How Weak Identity Security Posture Affects Organizations
The report paints a clear picture: fraudsters are refining their strategies, targeting high-value credentials and exploiting vulnerabilities across all channels. Several statistics stand out, demanding immediate attention from security and risk leaders.
How Compromised Credentials Lead to the Rise of Identity Fraud
- A particularly alarming trend highlighted is the increasing exposure of government-issued IDs in data breaches. In 2024, 31% of US data breaches included driver's licenses or other state IDs, a sharp rise from 19% in 2023.
- For years, presenting a physical ID or a scan of one has been a common identity verification step. However, when the digital versions of these documents are readily available to criminals due to breaches, relying solely on document verification becomes dangerously inadequate.
- Fraudsters can now more easily acquire the very credentials used in traditional proofing processes, making it essential to layer additional, dynamic verification methods.
How Fraudsters Use ID Spoofing and KBA to Their Benefit
Fraudsters are becoming more adept at impersonating legitimate customers, and legacy verification methods are failing to stop them. The TransUnion survey found:
- 55% of knowledgeable business leaders reported that call spoofing to impersonate a customer became more common in the past year.
- 58% reported that the use of stolen personal information to pass knowledge-based authentication (KBA) became more common.
- The Implication: These two statistics are intrinsically linked. Widespread data breaches have made personally identifiable information (PII) – the foundation of KBA questions like "What street did you grow up on?" or "What was your first pet's name?" – easily accessible to criminals. Simultaneously, spoofing technologies allow fraudsters to appear as legitimate callers. Relying on information recall (KBA) or caller ID is no longer a viable defense mechanism. Knowledge is not identity.
Call Centers and Help Desks Are Now Prime Targets of Identity Fraud
The human element in customer service remains a key target. The report reveals a significant increase in attacks targeting call centers:
- The percentage of high-risk calls into US call centers surged by 33%, rising from 4.5% in 2023 to 6.0% in 2024.
- This coincides with 43% of knowledgeable business leaders indicating fraudsters increased their attacks on call centers over the past year.
- Understanding the Risk: Call centers and internal help desks often handle sensitive requests, including password resets, account changes, and information verification. These actions provide direct pathways for account takeover if compromised. The pressure on agents to provide quick support can conflict with rigorous security protocols, creating vulnerabilities that fraudsters exploit through social engineering and impersonation. The report also notes the specific risk posed by non-fixed VoIP calls, which are harder to trace and showed a high percentage of fraud risk.
How to Ensure Identity Assurance for Your Organization
The insights from the TransUnion report demand a fundamental shift in how organizations approach identity security. Reactive measures and outdated techniques are insufficient. The goal must be Identity Assurance: establishing ongoing, high confidence in a user's identity across their entire journey through orchestrated, risk-appropriate verification.
1. Adopt Identity Verification Solutions with Journey Orchestration
Given that even physical IDs can be compromised and personal knowledge is widely available, modern IDV must be dynamic and context-aware.
- Move Beyond Static Checks: Merely scanning a driver's license is no longer enough. Effective solutions must layer multiple verification techniques. This includes document authentication (checking security features and validating the document against a reliable database), biometric verification (matching a live selfie to the ID photo), liveness detection (crucial for preventing spoofs that use photos or videos), and potentially cross-referencing with trusted data sources or device intelligence.
- Orchestrate Based on Risk: Not all interactions carry the same risk. Identity verification shouldn't be one-size-fits-all. Implement solutions that allow for fine-grained policies based on the specific action (e.g., onboarding vs. login vs. password reset), the user's privilege level, and real-time risk signals (like device health or location).
2. Knowledge-Based Authentication (KBA) is Broken
The data is clear: KBA is fundamentally broken. The sheer volume of breached PII, combined with the power of AI to gather and correlate information, makes relying on secret questions a critical vulnerability.
- Embrace Stronger Factors: Organizations must transition to phishing-resistant authentication methods. This includes passwordless, FIDO-certified authenticators like device-based biometrics or security keys, which prove possession of a trusted factor rather than relying on easily compromised knowledge.
- Secure Recovery: Critically, this applies to recovery processes too. Using KBA for account recovery negates investments in strong primary authentication. Secure recovery must leverage other verified, phishing-resistant factors.
3. Harden Call Center and Help Desk Interactions
The sharp rise in high-risk calls targeting support channels necessitates specific countermeasures.
- Empower Agents with Better Tools: Equip support staff with integrated tools that provide stronger identity verification methods than simply asking KBA questions or trusting caller ID.
- Implement Risk-Based Authentication: For high-risk requests (like credential resets or changes to sensitive account information), trigger strong step-up authentication challenges that cannot be easily socially engineered. This could involve pushing a notification to a user's registered and trusted device for biometric approval.
- Orchestrate High Risk Workflows: Implement workflows that escalate high-risk verification scenarios. This might involve requiring approval from an employee's pre-verified manager through a secure channel or routing the interaction to a specialized risk team equipped with advanced verification tools.
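The risk-based policy described in sections 1 and 3, worked through for help desk requests. This is an added example, not HYPR's product code and not taken from the TransUnion report; the factor labels, weights, thresholds and the `SupportRequest` and `decide` names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed labels and weights for illustration; tune to your environment.
WEAK_FACTORS = frozenset({"kba", "caller_id", "document_scan"})
STRONG_FACTORS = frozenset({"fido_security_key", "device_biometric_push"})
HIGH_RISK_ACTIONS = frozenset({"password_reset", "mfa_reset", "account_change"})
STEP_UP_AT, ESCALATE_AT = 2, 5

@dataclass(frozen=True)
class SupportRequest:
    action: str
    privileged: bool = False
    line_type: str = "mobile"          # "landline", "mobile" or "non_fixed_voip"
    device_trusted: bool = True        # registered device available and healthy
    verified: frozenset = frozenset()  # factors the agent has already checked

def risk_score(req):
    """Sum risk signals. A matching caller ID or a correct KBA answer never
    lowers the score, because both can be spoofed or bought."""
    score = 0
    score += 2 if req.action in HIGH_RISK_ACTIONS else 0
    score += 2 if req.privileged else 0
    score += 2 if req.line_type == "non_fixed_voip" else 0
    score += 1 if not req.device_trusted else 0
    return score

def decide(req):
    """Return (outcome, ignored_factors); outcome is allow, step_up or escalate."""
    ignored = sorted(req.verified & WEAK_FACTORS)
    strong = req.verified & STRONG_FACTORS
    score = risk_score(req)
    if score < STEP_UP_AT:
        return "allow", ignored
    if score >= ESCALATE_AT:
        return "escalate", ignored     # manager approval or risk team
    if strong:
        return "allow", ignored
    # No strong factor yet: push to the registered device if there is one we
    # trust, otherwise there is nothing safe to step up to.
    return ("step_up" if req.device_trusted else "escalate"), ignored
```

Weak factors are reported back as ignored rather than counted, so an agent can see that a correct KBA answer did not move the decision.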
Upgrade Your Security Posture with Identity Assurance
The TransUnion H1 2025 State of Omnichannel Fraud Report serves as a stark reminder: identity is the new security perimeter, and it's under constant attack. The rise in compromised identity documents, the blatant failure of KBA, and the relentless targeting of support channels demand immediate action.
Organizations can no longer afford incremental improvements to outdated security models. A paradigm shift towards proactive Identity Assurance is essential for survival and growth. This means embedding strong, phishing-resistant identity verification across the entire user lifecycle, orchestrating verification based on risk, and eliminating reliance on easily compromised factors like passwords and shared secrets.
Discover HYPR’s Identity Assurance Platform
HYPR, The Identity Assurance Company, is built to address these modern challenges head-on. Our platform delivers FIDO-certified, passwordless MFA, integrates high-assurance identity verification methods, and enables sophisticated journey orchestration to ensure the right users gain access, securely recover accounts, and interact safely across all channels, including vulnerable support touchpoints.
Don't let legacy vulnerabilities dictate your security posture. Embrace Identity Assurance and build a resilient defense against the evolving threats highlighted by TransUnion.
Key Takeaways:
1. Static Identity Verification is Obsolete
Reliance on physical IDs or static document scans is increasingly insecure because of the volume of stolen PII and credentials available online. Identity verification must use a multi-layered approach that includes biometrics, liveness detection, and real-time risk assessment.
2. Knowledge-Based Authentication is Broken
Breached data and data aggregated by AI have rendered knowledge-based authentication nearly useless. Organizations must adopt phishing-resistant factors like biometrics and FIDO2 passkeys.
3. Call Centers and Helpdesks Are the New Frontline
The rise in spoofed calls and VoIP abuse raises the fraud risk for both call centers and help desks. Organizations must implement risk-based step-up authentication and use tools that provide more secure identity verification methods.
4. Identity Assurance is the New Standard
The security focus must shift from one-time, static checks to continuous identity assurance across the user journey. Modern IDV solutions must be adaptive and risk-aware to meet the challenges of the current threat landscape.