Think about what actually happens when you hand over a car. Someone shows a driving licence, maybe a passport, taps a card, and drives off in an asset worth twenty, thirty, fifty thousand euros. The whole deal rests on one assumption: that the person is who the document says they are. For the vast majority of renters, that assumption holds. For a small and growing minority, breaking it is the entire point.

That minority has better tools than it used to. A fake driving licence no longer means a clumsy laminate you can spot across the desk. It can mean an AI-generated image ordered online for the price of a tank of fuel, or a real stolen identity wrapped around a stolen card. This guide sets out what's actually documented about identity fraud in car rental in 2026 — the numbers, the methods, the cases that reached a courtroom — and what genuinely works against it.

One thing up front, because it shapes everything that follows. A lot of the loudest numbers in this field come from companies that sell fraud-prevention software. That doesn't make them wrong, but it does mean you should know who's counting. So I label every source: law-enforcement or official, standards body, or commercial vendor. Where I only have a vendor's word for a figure, I say so. And where a number is genuinely solid — a guilty plea, a police operation — I lean on that instead.

In brief

Fake-ID attempts against car businesses are rising. The share of fake IDs caught at automotive customers (car dealers and rental firms, combined) rose 21 % since December 2024, on more than 5 million IDs scanned in 2025 (vendor: IDScan.net, January 2026).
AI fake IDs are cheap and scale fast. The operator of "OnlyFake" pleaded guilty to selling more than 10,000 digital fake IDs for as little as $15 each, with bulk packs of up to 1,000 at a time, covering documents from 50+ countries (official: U.S. Department of Justice, 2026).
Law enforcement sees deepfakes going mainstream. Europol warns that deepfake technology could become a "staple tool" for organised crime, including document fraud by morphing faces to pass identity checks (official: Europol).
Onboarding checks alone are not enough. Around 70 % of fraud incidents happen after the identity verification step (vendor: Sumsub) — the risk doesn't end when the contract is signed.
The defence is layered, and it's testable. Document authentication, plus a biometric face-match with liveness detection tested against the ISO/IEC 30107-3 standard (via NIST/iBeta-accredited labs), plus database checks, plus monitoring during the rental.

Why your counter is a target

Most fraud follows the money, and car rental sits on an unusually tempting pile of it. You routinely release a high-value, mobile, resaleable asset to someone you met minutes ago, on the strength of a document and a card. That combination — high value, high liquidity, low friction — is exactly what organised fraud looks for.

The playbook isn't mysterious. Verification vendors and law enforcement describe the same handful of patterns: rent a car with a stolen or fake identity and a stolen card, then drive it long distances, sell it abroad, or strip it for parts (vendor: Sumsub, "Trust on the Move", April 2026). Europol has documented organised crime groups that procure and distribute forged ID and travel documents across borders, and notes that counterfeiters buy or rent vehicles using fake papers (official: Europol). There's also a quieter, more everyday version: someone under the minimum age, or with a suspended licence, using an altered document to get behind the wheel.

None of this is unique to any one country, which is rather the point. The asset is mobile, the documents travel, and the fraud travels with them.

The threat in numbers — and who's actually counting

Here's the honest state of the evidence. Car-rental-specific fraud statistics are thin, and most of what exists comes from vendors measuring their own traffic. I'll give you the best figures available, with that caveat attached to each.

The most rental-adjacent hard number comes from IDScan.net, a document-verification vendor. Across its automotive customers — and this bundles car dealerships together with rental firms, so it is not rental on its own — the share of fake IDs detected rose 21 % since December 2024, drawn from more than 5 million IDs scanned in 2025 (vendor: IDScan.net, press release, 6 January 2026). Treat it as a direction of travel for the sector, not a rental-only rate.

On the documents themselves, Sumsub's mobility analysis breaks down the fakes it catches: of detected fraudulent documents, 72 % were ID cards, 13 % passports and 10 % driving licences (vendor: Sumsub, Identity Fraud Report 2025). The same source puts account takeover at 19 % of third-party fraud in 2025 across ride-hailing, car-sharing and micromobility, and — the figure I'd pin above your screen — finds that roughly 70 % of fraud incidents happen after the verification check (vendor: Sumsub, April 2026). In other words, a clean ID at pickup is necessary, not sufficient.

