The British identity-fraud market is not collapsing, and it is not exploding. It is reorganising. Cifas, the not-for-profit that runs the National Fraud Database, has logged around 230,000 cases of identity-related fraud each of the last several years, with a slow upward drift through 2024 and 2025. The 2026 picture, judging by first-quarter data from member banks, looks much the same: a steady tide, not a wave.

That stability hides a lot of movement underneath. Attacks that defined the 2010s have effectively died. Others, barely imaginable five years ago, are now routine. The useful question for anyone living in the UK in 2026 is not is identity theft worse, but which version of it is currently aimed at me.

The numbers, briefly

Cifas' 2025 Fraudscape report counted roughly 232,000 cases filed to the National Fraud Database, over 70 per cent of them identity-related. Action Fraud took in losses north of £2.3 billion across all fraud categories in the same year. UK Finance puts authorised push-payment losses alone at over £450 million annually. Most of that money is never recovered.

Two things stand out underneath. Victims are getting younger: under-21s now make up the fastest-growing demographic in Cifas' identity-misuse data, mostly through money-mule recruitment dressed up as part-time work. And the average value per fraudulent application is climbing — fewer attempts, larger asks.

What is rising

Three categories are driving almost all of the growth, and they share a common ingredient: they require detailed personal data that has to come from somewhere upstream.

Synthetic identity fraud. A fraudster pairs a real National Insurance number with a real address the legitimate holder no longer lives at, attaches a plausible date of birth, and applies for credit as a person who does not exist. The file is built deliberately over twelve to eighteen months — small loans paid on time, a phone contract, a basic credit card — before being cashed out in one coordinated push. Cifas began breaking this out as its own category in 2024 and the volume roughly doubled into 2025.

AI-cloned voice phishing of elderly relatives. Thirty seconds of audio scraped from a TikTok or a voicemail greeting is enough to clone a convincing voice. The script — Mum, I've lost my phone, can you send the money to this account — has not changed. The delivery has. Forces in the West Midlands and Greater Manchester both flagged sharp increases through 2025.

BEC against small Ltd. companies. Business email compromise was once a FTSE 250 problem. In 2026 it is squarely a small-business one: a five-person consultancy, a family construction firm, a single-director Ltd. doing six-figure invoicing. The fraudster sits on the inbox for weeks, learns the cadence, then intercepts an invoice and substitutes the bank details. Average loss per incident, per UK Finance, is now well above £20,000.

The stable headline number hides a sharp rotation underneath. The frauds that worked in 2018 are mostly dead. The frauds working now did not exist then.

What has died

It is worth naming the threats that no longer warrant much of your attention, because the consumer-press narrative has not caught up.

Physical bank-card cloning is effectively over. Chip-and-PIN, contactless tokenisation and the migration to mobile wallets have killed the magnetic-stripe skimmer as a meaningful UK threat. The few remaining cases tend to involve tourists' US-issued cards cloned and used in jurisdictions that still accept stripe-only transactions.

Crude email phishing barely lands. Microsoft, Google and the major UK ISPs filter out the vast majority of generic phishing before it touches an inbox. What gets through and works is targeted — a fake HMRC self-assessment reminder in late January, a fake DVLA refund in March — and works because it is specific and seasonal, not because email security is broken.

What to watch in 2026 and 2027

Two emerging vectors deserve attention now, before they become next year's headline.

Deepfake video bypass of remote KYC. Several UK neobanks rely on a "video selfie" liveness check to open accounts. The 2025 generation of open-source video models can already defeat the simplest of these given a few real photographs of the target. Veriff and Onfido have responded with active-challenge protocols, but the arms race is live.

Companies-House data as an attack input. Director names, partially redacted dates of birth, service addresses and historical filings are all public. Combined with a leaked email and a stolen utility-bill PDF, they are enough to open a business bank account in a real director's name at a challenger bank with thinner controls. The Economic Crime and Corporate Transparency Act tightened verification in 2024, but legacy data remains exposed.

The defensive baseline that still works

None of the defences below are new. All of them remain genuinely effective in 2026, which is the only reason to repeat them.

  • Passkeys, not passwords. Where a service offers one (Apple, Google, most major banks, increasingly HMRC), use it. Phishing-resistant by design.
  • App-based 2FA, not SMS. SIM-swap fraud has not gone away. An authenticator app or hardware key removes your mobile carrier from the security model.
  • Cifas Protective Registration. If you have already been victimised, lost your wallet, or had a breach involving your full name and date of birth, the £30 two-year registration adds a manual verification flag to applications made in your name. The single highest-leverage defensive purchase available to a UK consumer.
  • Freeze your credit file. Experian, Equifax and TransUnion all offer it. Free, reversible, and largely unknown to the British public.
  • Annual credit-report check. Twenty minutes once a year catches almost every synthetic-identity attempt before it matures.

Where data brokers fit in

Each of the rising threats — synthetic ID, voice cloning, BEC, KYC bypass — relies on raw material the fraudster did not generate themselves. They bought it, scraped it, or pulled it from a breach corpus, but somewhere upstream it came from a marketing data broker, a people-search site, or an identity-resolution feed.

Removing yourself from those feeds will not stop a determined attacker who has already chosen you. It does take you out of the bulk-prospect lists that fuel the volume end of the market — the cold-call scripts, the SIM-swap target packs, the synthetic-ID seed sets. It is not a silver bullet. It is a quiet, structural reduction in the surface area someone else is selling on your behalf.

If you would rather have that done for you, Nox Æterna handles 150+ UK and US brokers in one £89 payment, with PDF proof at 90 days. No login, no subscription, no future emails.