What is Biometric Identity Theft?

Key Takeaways
- Biometric identity theft takes two very different forms – and the one most people worry about is not the one most likely to affect them.
- Stolen fingerprints and iris scans require sophisticated attacks on secured databases. For most people, this risk is low.
- Your face and voice are biometrics you share freely on social media every day, and artificial intelligence tools make it easy for scammers to use them against you.
- Free AI tools can clone a person’s voice in under 60 seconds using audio pulled from a public social media post.
- Common attacks include virtual kidnapping scams, CEO fraud and fake celebrity investment schemes.
- A simple family code word is one of the most effective defenses against AI voice scams.
- If you have been targeted, free help is available from the Identity Theft Resource Center. Call 888.400.5530 to learn more.
Most of us will never have our fingerprints stolen from a database. However, millions of us have already handed scammers the next best thing: our faces and voices.
When people hear “biometric identity theft,” they often picture a criminal lifting their fingerprint from a government database or breaking into a corporate facial recognition system. That threat is real, but it is also rare and difficult to pull off. Most people will never have to worry about it.
The more immediate risk is one we create ourselves. Every photo, video and voice clip posted publicly on social media is a biometric data sample that is free for anyone to collect. With today’s artificial intelligence tools, that’s all a scammer needs to impersonate you. This article focuses on that growing threat: what it is, how it works and what you can do about it.
What Are Biometrics?
A biometric is any physical or behavioral characteristic that can be used to confirm who you are. Fingerprints are the most familiar example, but biometrics also include your face, the pattern of your iris, your voiceprint and even the way you walk or type.
Biometrics are increasingly woven into daily life. You likely use one every time you unlock your phone with your face or fingerprint. Airlines use facial verification at boarding gates. Banks use voice authentication on customer service calls. Employers use fingerprint scanners to control access to secure areas.
The appeal is straightforward: biometrics are tied to your body, which makes them harder to steal than a password. You can forget a PIN or have a password guessed. It is much harder for a criminal to replicate your fingerprint. For a long time, that made biometrics feel like a near-perfect security solution.
However, biometrics are not all equally protected. Some, like your fingerprints, are typically stored in a secured database controlled by a business, a government agency or on your device. You never really “share” them publicly. Others, though, you share constantly and freely: your face every time you post a photo, and your voice every time you share a video or a voice memo.
That distinction matters more today than it ever has. While stealing a fingerprint from a secured database is genuinely difficult, training an AI on your face or voice requires nothing more than a scroll through your social media profile.
Biometric Identity Theft: Two Very Different Risks
Not all biometric identity theft looks the same. To understand the real risks, it helps to separate them into two distinct categories.
Stored Biometric Data Breaches
When a company or government agency collects your fingerprints or facial recognition data, that information is stored in a database. If that database is breached, the consequences can be severe and permanent. Unlike a stolen password, you cannot reset your fingerprints. You are stuck with the exposure for life.
High-profile breaches have happened. In 2019, a security database was discovered sitting exposed on the internet, containing more than one million unencrypted fingerprints* and facial recognition records. In 2015, a cyberattack on the U.S. Office of Personnel Management compromised the fingerprints of 5.6 million federal employees.
These incidents are serious. They require significant technical sophistication to execute and exploit. For the average person, a stored biometric breach is a low-probability risk, one worth being aware of, but not one that should keep you up at night.
*Encrypted biometrics are highly secure. Even if a cyber criminal has access to an encrypted biometric, they cannot make use of it without the key to unlock the files. Even then, most biometrics are not stored as an image, but rather are reduced to a unique code.
Your Face and Voice on Social Media
This is where the real and present danger lives for most people.
Every time you post a photo, share a video or leave a voice message in a public or semi-public space online, you are handing over biometric data. Your face and voice are unique identifiers, and unlike your fingerprints, you have been sharing them freely for years.
