half of 2026.
Selfies can fail for reasons unrelated to fraud, such as poor lighting, facial obstruction, or other quality-related issues. To account for this, we limited the results to fraud-related reasons, such as deepfake, replica, or virtual camera detection.
We also grouped the failed selfie checks into two primary attack vectors:
Presentation attacks, which happen when fraudsters present an image, recording, or livestream to the capture device. They tend to be simpler because the attacker can wear a mask, hold up a piece of paper, or record a video that’s playing on another screen.
Injection attacks, which happen when fraudsters use software or hardware to replace or intercept an authentic camera stream. The most common form of injection attacks involves free virtual cameras. More complex attacks require technical skills, but bad actors are using AI to overcome some technological challenges.
Persona uses machine learning micromodels to detect different indicators of fraud. Some models focus on the attack vector, such as replica detection (indicative of a presentation attack) and emulator or virtual camera detection (indicative of an injection attack). Other micromodels are trained to detect AI usage, such as deepfakes and AI-generated content.
We can use these insights to highlight how attackers are delivering fraudulent selfies and what type of content they’re presenting.
Non-AI content | AI content | |
|---|---|---|
Presentation attack | 17.9M (66.2%) | 5.4M (20%) |
Injection attack | 2.8M (10.3%) | 952k (3.5%) |
What do 27 million fraudulent selfies tell us?
Digging into the results also reveals interesting insights. At a high level, our analysis shows:
AI-generated content is in nearly one out of every four fraudulent selfies.
Most selfie fraud involves simple presentation attacks with real (non-AI) selfies.
Virtual cameras account for over 80% of selfie injection attacks.
Attackers are over three times more likely to inject videos of real people than AI selfies.
Here’s a closer look at each finding.
“There are fraud rings that use bots or AI to launch hundreds of thousands of attacks. Frankly, it’s fraud slop. They’re essentially crossing their fingers and hoping something slips through.”
Fraudsters aren’t using AI selfies as often as you might expect
“Across industries, almost one in four (23%) selfie attacks include AI content,” says Coco Tang, a product architect at Persona. That might feel counterintuitive when you read so many headlines about the rise in deepfake fraud, but it’s a significant and growing threat.
“Deepfakes and GenAI synthetic faces are getting better, which is why we think a multi-layered detection approach is the best defense,” adds Coco. “If you know a user is using a virtual camera, exhibiting anomalous behavior, or taking a picture of another screen, you can flag them as risky before you analyze the actual face.”
Presentation attacks are the most common selfie attack vector
Most (over 86%) of the fraudulent selfie attempts in early 2026 involve a presentation attack, and the majority of presentation attacks (77%) don’t use AI selfies.
We present a broad picture of what’s happening, and don’t weight the results in our industry-inclusive approach. Keep this in mind if you’re comparing your organization’s or industry's attack surface to the findings.
“We tend to see high-quality AI selfies and injection attacks when fraudsters have high-value targets,” says Coco. “But there are also fraud rings that use bots or AI to launch hundreds of thousands of attacks. Frankly, it’s fraud slop. They’re essentially crossing their fingers and hoping something slips through.”
Virtual cameras account for over 80% of selfie injection attacks
Overall, about 14% of selfie fraud attempts are from injection attacks. There are also some interesting insights into how fraudsters inject the selfie.
The most common method (82%) involved video injection using a basic virtual camera setup. Bad actors can easily find free virtual camera software and tutorials on how to inject prerecorded or altered videos into a selfie request.
The remainder comes from more advanced selfie injection techniques, such as function hooking.
Attackers are 194% more likely to inject videos of real people
Similar to what we find with presentation attacks, the majority (75%) of injection attacks don’t involve AI-generated or AI-manipulated selfies. Since bad actors are already going through the effort of launching a more complex attack, they may be trying to avoid AI-specific detection checks by using real videos.
“Many of these videos come from people who are tricked into sharing a selfie, or get paid but don’t fully understand what’s happening,” says Coco. In early 2025, we shared reports of fraud marketplaces selling full packages with identifying information, documents, and video selfies for $12.
Coco points out that “When the most sophisticated attackers inject AI selfies, they often use asset refinement techniques, such as artifact suppression or noise injection, in an attempt to avoid detection.”
How can you stop selfie fraud in 2026?
Stopping selfie fraud in 2026 requires systems and tools that consider the content, context, and delivery method for the selfie. The layered approach can help you automate defenses against high-volume attempts and the latest, sophisticated techniques alike. These can include:
Visual models that detect AI-generated content and presentation attacks.
Device intelligence to detect the use of a virtual camera, emulator, rooted device, or otherwise risky device.
Behavioral signals to highlight bot and abnormal activity.
Population-level analysis that can flag when users are connected to fraudulent activity or submitting similar images.
There are also organizational or product decisions that can help deter selfie fraud, such as limiting how many submissions users can attempt, asking users to make specific movements at random, requiring users to submit a selfie from a mobile device, and enabling video capture during the selfie.
Interested in learning more? Visit Persona’s selfie liveness detection page, contact our fraud experts to ask questions, or download our two-pager (PDF link, no email required) on deepfake and bot detection.
Methodology and limitations
Methodology
We examined slightly more than 27M selfie verifications that failed due to a fraud-related reason, such as deepfake, replica, or virtual camera detection. The results do not include every failed selfie verification from the first half of 2026.
We excluded reasons unrelated to fraud, such as poor lighting, facial obstruction, or other quality-related issues.
We pulled data from identical time frames, but we did not limit the search to specific industries, company sizes, or regions.
Limitations
Our insights are limited to what we see when our customers require selfie verification checks. Some require every user to submit a selfie, while others only require selfies during step-up verifications.
We treat all failed selfies as fraudulent in this report, but organizations can set risk thresholds for selfie liveness checks. As a result, a selfie that triggers a low threshold at one organization might pass a selfie check at an organization with a higher threshold.
Organizations determine whether users can submit a new selfie if the initial check fails and how many attempts users can make. We’re counting each attempt in this report.
Because of the cross-industry/size approach, the volume shouldn’t be misconstrued as a measure of the danger a particular organization faces. Some organizations fend off hundreds of thousands of bot-submitted deepfakes each month, and a single false negative will cost them only a few dollars. Others deal with a much lower volume, but a false negative could cost them tens of thousands of dollars.