For scale, the U.S. automotive picture is blunt: Experian's automotive data has 85 % of dealers saying they know or suspect fraud in the past 12 months (vendor: Experian, via Sumsub) — again, dealers rather than rental, and the U.S. rather than Europe, but a useful sense of how normalised this has become on the retail side of cars.

You'll also see eye-watering deepfake projections in the trade press — single-vendor forecasts of several-hundred-percent jumps in a single year. I'm leaving those out. They're unverifiable, they come from one company each, and they don't survive the editorial test for this blog. The qualitative warning from Europol below does the same job without the false precision.

How the fraud really works

Strip away the jargon and there are four recurring methods. They're not exotic; they're industrialised.

The altered or counterfeit physical document. The classic: a tampered or wholly fake driving licence presented at the desk. What's changed is the supply. The "OnlyFake" service sold AI-generated identity documents — driving licences and passports — for as little as $15, and could spin up dozens or hundreds at once from a spreadsheet. Its operator pleaded guilty in the United States to selling more than 10,000 fake IDs covering 50-plus countries, having taken hundreds of thousands of dollars between roughly 2021 and 2024 (official: U.S. Department of Justice, Southern District of New York, 2026). The relevance to a rental desk isn't the crypto exchanges OnlyFake was built to fool; it's the price and the volume. Convincing fakes are now a commodity.

The stolen-but-real identity. Here the document is genuine, or genuinely good, and belongs to a real person who isn't in the room — usually paired with stolen card data so the charge sticks long enough to drive away. This is the version behind most "rent, vanish, export" losses, and it's the one a sharp-eyed counter clerk is least likely to catch, because nothing about the document is wrong.

The synthetic identity. A fabricated person, stitched together from a mix of real and invented details, built up over time to look legitimate. Sumsub reports that synthetic-identity attack rates in auto lending in 2025 were almost double their 2020 level (vendor: Sumsub) — adjacent to rental, and a sign of where patient, organised fraud is heading.

The deepfake or morphed face. As more verification moves to a phone camera, the attack moves with it. Europol's innovation lab flagged that deepfakes and digitally manipulated facial images open a new route for document fraud, combining or "morphing" two faces so a single photo can pass for two different people, and warned the technology could become a staple tool for organised crime (official: Europol, Facing reality?, 2022). Its EU Serious and Organised Crime Threat Assessment goes further, describing criminal networks using AI to automate fraud at scale (official: Europol, EU-SOCTA 2025). The cutting edge isn't holding a photo up to a camera anymore; it's injecting a synthetic video straight into the verification feed.

What it looks like when it reaches a courtroom

Abstract numbers land better with a concrete case or two. These are vehicle-fraud prosecutions rather than rental specifically, but they show the same engine at work — a fake driving licence used to get a car that isn't yours.

In November 2025, Surrey Police reported the sentencing of an organised crime group that handled and cloned more than 50 stolen vehicles worth over £1 million between 2022 and 2024. The method: receive a stolen car, swap the plates, alter the VIN, then deceive dealerships into buying it using fake driving licences and other documents. One member was sentenced to six years; the charges included possession of identity documents with intent (official: Surrey Police, November 2025). Earlier, Hertfordshire Constabulary saw 16 people sentenced over a £2 million car-finance fraud in which members were handed fake identity documents to take out fraudulent credit agreements and collect cars from car parks (official: Hertfordshire Constabulary, 2024).

On the document-supply side, Europol supported French and Spanish investigators in dismantling a network producing and distributing forged ID and travel documents across France, Germany, Italy and Spain (official: Europol). The fake licence at your desk doesn't come from nowhere. It comes from an operation like that one.

Stopping it: defence in layers

No single check stops a determined, well-equipped fraudster. The thing that works is layering, so that a method which beats one control runs into the next. Here's the stack, from document to behaviour.

Authenticate the document, not just glance at it. Modern verification reads a document's security features, checks the machine-readable zone, and — on e-passports and the newer e-ID cards — reads the NFC chip, which is far harder to forge than the printed surface. AI-assisted forgery detection looks for the tell-tale artefacts of generated or edited images. This is the layer the cheap fake-ID services are built to beat on sight, which is exactly why it can't be the only one.

