Why a "genuine" passport is now a security risk

If a passport is issued by the government, has a valid hologram, and passes a UV light test, we naturally assume it is safe to trust.
For years, a "genuine" document was the ultimate proof of identity. But in our recent webinar, Compliance Leaders vs Fraudster, we learned why relying on the physical document is now a dangerous blind spot.
We were joined by Alex Wood, a man with a unique CV. For 25 years, Alex was a career criminal, committing everything from identity fraud to multi-million-pound bank scams. Today, he has turned his life around. As a "poacher turned gamekeeper," he now works with the Home Office and police forces to help stop the very crimes he used to commit.
During the session, Alex introduced us to a concept that turns traditional verification on its head: the FOG document.
What is a FOG document?
FOG stands for Fraudulently Obtained Genuine.
Unlike a fake passport, which is a counterfeit document created by a criminal, a FOG passport is a real document issued by His Majesty's Passport Office. It has the correct watermarks, the correct paper quality, and it exists in the government database.
The problem is that the details belong to a vulnerable person, but the photo belongs to the fraudster.
In the webinar, Alex explained exactly how they obtain them.
"The easiest thing to obtain a passport is to go and speak to what we would call a ‘vulnerable person’ ... give them some cash and get them to take out a passport. It's a legitimate passport, it's in their name... but it's our photo."
Alex Wood
By exploiting vulnerable individuals (often addicts or the homeless), criminals can procure high-quality, government-issued ID that allows them to travel, open bank accounts, or instruct law firms under a stolen identity.
Why manual identity checks fail
The existence of these documents breaks the standard "checklist" approach to compliance.
If you are checking a FOG passport manually, or even using basic electronic verification, it will pass, because the document is genuine.
As Alex noted, this method is "frighteningly easy" and creates a document that works at borders and banks alike. Because the fraudster has inserted their photo into the application process before the document was issued, the physical photo on the page looks like the person standing in front of you.
To the naked eye, everything looks perfect.
Why NFC is essential - but not enough
When a passport is issued, the biometric data (including the holder’s facial image) is cryptographically signed and stored on the RFID chip. Reading this chip using a smartphone allows you to access that authoritative, government-signed source of truth.
NFC verification ensures that:
The chip is genuine and unaltered
The data was issued by the legitimate authority
The person presenting the passport matches the biographical and biometric data stored within it
What NFC cannot do is detect a fraudster who successfully obtained a genuine passport under a false identity. If the government issues a passport containing the fraudster’s real biometrics, even if the name belongs to someone else, the chip will still validate correctly.
So NFC doesn’t prevent identity substitution at the issuance stage, but it does provide a level of cryptographic assurance that counterfeit or tampered passports simply cannot pass, something visual checks alone can never guarantee.
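To make that limit concrete, here is an added sketch (not Thirdfort's code or any vendor's implementation) of the chip check: the issuer signs hashes of the chip's data, and the verifier recomputes them before comparing the presenter to the stored image. It assumes an HMAC as a stand-in for the issuer's asymmetric signature and byte equality as a stand-in for face matching; every name and sample value is constructed.

```python
import hashlib
import hmac
import json

# Assumption: HMAC stands in for the issuer's asymmetric signature so the
# example runs on the standard library; real verifiers hold no signing key.
ISSUER_KEY = b"constructed-issuer-key"

def _sign(hashes: dict) -> str:
    blob = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, blob, hashlib.sha256).hexdigest()

def issue_chip(holder_details: str, face: bytes) -> dict:
    """Issuer side: hash each data group, then sign the list of hashes."""
    groups = {"details": holder_details.encode(), "face": face}
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in groups.items()}
    return {"groups": groups, "hashes": hashes, "signature": _sign(hashes)}

def nfc_check(chip: dict, live_face: bytes) -> str:
    """Verifier side: signature, then data integrity, then presenter match."""
    if not hmac.compare_digest(_sign(chip["hashes"]), chip["signature"]):
        return "reject: hashes not signed by issuer"
    for name, data in chip["groups"].items():
        if hashlib.sha256(data).hexdigest() != chip["hashes"].get(name):
            return f"reject: {name} altered after issuance"
    # Assumption: byte equality stands in for a biometric face comparison.
    if chip["groups"]["face"] != live_face:
        return "reject: presenter does not match chip image"
    return "pass"

def run_scenarios() -> dict:
    holder, impostor = b"constructed-face-A", b"constructed-face-B"
    genuine = issue_chip("name=CONSTRUCTED PERSON", holder)
    # Photo swapped on the chip after issuance: stored hash no longer matches.
    swapped = dict(genuine, groups=dict(genuine["groups"], face=impostor))
    # Photo and hash both rewritten: the signature no longer covers the hashes.
    rehashed = dict(swapped, hashes=dict(
        genuine["hashes"], face=hashlib.sha256(impostor).hexdigest()))
    # FOG: the issuer itself signed face B under person A's details.
    fog = issue_chip("name=CONSTRUCTED PERSON", impostor)
    return {
        "genuine": nfc_check(genuine, holder),
        "stolen": nfc_check(genuine, impostor),
        "swapped": nfc_check(swapped, impostor),
        "rehashed": nfc_check(rehashed, impostor),
        "fog": nfc_check(fog, impostor),
    }

if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

The FOG case returns the same result as the genuine one, because every value the verifier checks was produced by the issuer itself.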
Enhanced AML controls beyond a passport check
As fraud tactics evolve, firms cannot rely on the assumption that a genuine passport always equals a genuine client. A FOG passport shows the real risk: criminals can obtain authentic, government-issued documents that still represent a false identity.
That’s why modern onboarding requires more than simply “checking the passport”.
Modern NFC verification solutions, such as Thirdfort’s Enhanced NFC ID check, allow firms to read the cryptographically signed chip inside the passport, the same data used at border control. It confirms the document is genuine, untampered, and that the person presenting it matches the biometrics encoded by the issuing authority.
But that is only one piece of the defence.
To defend against identity substitution, impersonation, FOG passports, and complex fraud typologies, law firms must layer NFC verification with broader due diligence intelligence. The following list is not exhaustive, but highlights key points to consider:
1. Behavioural and situational red flags
These are critical in legal AML because they often reveal risk before any document does.
Inconsistencies in the client’s behaviour or story (nervousness, evasiveness, rehearsed answers).
Lack of expected knowledge.
Unusual urgency or pressure to proceed quickly.
Reluctance to provide information that would normally be routine.
Third-party involvement, speaking on behalf of the client, or acting without clear authority.
2. Known information about the individual and the transaction
This is the AML core: understanding who your client is and why they are doing this transaction.
Source of wealth (SOW) and source of funds (SOF) plausibility, not just documents.
Whether the transaction aligns with what you know about the client’s profile, occupation, history, and financial means.
Whether the client is newly connected to the area or an asset with no clear rationale.
3. Transaction characteristics and pattern red flags
Complex, unusual, or opaque structures without a logical justification.
Recently changed or multiple solicitors.
Other risk indicators: high-risk jurisdictions, politically exposed persons, or involvement of sanctioned geographies.
Use of funds from new/unknown sources.
4. Third parties and professional intermediaries
Firms must consider the wider ecosystem around the client.
Relationship and legitimacy of witnesses, intermediaries, introducers, and other professionals.
Whether third parties are regulated, and whether their involvement makes sense.
Geographic or personal connections between parties that don’t logically fit the transaction.
5. Identity consistency checks (beyond face/ID): “Does everything line up?”
Identity characteristics vs the client’s visual appearance and declared profile.
Newly issued IDs, especially passports or driving licences, obtained within weeks/months.
Whether the individual has a legitimate footprint in the UK (credit, address, phone, email addresses, address history, more than one identification document).
Previous addresses or phone numbers linked to known fraud networks.
6. Property risk (for conveyancing)
Unusual ownership patterns
Inter-family transfers
Vacant, high-value, or recently inherited properties
Clients with no connection to the property
7. Screening and risk status
Sanctions screening
PEP screening
Adverse media and corporate record checks to uncover unreported risk.
NFC protects you from forged, cloned, and altered documents, but only a multi-layered approach protects you from people using genuine documents to hide a false identity.
Don’t just check the passport. Know your client and verify the person beyond a passport, with every layer of data available.
Go beyond the passport
Thirdfort's Client Due Diligence Platform combines NFC ID verification with Source of Funds and comprehensive screening. We transform your client onboarding processes for the better, delivering a simple and secure verification process that helps protect your firm from complex fraud like FOG passports.