The problem is that AI tools have made it trivially easy to weaponize that data. Free tools available to anyone can now clone a person’s voice in under 60 seconds. A few seconds of audio pulled from a social media post is enough to create a convincing imitation. Facial deepfakes (sometimes called “cheapfakes” because of their low cost) have become so convincing that most people cannot tell them apart from real footage.
You do not need to have done anything wrong to be at risk. You just need to have a public profile.
How Scammers Use Your Face and Voice Against You
Understanding that your face and voice can be weaponized is one thing. Seeing how it actually plays out in the real world is another. These are not hypothetical attacks. They are happening now, to ordinary people, and the tactics are becoming more convincing.
The Virtual Kidnapping Scam
Imagine getting a phone call from your child. They are crying, panicked, telling you they are in trouble and need money immediately. The voice is unmistakably theirs – the cadence, the tone, even the way they say your name.
Except it is not them. It is an AI-generated clone built from audio scraped from their social media posts. Parents across the United States have received exactly these calls, and many have sent money before realizing what happened. The emotional shock of hearing a loved one’s voice in distress is precisely what scammers are counting on. It overrides rational thinking before you have a chance to ask questions.
Executive Fraud and Wire Transfer Scams
This tactic is not limited to personal relationships. Businesses are targeted, too. In one well-documented case, an employee at a UK energy company received a phone call from someone who sounded exactly like the company’s CEO, instructing them to wire funds to a supplier immediately. The voice passed every mental credibility check the employee had. The company lost €220,000 before anyone realized the call was fraudulent.
These attacks often combine multiple channels: a convincing email followed by a voice call or even a video message to lower the chance that any employee will pause and ask for verification. The more touchpoints a scammer creates, the more legitimate the request feels.
Fake Celebrity and Investment Scams
AI deepfakes are also being used to put words in the mouths of celebrities, executives and public figures. Videos circulate on social media, appearing to show well-known faces endorsing investment opportunities, cryptocurrency schemes, charities, or miracle products. None of it is real, but the production quality is often good enough that viewers do not question it until after they have already acted.
These scams spread quickly because social media platforms are built for rapid sharing. By the time a deepfake video is flagged and removed, it may have already reached hundreds of thousands of people.
The Numbers Behind the Threat
The scale of this problem is significant and growing. Deepfake fraud caused losses of more than $200 million among American companies in just the first three months of 2025. Analysts predict that figure could climb to $40 billion annually in the U.S. by 2027 if current trends continue.
Those numbers reflect only reported cases. Many victims – especially individuals targeted through family emergency scams – never report what happened, either out of embarrassment or because they do not know where to turn.
Why These Scams Work
The technology is alarming, but the psychology behind these attacks is not new. Scammers have always relied on urgency, fear and emotional pressure to make people act before they think. AI simply makes those tactics more believable and more scalable.
When you hear a voice you recognize, your brain is wired to trust it. When that voice tells you someone you love is in danger, your instinct is to act immediately, not to stop and verify. Scammers know this. They design their attacks specifically to trigger that response, and AI gives them the tools to do it more convincingly than ever before.
The Emerging Threat: Automated, AI-Driven Attacks at Scale
The scams described above still require some degree of human effort. A criminal has to identify a target, gather samples of their voice or image, build the attack and launch it. That is changing faster than most people realize.
The individual components of a fully automated biometric attack already exist. AI can scrape publicly posted images, videos and audio clips. It can clone a voice or generate a convincing deepfake face. It can write a personalized script based on details pulled from someone’s social media profile: their family members’ names, their employer, their recent travel. Automated calling and messaging systems can then deliver that attack to hundreds or thousands of targets simultaneously, with no human involvement after the initial setup.
The legal and regulatory response is trying to keep pace. The FCC has banned AI-generated voices in robocalls. The FTC has introduced rules prohibiting the use of AI to impersonate individuals, businesses or government agencies to commit fraud. The Take It Down Act, signed into law in 2025, makes it a federal crime to share non-consensual intimate deepfake imagery. These are meaningful steps – but enforcement lags behind the speed of the technology, and the laws cover only a fraction of the ways these tools are currently being misused.
