Any time you see a number of followers/fans on a social media account, do you wonder how many are real? It raises an interesting question: How can you tell if someone online is real, or if they’re a bot or some other synthetic identity? While these deceptive accounts often pose no real issues, bad actors are increasingly turning to synthetic identity fraud to commit financial crimes. Synthetic identities wreak havoc on traditional validation and authentication methods, costing businesses significant time and money.
The concept is to create fake identities usually based on combining fake information with actual ID data. One example of a fake identity is one that contains personal information, such as a real social security number (SSN), along with a fake address and other synthetic data points. The fraudster can then use this fake identity to acquire a driver’s license, passport or other form of real ID, in addition to credit cards and other accounts.
The fastest growing type of financial crime
Unfortunately, synthetic identities are a growing problem. Data breaches are allowing more personally identifiable information (PII) to leak out, which makes it easier to start these scams. The speed of online and mobile commerce is generating demands for quicker onboarding and credit processes, taking human interaction out of the process. And, the anonymous nature of synthetic identities also decreases the risk to fraudsters, increasing their interest.
The losses are substantial; in its 2021 Future of Fraud Forecast, Experian stated that synthetic identity fraud was the fastest growing type of financial crime. According to the Auriemma Group, “Up to 5% of charged-off credit card accounts could be linked to synthetic identity fraud. With the average unpaid debt totaling more than $15,000 per account, that equates to $6 billion, or 20%, in credit losses industry-wide.” This emphasizes other research from Equifax, which found synthetic ID fraud accounts for 80% of credit card fraud losses, nearly 20% of card charge-offs.
COVID-19 has caused synthetic identity to increase, as more and more people move to transacting with businesses and banks online, and undertake more aspects of their daily lives digitally. In addition, prominent large-scale customer data leaks and cybersecurity breaches have exposed millions of identities and huge amounts of personal data for fraudsters to exploit. To put it in perspective, an Identity Theft Resource Center report indicated that 471 million customer records were exposed in 2018. Savvy fraudsters use all of this personal information to take advantage of the vulnerable, especially the young and elderly. Fraudsters even use identities and SSNs of dead people.
Department of Justice, R. Sean McCleskey states:
When criminals use a blend of different people’s data, as well as some entirely made-up information, it becomes harder for law-enforcement officials to both realize the crime and then locate the culprit.
And the losses aren’t just financial. Oftentimes, criminals will use the SSNs of children to apply for government benefits, open bank and credit card accounts, apply for loans or utility services, or rent a place to live. Children are targets of identity theft because the crime can go undetected for years, often until they first apply for credit or check their credit score.
More than one million children were victims of identity theft or fraud in a single year. While that number covers the various different types of identity fraud, synthetic identity fraud is increasingly used by fraudsters as those accounts offer a blank slate and are better suited for opening accounts that go unnoticed. According to Carnegie Mellon CyLab, children’s SSNs are 51 times more likely to be used in synthetic fraud schemes than adults.
Adapted from Payments Fraud Insights report (2020), Federal Reserve System.
Credit bust-out fraud
Synthetic identities are often used to open new accounts, as a form of application fraud. As the identity data elements are reusable, it becomes a tool for application flooding, which are attempts to open large numbers of accounts. The fraudsters understand it’s a numbers game, with many accounts being rejected. However, accounts that are opened can then look more legitimate over time.
To maximize returns, synthetic fraudsters play a long con with a credit bust-out fraud, also known as sleeper fraud. This form of fraud is where a fraudster establishes a normal usage pattern and solid repayment history to build up their credit line so they can acquire more cards and higher credit limits, before a final “bust out” of charges where they max out all the cards with no intention of paying the bills. While it takes patience, the financial gain is often substantial. One fraud ring in New Jersey built up 7,000 credit profiles in a scheme that created over $200 million in fraud losses.
Stopping fake identities
There are steps that your business can take to limit synthetic identity fraud. Just as using data is the key to creating a synthetic identity, data is the solution to combating the fraud. Initial Know Your Customer (KYC) checks are an obvious starting point, as they are often a compliance requirement.
Unfortunately, fraudsters can abuse gaps in the Know Your Customer (KYC) protocols of financial institutions. Bypassing weak KYC protocols and traditional, manual processing procedures, once accounts are opened, these synthetic identities can go undetected for many years. Further complicating detection efforts, synthetic identity profiles generally have strong credit scores. This results in fewer (or no) red flags during credit underwriting and credit checks.
Adding in additional identity layers in a risk-based approach builds more security hurdles for the fraudster to overcome, as they need to synthesize a more robust profile.
Adapted from Payments Fraud Insights report (2020), Federal Reserve System.
Equifax mentions these three points to watch out for:
- SSN can’t be matched to the specific consumer, based on comparison algorithms
- SSN matches to a different consumer, while no credit file is available for the requested applicant
- SSN matches to a different consumer, and a credit file is available for the name and address provided; however, the SSN on that file is different from the SSN provided on the inquiry
While good, those three points only consider one data source.
By using multiple data sources, you increase the opportunity to find non-matches and detect red flags for potential fraud. As pointed out by the U.S. Federal Reserve in Payments Fraud Insights: Mitigating Synthetic Identity Fraud in the U.S. Payment System:
A multi-layered approach that employs both manual and technological data analysis gives organizations the best chance to identify and mitigate fraud caused by synthetics.
There are also other data sources that are coming into the picture that will further limit the effectiveness of this type of fraud. These include data points like:
- IP address
- Physical location
- Social media information
- Mobile identifiers
To effectively mitigate synthetic identity fraud, you need a system that can appropriately consider the totality of the data and not rely on limited views. Adaptability to new data parameters and sources is the key; the more independent and reliable data sources you can leverage, the more you can do.
One further step is implementing link analysis processes, which analyze the connections between different identities and data. For example, different identities might use the same address or SSN, or have some other relationship that can indicate a fraudulent pattern. The use of sophisticated fraud analytics systems helps spot suspicious patterns, without affecting the customer onboarding experience.
It’s an emerging threat to businesses and implementing an effective identity verification and authentication system to spot fake identities is your strongest defense to help protect your business from the fastest growing type of ID fraud, which currently accounts for 80-85% of all identity fraud.
Originally published: March 22, 2017, updated to reflect the latest industry news, trends and insights.