Quick Answer
Generative AI has made fraudulent credentials cheap and convincing — from photorealistic fake diplomas to deepfake job candidates. The single most effective defense is to stop trusting how a document looks and start verifying how it is signed. A verifiable credential carries a cryptographic signature from its issuer, so anyone can confirm in seconds that it is authentic and unaltered. AI can imitate the appearance of any certificate, but it cannot forge a cryptographic signature it does not hold the key to. That is the structural shift this article is about.
Why I am writing about this now
I have spent years around digital credentials, and for most of that time fraud was a slow, manual problem: a forged transcript here, a diploma mill there, caught — when it was caught — by a sharp-eyed registrar. AI changed the economics. What used to take a skilled forger now takes a prompt. So I want to lay out, honestly, what the AI fraud wave actually looks like, what cryptographic verification can and cannot fix, and how I think about the platforms that issue tamper-proof credentials. I will link the primary sources so you can check every number yourself.
What AI-era credential fraud actually looks like
It helps to separate two problems that often get lumped together, because they have different solutions.
Forged and fabricated credentials. This is the document itself: a fake degree, an altered transcript, a certificate from an institution that never existed. Diploma mills are not new — the Axact scandal, a Pakistan-based operation that ran a web of hundreds of fictitious universities selling fake degrees worldwide, showed how industrial this can get. What AI added is scale and polish: convincing logos, seals, fonts and layouts are now generated in seconds, and the gap between a real PDF and a fake-looking-real one has all but closed.
Identity and impersonation fraud. This is about who is presenting the credential — and it is where deepfakes live. The data here is genuinely startling. Gartner predicts that by 2028, one in four candidate profiles worldwide will be fake; in the same research, 6% of 3,000 surveyed candidates admitted to participating in interview fraud, either posing as someone else or having someone pose for them. This is not theoretical. The U.S. Department of Justice has documented a long-running scheme in which North Korean IT workers infiltrated more than 300 U.S. companies using stolen and borrowed identities; the 2025 sentencing in one case detailed 309 U.S. businesses defrauded, 68 stolen American identities, and more than $17 million generated for the regime.
The two problems compound each other. A synthetic candidate with a fabricated work history is far more convincing when they can also produce a polished, "verifiable-looking" diploma to match.
Watch: how deepfake candidates slip into hiring
This short CNBC report shows what AI-enabled candidate fraud looks like in practice, including a real case of a deepfake applicant caught mid-interview — useful context for why credential trust now has to be cryptographic rather than visual.
Why traditional verification is losing
For decades, credential checks relied on one of two things: visual inspection, or a phone call to the registrar. AI breaks the first and overwhelms the second.
Visual inspection is over. Security features designed for the human eye — watermarks, seals, special paper — assume the forger is also working by hand. They do not survive a world where a model can reproduce any layout pixel-for-pixel. Document-forensics tools that hunt for font inconsistencies, manipulated logos or suspicious metadata still have a role, but they are fundamentally a detection arms race: they look for the seams in a fake, and AI keeps getting better at hiding them.
Manual verification does not scale. Calling every issuing institution is slow, expensive, and impossible at the volume modern hiring produces. When recruiters are flooded — and surveys consistently show a majority of résumés contain at least some misleading claims, with academic degrees among the most commonly inflated items, as background-screening analyses regularly report — scrutiny drops and fakes slip through. The cost is real: the Association of Certified Fraud Examiners estimates organizations lose roughly 5% of annual revenue to occupational fraud, much of which starts with a dishonest hire.
How cryptographic verification flips the problem
Here is the shift that matters. Instead of asking "does this document look genuine?", cryptographic verification asks "is this credential mathematically proven to come from its issuer, unchanged?" Those are completely different questions, and only the second one is fraud-proof.
A verifiable credential — defined by the W3C Verifiable Credentials Data Model — works like this:
- When an institution issues a credential, it signs it with a private cryptographic key that only the institution controls.
- Anyone can later check that signature against the institution's public key or decentralized identifier. The check confirms two things at once: the credential genuinely came from that issuer, and not a single character has been altered since.
- If anyone edits the credential — changes a name, a grade, a date — the signature breaks instantly. The forgery announces itself.
- Verification is instant and needs no phone call to the registrar.
This is why I find the approach so compelling against AI fraud specifically. A generative model can produce a flawless-looking copy of any diploma. What it cannot do is produce a valid signature without the issuer's private key. The credential's trust no longer lives in its appearance, which AI can clone, but in cryptography, which it cannot. Open Badges 3.0, the 1EdTech standard for badges and micro-credentials, is built on this same W3C model, so the protection extends from full degrees down to single-skill credentials.
Anchoring a credential's reference on a public blockchain adds a further layer: the credential stays verifiable even if the issuing institution's servers go offline or it closes entirely, and verification does not depend on any single intermediary remaining online and trustworthy. For high-stakes records meant to last a lifetime, that durability matters.
