Synthetic identity fraud is a growing threat in the US. Traditional methods of fraud detection are falling short and failing to catch it. Read on to find out why your business should consider a new approach to fraud prevention.
Synthetic identity fraud: definition and explanation
Synthetic identity fraud is a type of fraud where criminals combine fake and real information, such as Social Security Numbers (SSNs) and names, to create a new identity. This new identity is used to defraud financial institutions, government agencies or individuals by opening fake accounts and making fraudulent purchases.
Synthetic identities are generally more common in the US. This is because identity verification in the US often relies heavily on personally identifiable information (PII) such as SSNs. McKinsey estimates that synthetic identity fraud is in fact the fastest growing type of financial crime in the US.
But this type of fraud is difficult to detect. Victims are typically individuals who are less likely to access their credit information regularly, such as children, the elderly or homeless. Plus, fraudsters often nurture these identities over time, gradually applying for more and more credit and building up a positive online payment history. They often go years before ‘busting-out’ the credit line and disappearing. So the fraud goes unreported and undetected for longer periods of time.
Large payouts and the ability to go undetected for so long are some of the reasons synthetic identity fraud is so attractive to fraudsters and crime rings. It’s expert-level fraud which is carried out by some of the most sophisticated identity thieves.
What is synthetic identity theft?
Synthetic identity theft is when someone combines real and fake identity information to fraudulently create accounts or make purchases. The real information is often stolen, such as photos or Social Security Numbers, and combined with fake information, like a fake name, date of birth or address. Fraudsters use this new, synthetic identity to open credit cards or make fraudulent purchases. It’s even sometimes referred to as a “Frankenstein identity” because of the way different identity information is cobbled together.
A fraudster likely uses this synthetic identity to first open accounts, or other actions that help them build up credit and seem real. Then, when they’re considered highly qualified borrowers and appear lower risk, they may make a large purchase or take a large loan, and disappear.
These synthetic identities may be hard for basic fraud detection to catch because they use an element of real identity (like a SSN). Businesses need to use identity proofing services with more robust, multi-signal fraud detection to catch synthetic identity theft. As more people quickly move online and into digital transactions, online fraud is also on the rise, in traditional banking, crypto, and others.
Synthetic identity theft cases
Synthetic identity theft can cause millions in criminal damage. In 2020, four Florida men were charged with bank fraud conspiracy for allegedly defrauding banks and stealing what turned out to be $24 million from government COVID economic relief payments. Prosecutors said in 2021 that the men used fake identities and fake companies they had set up in the past, to receive millions of dollars from the Payroll Protection Program.
In many other cases in the media, fraudsters or a fraud ring create multiple – or hundreds – of new synthetic identities. In most cases, it is the lenders who are the victims since they extend credit and funds to criminals using synthetic identities. Individuals can also be victims of these cases if their real information is part of the synthetic identity caught up in fraud crimes.
Quite often in these cases, it is a “long con” since it takes time and work to build up a fictional credit profile that allows the theft of large amounts of money.
Synthetic vs traditional identity theft
What’s the difference between synthetic and traditional identity theft? With traditional identity theft, most often a fraudster steals the full real identity of someone and quickly maxes out their credit cards or some other fast-moving theft, hoping to maximize what they can take before the victim notices. In other words, they are posing as someone else, which will draw the attention of victims and authorities quite quickly.
With synthetic identity theft, the identity is created from different pieces of information, and a real person does not exist. This becomes much more difficult to detect.
How does synthetic identity theft work?
A fraudster needs some real, and some fake information to create a synthetic identity, and then uses that new fraudulent identity to start applying for and building up credit. Once they have established strong credit, they can then defraud a financial or commercial institution with the fabricated identity and disappear.
How to create a synthetic identity step by step
A fraudster creates an identity
Synthetic identity theft requires some real identity information that is combined with made-up information to create a fake, new identity (sometimes called a “Frankenstein identity.”) They often use real Social Security Numbers which are stolen, or purchased from the dark web. Often, fraudsters use SSNs assigned to people who don’t have a credit history, like children, homeless people or the elderly. They start building a profile with that SSN and fake names, dates of birth, etc.
They apply for credit
Using the newly created synthetic identity, a fraudster applies for credit online. The financial institution they’ve applied to then submits the query to credit bureaus for checking. This first application is normally rejected, as the synthetic identity will not have a credit history. However, the application alone is enough to start a credit file.
They continue to apply for credit until they are successful
The fraudster applies for credit repeatedly at various financial institutions until finally approved. Often it will be a high-risk lender which grants this first approval. They continue to use this line of credit, making timely repayments and building up a solid credit record. In time, they can gain access to other lower-risk lenders and higher credit limits. They nurture this new credit profile over months or years. In these records, the fraudster looks just like any other credit user.
They boost a positive credit score
Some fraudsters will accelerate the process by piggybacking. This means they are added as an authorized user to an account with good credit, in return for compensation to that existing account holder. The fraudster will use a variety of tactics to make the synthetic identity appear real, so as to ensure higher credit lines and payouts. For example, they may create additional false identity documents, create a social media presence, or list fake businesses. Sophisticated crime rings use these tactics at scale.
