Oh Heck, I Look Like a Scammer

Scamicide recently talked about a “free piano scam” where the scammer gifts the victim a piano for free—if the victim pays delivery costs northwards of $600—in advance. Guess what never gets delivered?

The post goes on to say:

“A big indication that this is a scam is that the moving company asks for payment by Zelle or cryptocurrencies. No legitimate business asks for payment by Zelle or cryptocurrencies, but scammers often do because of the anonymity for these types of payments and the difficulty in tracing or reversing payments made in this manner.”

Well, Bredemarket doesn’t REQUIRE Zelle…but I take it. (No crypto.)

Employment Fraudster Lack Of Differentiation

While the fraud fighting companies don’t differentiate themselves, it turns out the fraudsters aren’t differentiating themselves either.

“Gibson Karen.”

Take Gibson Karen, who commented that I should connect with a particular person in Gibson’s network.

  • Except that Fibson has no network: 0 connections, 0 followers, and 0 recommendations despite nearly 2 decades in the industry.
  • Fibson’s location? “United States.”
  • The odd first name as last name that doesn’t match Fibson’s perceived sex.
  • The request to contact someone else, not Fibson.
  • The email address of Fibson’s contact? gregory.hopkins@allegisgroupjobs.com. The real URL is allegisgroup, not allegisgroupjobs.

Um…

Don’t they even try any more?

You don’t need 30 years of identity experience to recognize employment fraud when you see it.
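
The last check in the list above (a sender domain that pads a real brand name with an extra word) can be automated. This is an added example, not part of the original post; the allowlist entry `allegisgroup.com` is an assumption (the post only names "allegisgroup"), and every sample address except the one quoted in the post is constructed.

```python
# Added example: classify a sender address against an allowlist of real domains.
# TRUSTED is an assumption; the post itself only names "allegisgroup".
TRUSTED = {"allegisgroup.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_sender(address: str, trusted=TRUSTED) -> str:
    reg = registered_domain(address.rsplit("@", 1)[-1].strip())
    if reg in trusted:
        return "trusted"  # exact domain or one of its subdomains
    label = reg.split(".")[0]
    for good in trusted:
        brand = good.split(".")[0]
        if label == brand:
            return "lookalike:tld-swap"  # right name, wrong TLD
        if brand in label:
            return "lookalike:brand-plus-keyword"  # e.g. brand + "jobs"
        if edit_distance(label, brand) <= 2:
            return "lookalike:typo"
    return "unknown"


if __name__ == "__main__":
    samples = [
        "gregory.hopkins@allegisgroupjobs.com",  # address quoted in the post
        "recruiter@mail.allegisgroup.com",       # constructed
        "hr@allegisgr0up.com",                   # constructed
    ]
    for s in samples:
        print(f"{s:40} {classify_sender(s)}")
```

A `trusted` result only says the domain string matches; it does not show the mail was actually sent from that domain, which is what SPF, DKIM and DMARC results are for.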

Mistaken Identity

I generated this picture in Imagen 4 after reading an AI art prompt suggestion from Danie Wylie. (I have mentioned her before in the Bredemarket blog…twice.)

The AI exercise raises a question.

What if you are in the middle of an identity verification or authentication process, and only THEN discover that a fraudster is impersonating you at that very moment?

IDV Differentiation as Measured in the Prism Project’s Deepfake and Synthetic Identity Report

Because I have talked about differentiation ad nauseam, I’m always looking for ways to see how identity/biometric and technology vendors have differentiated themselves. Yes, almost all of them overuse the word “trust,” but there is still some differentiation out there.

And I found a source that measured differentiation (or “unique positioning”) in various market segments. Using this source, I chose to concentrate on vendors who concentrate on identity verification (or “identity proofing & verification,” but close enough).

My source? The recently released “Biometric Digital Identity Deepfake and Synthetic Identity Prism Report” from The Prism Project, which you can download here by providing your business address.

Before you read this, I want to caution you that this is NOT a thorough evaluation of The Prism Project deepfake and synthetic identity report. After some preliminaries, it focuses on one small portion of the report, concentrating on ONLY one “beam” (IDV) and ONLY one evaluation factor (differentiation).

Four facts about the report

First, the report is comprehensive. It’s not merely a list of ranked vendors, but also provides a, um, deep dive into deepfakes and synthetic identity. Even if you don’t care about the industry players, I encourage you to (a) download the report, and (b) read the 8 page section entitled “Crash Course: The Identity Arms Race.”

  • The crash course starts by describing digital identity and the role that biometrics plays in digital identity. It explains how banks, government agencies, and others perform identity verification; we’ll return to this later.
  • Then it moves on to the bad people who try to use “counterfeit identity elements” in place of “authentic identity elements.” The report discusses spoofs, presentation attacks, countermeasures such as multi-factor authentication, and…
  • Well, just download the report and read it yourself. If you want to understand deepfakes and synthetic identities, the “Crash Course” section will educate you quickly and thoroughly, as will the remainder of the report.
Synthetic Identity Fraud Attacks. Copyright 2025 The Prism Project.

Second, the report is comprehensive. Yeah, I just said that, but it’s also comprehensive in the number of organizations that it covers.

  • In a previous life I led a team that conducted competitive analysis on over 80 identity organizations.
  • I then subsequently encountered others who estimated that there are over 100 organizations.
  • This report evaluates over 200 organizations. In part this is because it includes evaluations of “relying parties” that are part of the ecosystem. (Examples include Mastercard, PayPal, and the Royal Bank of Canada who obviously don’t want to do business with deepfakes or synthetic identities.) Still, the report is amazing in its organizational coverage.

Third, the report is comprehensive. In a non-lunatic way, the report categorizes each organization into one or more “beams”:

  • The aforementioned relying parties
  • Core identity technology
  • Identity platforms
  • Integrators & solution providers
  • Passwordless authentication
  • Environmental risk signals
  • Infrastructure, community, culture
  • And last but first (for purposes of this post), identity proofing and verification.

Fourth, the report is comprehensive. Yes I’m repetitive, but each of the 200+ organizations is evaluated on a 0-6 scale based upon seven factors. In listed order, they are:

  • Growth & Resources
  • Market Presence
  • Proof Points
  • Unique Positioning, defined as “Unique Value Proposition (UVP) along with differentiable technology and market innovation generally and within market sector.”
  • Business Model & Strategy
  • Biometrics and Document Authentication
  • Deepfakes & Synthetic Identity Leadership

In essence, the wealth of data makes this report look like a NIST report: there are so many individual “slices” of the prism that every one of the 200+ organizations can make a claim about how it was recognized by The Prism Project. And you’ve probably already seen some organizations make such claims, just like they do whenever a new NIST report comes out.

So let’s look at the tiny slice of the prism that is my, um, focus for this post.

Unique positioning in the IDV slice of the Prism

So, here’s the moment all of you have been waiting for. Which organizations are in the Biometric Digital Identity Deepfake and Synthetic Identity Prism?

Deepfake and Synthetic Identity Prism. Copyright 2025 The Prism Project.

Yeah, the text is small. Told you there were a lot of organizations.

For my purposes I’m going to concentrate on the “identity proofing and verification” beam in the lower left corner. But I’m going to dig deeper.

In the illustration above, organizations are nearer or farther from the center based upon their AVERAGE score for all 7 factors I listed previously. But because I want to concentrate on differentiation, I’m only going to look at the identity proofing and verification organizations with high scores (between 5 and the maximum of 6) for the “unique positioning” factor.

I’ll admit my methodology is somewhat arbitrary.

  • There’s probably no great, um, difference between an organization with a score of 4.9 and one with a score of 5. But you can safely state that an organization with a “unique positioning” score of 2 isn’t as differentiated as one with a score of 5.
  • And this may not matter. For example, iBeta (in the infrastructure – culture – community beam) has a unique positioning score of 2, because a lot of organizations do what iBeta does. But at the same time iBeta has a biometric commitment of 4.5. They don’t evaluate refrigerators.

So, here’s my list of identity proofing and verification organizations who scored between 5 and 6 for the unique positioning factor:

  • ID.me
  • iiDENTIFii
  • Socure

Using the report as my source, these three identity verification companies have offerings that differentiate themselves from others in the pack.

Although I’m sure the other identity verification vendors can be, um, trusted.

Oh, by the way…did I remember to suggest that you download the report?

When HiveLLM Pitches an Anti-Fraud Professional

I received a suspicious email from “Sara Romano,” a “scout” with HiveLLM who wanted me to bid on a biometric content calendar with a budget of “75000” (no currency specified).

HiveLLM has no corporate address, no LinkedIn presence, a website only a couple of months old, and an advertised business model in which you can ask a question for 10 cents.

Oh, and “Sara Romano” also cold emailed Danie Wylie, who also found the pitch sketchy: https://m.facebook.com/story.php?story_fbid=pfbid0nvmhyuLpn3jwMv8K8sbK5EXfS4kcpjfWHicgj4BJhdFLMme87P5fvPSYf9CwjRH7l&id=100001380243595&mibextid=wwXIfr

A clear case of the need for Know Your Business (KYB).

And as you can see, HiveLLM failed a rudimentary KYB check.

But let’s ask some questions anyway.

“Sara, to confirm that HiveLLM is not a fraudulent entity, please provide your corporate address, registration information, and the identities of your owner(s) and corporate officers.”

UPDATE. At midnight Pacific Time, “Sara” sent a long response. Buried toward the end: “I’m unable to provide corporate registration or ownership details.”

Verify the Supporting Documents Aren’t Forged

From the CBC in Canada:

“The documents were forged Labour Market Impact Assessments, or LMIAs. Employers typically receive the documents from Employment and Social Development Canada (ESDC) if they want to hire a foreign worker.”

Biometrics aren’t enough. The person may be who they say they are, but the documentation they are holding may be fake.

More on this type of fraud: https://www-cbc-ca.cdn.ampproject.org/c/s/www.cbc.ca/amp/1.7516048

(Forged document from Imagen 3. Lincoln never held a law license in the then-United Kingdom.)

Why Replacing Your Employees with VLM NPE Bots Won’t Defeat Social Engineering

(Scammed bot finger picture from Imagen 3)

Your cybersecurity firm can provide the most amazing protection software to your clients, and the clients still won’t be safe.

Why not? Because of the human element. All it takes is one half-asleep employee to answer that “We received your $3,495 payment” email. Then all your protections go for naught.

The solution is simple: eliminate the humans.

Eliminating the human element

Companies are replacing humans with bots for other rea$on$. But an added benefit is that when you bring in the non-person entities (NPEs) who are never tired and never emotional, social engineering is no longer effective. Right?

Well, you can social engineer the bot NPEs also.

Birthday MINJA

Last month I wrote a post entitled “An ‘Injection’ Attack That Doesn’t Bypass Standard Channels?” It discussed a technique known as a memory injection attack (MINJA). In the post I was able to sort of (danged quotes!) get an LLM to say that Donald Trump was born on February 22, 1732.

(Image from a Google Gemini prompt and response)

Fooling vision-language models

But there are more serious instances in which bots can be fooled, according to Ben Dickson.

“Visual agents that understand graphical user interfaces and perform actions are becoming frontiers of competition in the AI arms race….

“These agents use vision-language models (VLMs) to interpret graphical user interfaces (GUI) like web pages or screenshots. Given a user request, the agent parses the visual information, locates the relevant elements on the page, and takes actions like clicking buttons or filling forms.”

Clicking buttons seems safe…until you realize that some buttons are so obviously scambait that most humans are smart enough NOT to click on them.

What about the NPE bots?

“They carefully designed and positioned adversarial pop-ups on web pages and tested their effects on several frontier VLMs, including different variants of GPT-4, Gemini, and Claude.

“The results of the experiments show that all tested models were highly susceptible to the adversarial pop-ups, with attack success rates (ASR) exceeding 80% on some tests.”

Educating your users

Your cybersecurity firm needs to educate. You need to warn humans about social engineering. And you need to warn AI masters that bots can also be social engineered.

But what if you can’t? What if your resources are already stretched thin?

If you need help with your cybersecurity product marketing, Bredemarket has an opening for a cybersecurity client. I can offer:

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Don’t Try to Scam a Police Captain

Scammers tried to extract information from Ann Stephens, but she refused to give them the stuff they wanted: Social Security digits, her home address, or her bank account information.

Ann Stephens taking a scammer call at work.

The only information she provided was her work address.

At the time (2019), she was a police captain in Apex, North Carolina. 

Oops.

She retired in 2022. And presumably continues to handle fraudsters, to their detriment.

And one more thing…

The formal announcement is embargoed until tomorrow, but Bredemarket has TWO openings to act as your on-demand marketing muscle for facial recognition or cybersecurity:

  • compelling content creation
  • winning proposal development
  • actionable analysis

Book a call: https://bredemarket.com/cpa/