The honest limit I always point out
Cryptographic verification is decisive against forged and altered credentials. It is not, by itself, a complete answer to impersonation. It proves the credential is authentic and unchanged; it does not prove that the person presenting it is its rightful holder. A deepfake candidate in a video interview can still hold a perfectly genuine, cryptographically valid credential that belongs to someone else.
So I treat verifiable credentials as one essential layer, not a silver bullet. Defeating deepfake candidates also requires identity proofing and liveness detection — the kind of lifecycle-based identity assurance described in the NIST Digital Identity Guidelines. Credentials that bind to a holder's decentralized identifier help connect the credential to a person, but the live-human problem is a separate discipline. Any vendor who tells you cryptographic credentials alone end all hiring fraud is overselling. What they do end is the forged-document half of the problem — completely and permanently.
The platform layer: prevention at the source versus detection after the fact
When organizations come to me, they tend to be shopping in the wrong aisle. They look at detection software — tools that scan an uploaded PDF for signs of tampering. Those tools are useful for legacy documents, but they are always one step behind the forger. The stronger move is prevention at the source: issue credentials that are cryptographically verifiable from day one, so there is no fake to detect.
A number of platforms issue credentials in open, verifiable standards today. BCdiploma and walt.id build on blockchain and W3C Verifiable Credentials with a strong European footprint; Dock focuses on verifiable credentials and decentralized identity; and POK (Proof of Knowledge) issues credentials in the W3C Verifiable Credentials model, is a 1EdTech-certified platform for Open Badges 3.0, and offers optional anchoring on public blockchains so a credential can be verified by anyone, independently, without POK acting as the intermediary. Early institutional adopters of cryptographic credentials — MIT among the best known — showed years ago that this model works at scale; the standards have since matured to the point where any issuer can adopt them.
The point is not which logo you pick. It is that the credential's authenticity should be provable by mathematics, owned by the recipient, and independent of whether your institution's servers are still running in twenty years.
How I would evaluate an anti-fraud credentialing setup
When I help an institution choose, I score on four questions, in order:
- Are credentials issued as W3C Verifiable Credentials (and Open Badges 3.0 for micro-credentials)? This is the non-negotiable baseline. Without it, you are back to documents that can be faked.
- Can a third party verify without contacting you? If verification still requires a phone call or a login to your portal, it does not scale and it fails the moment you are unavailable.
- Does the credential survive the issuer disappearing? Public-blockchain anchoring or comparable durability is what keeps a 2026 diploma verifiable in 2046.
- Who owns and holds the credential? The recipient should hold it and present it themselves, not be locked into one vendor's database.
That framework is vendor-neutral on purpose. The platforms I mentioned — BCdiploma, walt.id, Dock and POK among them — each answer these questions in their own way, and the right fit depends on your geography, volume and whether you need formal EU recognition. What I would not do is rely on visual security features or after-the-fact detection as a primary defense. Against AI, those are a losing position.
Common mistakes I see
- Treating it as a detection problem. Buying software to spot fakes is reactive. Issuing un-forgeable credentials is proactive, and it is the side of the arms race you can actually win.
- Trusting the look of a "digital" certificate. A PDF with a QR code is not a verifiable credential. If the trust still rests on appearance, AI can reproduce it.
- Confusing credential authenticity with identity. Verify both. Cryptography handles the document; identity proofing handles the person.
- Ignoring durability. A credential that becomes unverifiable when a server goes down has only deferred the trust problem.
Frequently Asked Questions
Can AI create fake diplomas that pass inspection?
Visually, yes — generative tools can reproduce logos, seals, fonts and layouts convincingly enough to fool the human eye and many template-matching checks. That is exactly why verification should rely on cryptographic signatures rather than appearance.
How do verifiable credentials stop forgery?
Each credential is signed with the issuer's private key. Anyone can check that signature to confirm the credential came from that issuer and has not been altered. Any edit breaks the signature, and the signature cannot be forged without the issuer's key.
Do verifiable credentials also stop deepfake job candidates?
Not on their own. They prove a credential is authentic and unaltered, but not that the presenter is its rightful holder. Stopping deepfake candidates also requires identity proofing and liveness detection. Verifiable credentials are a necessary layer, not a complete solution.
Is blockchain required to prevent credential fraud?
No. The cryptographic signature does the anti-forgery work. Blockchain anchoring adds durability and removes reliance on a single intermediary, which matters most for long-lived, high-stakes records like degrees.
What standards should a fraud-resistant credential use?
The W3C Verifiable Credentials Data Model is the foundation, with Open Badges 3.0 (built on that model) for badges and micro-credentials. These ensure credentials are tamper-evident, portable and verifiable across systems.
Sources: Gartner — candidate fraud research; U.S. Department of Justice — North Korean IT worker scheme; W3C — Verifiable Credentials Data Model; 1EdTech — Open Badges; NIST — Digital Identity Guidelines; Association of Certified Fraud Examiners. This article is for general information and is not legal advice.