The fraudster ‘busts out’
As they nurture the synthetic identity’s credit score, they can secure larger credit lines. Eventually, they will ‘bust out’. They max out the credit line and then stop payments, before disappearing. It’s also possible for the fraudster to double the payout by claiming identity theft in order to remove charges. Or, they might use fake checks to pay off the balance before maxing out the credit for a second time.
What is the impact of synthetic identity fraud?
Synthetic identities have a far-reaching impact in the US. And they can affect a variety of sectors, including financial services, healthcare, government entities and individual consumers.
The impact on individuals
Children are more likely to be a target of synthetic identity fraud because it will often be years until they discover their SSN has been compromised. One million children were victims of synthetic identity fraud in 2017 alone. And in 2020, almost half (47%) of U.S. consumers experienced some form of identity theft. This can create severe problems for them down the line. Imagine turning 18 and applying for a student loan, only to find out you’ve been a victim of identity fraud.
And it’s generally assumed that the first individual to open a line of credit under an SSN is the true owner of that SSN. So the real individual whose SSN is compromised faces the difficult task of proving to credit bureaus and financial institutions that they are in fact the true SSN holder. Not only will they need to prove their identity, but they’ll need to clean up their credit history.
The impact on businesses
While it’s difficult to measure the exact impact of this type of fraud in the US, estimates suggest that US credit-card accounts lost $820 million to synthetic identity fraud in 2018, and losses are projected to climb to $1.25 billion by 2020. But this doesn’t take into account the millions of dollars lost in personal time and aggravation for the victims.
Synthetic identity fraud is costing businesses billions of dollars, as well as the countless hours they spend chasing down people who don’t even exist. The question is: why aren’t businesses conducting more rigorous screening and onboarding methods to identify potential cases of synthetic identity fraud?
Clearly synthetic identity fraud is a growing threat, so businesses need a more efficient process to confirm the identities of their users. Given the scale of data breaches, compromised PII and ease of access to the dark web, it’s no longer enough to rely on social security numbers and credit bureaus alone. Traditional tools which are meant to help reduce identity fraud, aren’t able to catch synthetic identity fraud.
How to detect synthetic identity fraud
There are multiple ways to detect synthetic identity fraud. A basic one includes using ML (machine learning) and AI (artificial intelligence) to understand customer behavior patterns and spot anomalies. Alternatively, businesses can analyze and connect a multitude of data including 3rd party data, looking at data not only across accounts and portfolios, but also across organizations. Establishing customer identities is also one of the first steps to preventing fraud.
Businesses need to invest in more sophisticated methods of identity verification, such as document verification and biometric verification powered by AI algorithms. While a synthetic identity which combines a real SSN with fake data can bypass a credit bureau check, it’s less likely to get past a document check.
By introducing document verification, the fraudster will have to submit a fabricated identity document. They won’t have a genuine identity document which matches the synthetic identity. Onfido’s document verification uses data consistency checks, image analysis, and font anomalies detection, among other methods, to identify fraudulent documents.
Government sources of truth are a key part of a layered approach to catching and stopping synthetic identity fraud. Without them, identity proofing is ultimately trying to guess at information the government already knows.
The US government’s first identity attribute validation service is eCBSV. It was created to stop synthetic identity fraud by matching a name, date of birth, and Social Security Number and provides a death indicator.
For their part, businesses need to deploy strong fraud prevention tactics.
In the context of synthetic identity fraud, you cannot rely on a single way to detect fraudulent identities. It requires a combination of document verification, biometric identification, passive fraud signal verification and database verification to be effective.
When considering data verification, largely financial crime and compliance databases—these are markers of “physical identity” such as name, date of birth, government sources of truth.
The basic approach:
- Verify the PII data based on an identity document
- Verify a biometric, for example a face or a fingerprint
- Leverage databases to verify credentials
- Leverage passive fraud signals, such as geolocation or IP address
How to prevent synthetic identity theft
Synthetic identity fraud is a growing threat and increasing each year, so businesses need a more efficient process for identity verification of their users. Given the scale of data breaches, compromised personal identifying information (PII) and ease of access to the dark web, it’s no longer enough to rely on Social Security Numbers and credit bureaus alone. Traditional tools which are meant to help reduce identity fraud, aren’t necessarily able to catch synthetic identity fraud.
Businesses need to invest in more sophisticated methods of identity verification, such as document verification and biometric verification powered by AI algorithms. While a synthetic identity which combines a real SSN with fake data can bypass a credit bureau check, it’s less likely to get past a document check. And a fraudster is unlikely to want to put their face to a fake identity with a biometric check.
Onfido document verification lets a user scan an identity document from any device, and the document is then checked to see if it’s authentic or fake. Combined with Onfido’s biometric verification, a business can seamlessly anchor a customer’s real identity to an account. A use simply takes a photo of their ID, and then a selfie, and Onfido’s hybrid system checks if they match with a fast response time.