Match the document to the living person in front of it. A biometric face-match links the document photo to a selfie, and liveness detection confirms that selfie is a real, present human rather than a photo, a mask or a deepfake. This layer is measurable, which is its great virtue. The international standard ISO/IEC 30107-3 defines how to test "presentation attack detection", and independent labs such as iBeta — accredited by NIST/NVLAP — run those tests, reporting error rates like APCER and BPCER (standards: ISO/IEC; NIST). When you evaluate a verification tool, ask which ISO/IEC 30107-3 level it has passed and against what attacks. A serious lab test throws silicone masks, 3D-printed faces and AI deepfakes at the system in their thousands.

Check the identity against the wider world. Depending on your market and obligations, that can mean validating the driving-licence number and entitlement where an official check exists, screening against sanctions or known-fraud lists, and flagging duplicate or previously-abused identities. Device, network and behavioural signals — a freshly created account, a mismatched location, an impossibly fast form-fill — add context the document can't.

Don't stop at pickup. Remember the figure worth pinning up: roughly 70 % of fraud incidents happen after verification (vendor: Sumsub). A held deposit or card authorisation, telematics and geofencing that notice a car heading for a port it has no business visiting, and a real return process all extend the defence across the whole rental, not just its first thirty seconds.

Back it with people and habits. The counter still matters. Staff who are trained to feel a document, to check the name on the card against the name on the licence, and to register the small wrongness of someone in a hurry to skip a step — they catch things software misses. Photographing the renter with their licence at handover, and again at return, ties a real face to a real contract.

Where PASS2RENT fits, and where it doesn't

Several of those layers are exactly what a contactless rental platform is built to run. PASS2RENT's driver app handles identity verification with document checks, a biometric face-match and liveness detection before a car is released, captures an eight-point photo inspection that ties the renter and the vehicle's condition to the contract, and takes an e-signature; the admin console keeps driver verification, contracts and fleet telematics in one place, so the "after pickup" layer isn't an afterthought.

Now the honest part, because I'd rather you trust the rest of the article. No verification system catches everything, and anyone who promises a 100 % fraud-proof check is selling you the very overconfidence fraudsters rely on. A platform raises the cost and lowers the odds; it does not abolish risk. Nor is PASS2RENT a legal, insurance or compliance adviser — your fraud policy, your KYC obligations and your acceptance decisions remain yours. What software does is make the layered defence above practical to run on every rental, including the ones at 2 a.m. when no one is at the desk.

The bottom line

The uncomfortable truth is that the document at your counter has never been easier to fake, and the person presenting it has never been cheaper to invent. The reassuring truth sits right next to it: the defences are well understood, increasingly automated, and — in the case of liveness — independently testable against a published standard. You don't need to believe a vendor's scariest slide. You need document authentication, a face-match with certified liveness, a few sensible database checks, and the discipline to keep watching after the keys change hands. Do that, and you make your fleet a worse target than the agency down the road — which, in fraud, is most of the battle.

Want to see how driver verification, face-match and digital handover work on a single contactless flow? Book a PASS2RENT demo.

FAQ

How common is identity fraud in car rental, really?

There is no clean, rental-only public figure — most data comes from verification vendors measuring their own traffic, which is why I flag the tier on each number. The most rental-adjacent signal is from IDScan.net: fake IDs detected at automotive customers (dealers and rental firms together) rose 21 % since December 2024, on 5 million-plus IDs scanned in 2025 (vendor: IDScan.net, January 2026). Treat it as a trend for the sector, not a precise rental rate.

Are AI-generated fake IDs actually a real threat or just hype?

They're real and they're cheap. The U.S. Department of Justice secured a guilty plea from the operator of "OnlyFake", a service that sold AI-generated fake driving licences and passports for as little as $15 each — more than 10,000 of them, covering 50-plus countries (official: U.S. DOJ, 2026). The price and volume are the story: convincing fakes are now a commodity, not a craft.

What is "liveness detection" and why does it matter?

It's the check that confirms the face in front of the camera is a real, present person rather than a photo, a mask or a deepfake video. It matters because remote, contactless verification is exactly where deepfake attacks land. Crucially, it's testable: the ISO/IEC 30107-3 standard defines how to measure presentation-attack detection, and NIST/iBeta-accredited labs run those tests (standards: ISO/IEC; NIST). Ask any vendor which level they've passed.

Is checking the ID at pickup enough?

