For years, cybercriminals went after passwords, one-time passcodes (OTPs), and banking credentials. That is still happening — but the smarter ones have moved on to something far more valuable and a lot harder (read: mostly impossible) to replace.
 
Your face.
 
A recent advisory from the Indian Cybercrime Coordination Centre (I4C) under the Union ministry of home affairs (MHA) has flagged an emerging threat where criminals are using AI and deepfake technology to steal facial biometrics and weaponise them for financial fraud. 
 
The warning is well-timed. Facial recognition, video know-your-customer (KYC), biometric authentication and artificial intelligence (AI)-powered identity verification are now standard across banks, fintech platforms, investment apps, telecom services and government programmes. These systems have made customer on-boarding genuinely faster and more convenient. They have also handed criminals a new attack surface.
 
Why Your Face Has Become a Target
Most people guard their passwords, personal identification numbers (PINs) and OTPs carefully, even religiously. Very few think of their face the same way. That is a problem — because increasingly, your face has become one of the ultimate credentials.
 
Here is the critical difference: if your password is compromised, you change it. If your facial biometric is stolen, you can't do anything about it. You can't reset your face. 
 
There are hundreds of news reports about people whose biometrics were captured incorrectly in their Aadhaar records and who now face a Herculean task to rectify them. It is not easy, and it can take a common person anywhere from a week to years to get the correction made.
 
According to the advisory issued by I4C’s national cybercrime threat analytics unit (NCTAU), criminals are now collecting facial recordings and photographs from unsuspecting people and running them through AI tools to build realistic digital replicas. These AI replicas can mimic facial expressions, head movements, blinking patterns and voices with unsettling accuracy. The goal is straightforward — trick identity verification systems into believing the fraudster is you.
 
How the Scam Works
It usually starts with something that feels routine.
 
You get a call from someone claiming to be your bank, your telecom provider, an insurance company, or a government department or agency. They tell you your eKYC has expired and needs to be updated immediately, or your account will be suspended, or you will be excluded from a government scheme. In other versions of the scam, the approach comes through social media, messaging apps, job portals, or even dating apps. 
 
You are asked to visit the institution or office concerned and complete the update immediately. But here comes the most interesting part: whether or not you agree to a personal visit, the ‘ever-helpful’ cybercriminal immediately offers to do it online via a video call!
 
The fraudster then walks you through a ‘verification process’ over a video call. You are asked to look directly at the camera. Turn your head left and right. Blink. Smile. Read a sentence aloud. Move closer to the screen. Follow various on-screen prompts.
 
It feels like a routine identity check. It isn't.
 
What is actually happening is that the fraudster is capturing high-quality biometric data — in real time, with your full cooperation. That footage is then processed through AI systems capable of generating deepfake videos and synthetic identities. 
 
The resulting digital clone can potentially be used to impersonate you across multiple authentication processes, often without you ever knowing it is happening.
 
 
 
The Fake Job Interview Trap
 
Cybercriminals advertise attractive remote positions and invite candidates to online interviews. Applicants are asked to perform various facial movements, answer questions on camera and stay connected for extended periods — all under the guise of candidate evaluation or identity verification. Since most applicants willingly comply and produce high-quality footage, these fake interviews can become remarkably productive sources of biometric data.
 
If you have ever attended an online interview with an unfamiliar company and been asked to perform unusual camera-based exercises, think back carefully about what that session may actually have been for.
 
Why Video KYC Has Become Attractive to Criminals
Banks and fintech companies use video KYC precisely because it is hard to fake. Users are asked to blink, move their heads, or perform simple actions to prove they are physically present — specifically to prevent someone holding up a photograph. For years, this worked reasonably well.
 
The problem is that AI-generated content has advanced rapidly and cybercriminals are now creating synthetic videos that convincingly imitate these liveness behaviours, fooling some systems. 
 
The I4C's advisory explicitly warns that deepfake technology is being used in attempts to bypass facial authentication, liveness verification, account recovery processes and other digital identity checks. Financial institutions are strengthening their defences, but it is an ongoing race.
 
Social Media Is Doing Half the Work for Them
Here is something most people have not considered: every public video you post is potentially a data source for this kind of fraud.
 
Instagram reels, Facebook videos, YouTube vlogs, LinkedIn clips, TikTok content — anything that shows your face clearly, from multiple angles, in good lighting, is potentially usable material. Birthday celebrations, travel montages, live streams, family videos, everything that you have posted. With access to enough of this content, a criminal can use AI to build a surprisingly detailed facial model without ever speaking to you.
 
This is not an argument for deleting your social media. It is an argument for tightening your privacy settings and being more intentional about what you make publicly visible.
 
The Damage Goes Well Beyond Your Bank Account
People tend to think of this as a banking fraud problem. It is bigger than that.
 
A compromised biometric identity can potentially be used for fraudulent account openings, unauthorised SIM acquisitions, fake investment accounts, loan fraud, money laundering, social media impersonation and account recovery attacks. 
 
In many cases, victims don't discover the misuse until financial losses or legal complications have already materialised — sometimes months later.
 
Warning Signs You Should Know
Be suspicious whenever someone unexpectedly requests a video verification session. The specific red flags to watch for: unsolicited calls demanding urgent KYC updates; threats of account suspension; requests to complete video verification over WhatsApp or Telegram; recruiters insisting on unusual camera-based exercises; repeated facial movement prompts with no clear purpose; demands for Aadhaar details during unofficial video calls; and any pressure tactic built around urgency or fear.
 
Legitimate organisations have official communication channels. They do not typically demand immediate action through random video calls.
 
What You Can Actually Do
Never Complete a KYC Process Triggered by an Unsolicited Call. If someone contacts you claiming to represent your bank or telecom provider, hang up and call the organisation yourself using the number on their official website.
 
Protect Your Facial Data the Way You Treat Your Password. That means not handing over video recordings just because someone claims they're needed for verification.
 
Lock Your Aadhaar Biometrics. The I4C's advisory specifically recommends this, and it is one of the most effective defences against remote identity theft. The UIDAI app and official portal allow you to lock and unlock your biometric data as needed.
 
Review Your Social Media Privacy Settings. You don't need to disappear from the internet — but there is a meaningful difference between sharing content with friends and broadcasting high-resolution facial video to anyone who cares to look.
 
If you are attending online interviews with unfamiliar companies, verify the recruiter and the organisation before you show up on camera. Check the company website, the email domain and the standard recruitment process.
 
Watch Your Account Alerts Closely. This includes login notifications, KYC update messages, authentication alerts and SIM replacement requests. Anything unexpected is worth investigating immediately. And if your phone suddenly loses mobile network without explanation, contact your telecom operator at once. That can be an early indicator of a SIM swap attack.
 
If you believe your biometric identity has already been misused, report it immediately at cybercrime.gov.in and contact your bank or financial institution without delay.
 
The Bottom Line
The digital world is moving steadily toward password-less authentication — fingerprints, faces, voices. That is largely a good thing. But it raises the stakes considerably when things go wrong.
 
Cybercriminals no longer need just your OTP. Increasingly, they want your face, your voice and your digital identity. And unlike a password, none of those can be reset.
 
The rule is simple: treat every unexpected request for video verification with suspicion. Before you blink, smile, or turn your head for a stranger on a screen, be absolutely certain you know who is watching — and why.
 
In the age of AI-powered fraud, your face may be the most valuable credential you own.
 
Stay Alert, Stay Safe!