The honest truth is that no single law or platform policy is going to solve this problem in the near term. That puts more responsibility on individuals to understand the risk and take steps to reduce their exposure.
How to Protect Yourself: Practical Steps
Protecting yourself from biometric impersonation does not require technical expertise. It requires awareness and a few deliberate habits.
Reduce What You Share Publicly
The less of your face and voice that is publicly accessible, the less raw material a scammer has to work with. That does not mean disappearing from social media entirely, but it does mean being intentional about what you share and with whom.
Consider auditing your public profiles. On platforms like Facebook, Instagram and TikTok, ask yourself whether your posts – especially videos and voice clips – are visible to people you do not know. Tightening your privacy settings so that your content is visible only to friends or followers you have approved is one of the most effective steps you can take.
Be especially thoughtful about tagging family members, particularly children. A scammer building a virtual kidnapping attack needs to know who your loved ones are. Public posts that identify your relationships make that research effortless.
Create a Family Verification System
One of the most practical defenses against AI voice scams is low-tech: a code word. Agree on a word or short phrase with the people closest to you, something that would never come up naturally in a conversation, that must be used any time someone makes an unusual or urgent request for money or personal information. If the caller cannot produce the code word, hang up and call back on a number you already have saved.
Slow Down Whenever Someone Creates Urgency
The defining feature of nearly every deepfake and AI voice scam is artificial urgency. Scammers need you to act before you think. Whether it is a panicked family member, a CEO demanding an immediate wire transfer or a law enforcement officer threatening arrest, the goal is always the same: compress your decision-making window so much that you skip the verification step.
Any request that involves money, personal information or account access, and comes with pressure to act immediately or keep it secret, should be treated as a red flag regardless of how familiar the voice sounds or how official the message looks. Taking the time to independently verify a request through a separate channel is almost always enough to expose a scam.
Stay Informed
The tactics scammers use evolve constantly. Staying up to date on emerging threats is one of the best ways to protect yourself, because awareness alone makes you significantly harder to deceive. The ITRC publishes regular updates on new and emerging identity crime trends.
What to Do If You’ve Been Targeted
If you believe you have been the target of a deepfake or AI voice scam, here are the immediate steps to take.
- If you sent money or shared financial information, contact your bank or financial institution right away. The sooner you report it, the better your chances of limiting the damage. Ask about fraud recovery options and whether any transactions can be reversed.
- If you shared personal information such as your Social Security number, date of birth or account credentials, you may be at risk of further identity theft beyond the initial scam. Place a credit freeze with the three major credit bureaus – Equifax, Experian and TransUnion – to prevent new accounts from being opened in your name.
- File a report. Report the incident to the FTC at ReportFraud.ftc.gov. Local law enforcement may also be able to help, particularly if a significant amount of money was involved.
- Document everything. Save any voicemails, screenshots, call logs, email threads or other records related to the scam. This documentation will support any reports you file and may be important if the case is investigated.
- Contact the ITRC. If you are not sure where to start, or if you need help navigating the recovery process, the ITRC offers free, confidential support from knowledgeable advisors. You can reach us by phone at 888.400.5530 or through live chat at idtheftcenter.org. No one should have to figure this out alone.
The Bottom Line
The risk of having your fingerprints and other biometrics stolen from a database is real, but it is also rare. It requires sophisticated attackers targeting specific systems, and most people will go their entire lives without being affected by it.
The risk that is growing is simpler and more immediate: your face and your voice are biometrics you probably share freely every day. AI tools have made it cheap and easy for criminals to take those samples and use them to impersonate you in ways that can be devastatingly convincing.
You cannot eliminate this risk entirely. However, you can reduce it. Tighten your privacy settings. Establish a code word with your family. Build a habit of pausing and verifying before you act on any urgent request. And if something happens, know that help is available.