No. Roughly 70 % of fraud incidents occur after the verification step (vendor: Sumsub), so a clean ID at handover is necessary but not sufficient. A deposit or card authorisation, telematics and geofencing during the rental, and a proper return process extend the defence across the whole booking.

We're a small agency — isn't this only a big-operator problem?

The asset and the method don't care about your size. A car is a car, and a fake driving licence works the same at a two-branch agency as at an airport desk. The good news is that the layered defence — document authentication, certified liveness, basic database checks, monitoring during the rental — is now available as software rather than a fraud team, which is what puts it within reach of a small operator.

The answers in this FAQ rely on the same sources as the rest of the article (see below).

PASS2RENT driver mobile app — contactless identity verification, face-match and digital handover.
PASS2RENT admin console — driver verification, digital contracts and fleet telematics in one place.

Sources

Official / law-enforcement

U.S. Department of Justice, Southern District of New York — "Creator of 'OnlyFake' charged and pleads guilty to selling more than 10,000 digital fake identification documents" (AI-generated fake IDs from $15; 50+ countries): https://www.justice.gov/usao-sdny/pr/creator-onlyfake-charged-and-pleads-guilty-selling-more-10000-digital-fake
Europol — "Facing reality? Law enforcement and the challenge of deepfakes" (Europol Innovation Lab, 2022; deepfakes as a staple tool for organised crime, document fraud via face morphing): https://www.europol.europa.eu/media-press/newsroom/news/europol-report-finds-deepfake-technology-could-become-staple-tool-for-organised-crime
Europol — EU Serious and Organised Crime Threat Assessment (EU-SOCTA 2025; AI-enabled, automated fraud at scale), in Europol's main reports: https://www.europol.europa.eu/publications-events/main-reports
Europol — "Criminal network distributing fake documents busted" (forged ID and travel documents across FR/DE/IT/ES): https://www.europol.europa.eu/media-press/newsroom/news/criminal-network-distributing-fake-dark-web-documents-busted
Surrey Police — "Crime gang who handled over £1 million worth of stolen cars sentenced to prison" (fake driving licences used to deceive dealerships), November 2025: https://www.surrey.police.uk/news/surrey/news/2025/11---november/crime-gang-who-handled-over-1-million-worth-of-stolen-cars-sentenced-to-prison/
Hertfordshire Constabulary — "Sixteen sentenced for £2 million car finance fraud" (fake identity documents), 2024: https://www.herts.police.uk/news/hertfordshire/news/2024/april-2024/sixteen-sentenced-for-2-million-car-finance-fraud/

Standards bodies

ISO/IEC 30107-3 — Biometric presentation attack detection, Part 3: Testing and reporting (APCER/BPCER metrics) — methodology overview hosted by NIST: https://www.nist.gov/system/files/documents/2020/09/15/12_buschthieme-ibpc-pad-160504.pdf
iBeta Quality Assurance (NVLAP-accredited by NIST) — ISO/IEC 30107-3 Presentation Attack Detection testing: https://www.ibeta.com/iso-30107-3-presentation-attack-detection-confirmation-letters/

Commercial vendors (figures reported by companies that sell verification/fraud tools — read as such)

IDScan.net — "Fake ID presentments to dealerships & car rental companies jump 21%" (5M+ IDs scanned at automotive customers in 2025; combines dealers and rental), 6 January 2026: https://idscan.net/press-release/rising-tide-fake-id-presentments-to-dealerships-car-rental-companies/
Sumsub — "Trust on the Move: Fraud Prevention and Verification in the Mobility Industry" (document-type breakdown 72/13/10; account takeover 19%; ~70% of fraud after verification; rent-and-export modus operandi), April 2026: https://sumsub.com/blog/fraud-prevention-idv-mobility/
Sumsub — Identity Fraud Report 2025-2026 (methodology and global fraud trends): https://sumsub.com/blog/guides-reports/identity-fraud-report-2025-2026/
Experian — Automotive fraud data (85% of U.S. dealers know or suspect fraud), via Sumsub: https://www.experian.com/blogs/insights/ai-fake-id/

Data verified in June 2026. This article is for information and professional education; it is not legal, insurance or compliance advice. Figures from commercial vendors are attributed to their source and date and do not carry the weight of an official statistic; vendor projections that could not be independently verified have been deliberately left out. Verify the latest data before making decisions.

Who's really renting your car? Identity fraud, fake IDs and deepfakes in 2026