Synthetic identity fraud: How to guard against a phantom attacker

Security tips
 | 
February 15, 2022

Got a social security number? How about a name and address?

With just a few pieces of personal information like these, a skilled fraudster can create a synthetic identity.

Synthetic identity fraud is a crime where bad actors create fake identities by combining bits of real information, like valid social security numbers, with fake information, such as fabricated names or birthdays.

As your customers continue to move virtually every facet of their lives online, it has never been more critical to keep their personal information safe—and guard their identities from bad actors.

The old measures of security—creating secure passwords, checking credit histories for fraudulent activity, limiting the amount of personal information shared online, and avoiding suspicious links and websites—are proactive best practices we should continue to share with our customers. However, we must now go further to keep them safe and earn their trust, as outlined in this article.

Even with steadfast vigilance in securing our customers’ personal information, fraudsters continue their relentless attacks aimed at stealing identities for profit. Synthetic identity fraud accounts for $20B in financial losses, with 25% of those losses coming from online lenders.

Not only is synthetic identity fraud one of the most damaging types of fraud, it’s also the fastest-growing fraud-related crime, according to the Federal Reserve. Synthetic ID fraud for unsecured U.S. credit products is expected to grow to $2.42B in 2023, a large jump from the 2020 $1.8B projection.

Synthetic identity fraud is a frustrating, devastating scheme that impacts businesses and individuals across industries and demographics. Also, because it takes place over an extended period of time and appears to be normal customer behavior, the damage is often done before victims are aware it's happening.

However, there is some good news: By learning the characteristics and current methods fraudsters often use, you'll be prepared to spot the warning signs when they appear. As a result, you can better protect your customers and keep their confidence in your platform.

What is synthetic identity fraud?

Unlike traditional identity fraud, where fraudsters pretend to be a real person, synthetic identity fraud uses a combination of real and fake personal information to create a new identity—essentially a fake “person”—to apply for lines of credit and loans, open new accounts, and make purchases.

Since the new identity isn’t tied to a real person, fraudulent activity becomes extremely difficult to detect and equally hard to resolve.

Synthetic ID fraudsters primarily target businesses or organizations with quick, easy, and low friction onboarding, sign-up, and approval processes. From there, they can build a seemingly legitimate credit history for their newly fabricated identity. Eventually, they can target and secure large payouts undetected.

Synthetic ID fraud is difficult to detect and eradicate because the manufactured identity appears as a legitimate customer or user for an extended period of time. Most fraudsters are adept at waiting for the ideal moment to reap the largest possible financial reward.

Synthetic identity fraud in the news

Given that it’s often difficult to distinguish a synthetic identity from a real one, it’s not always apparent when the tactic has been used to commit fraud. However, there are a few recent cases that demonstrate damage synthetic ID fraud can cause.

Consider these:

Notre Dame Federal Credit Union

A fraudster using a synthetic identity profile applied for a large credit loan with the Notre Dame Federal Credit Union. Because of how ‘real’ the profile looked, the credit union approved the loan. The fraudster ultimately stopped payments on the loan, which cost the firm $200,000.

DOJ discovers synthetic ID theft ring

The US Department of Justice found and charged 18 people in a credit card scam that netted $200 million dollars. The fraud ring used synthetic identities to create 7,000 different profiles and used credit cards to build legitimate-looking credit reports to commit fraud.

Dallas school breach

A recent data breach of a school district in Dallas, Texas, covered by NBC news, led to the compromise of social security numbers and other personal and medical information of students across 1,200 schools. NBC also reported finding student data for sale on the dark web following that breach.

The Dallas Independent School District later enabled a two-factor authentication feature to better protect its staff and students. Several factors, including an increase in social media use, data breaches, ransomware, and phishing schemes, contribute to the increased vulnerability of children’s data.

How fraudsters get away with synthetic identity fraud

They create a new identity

A fraudster creates a fictitious identity named “John Doe” and works to establish John as a real person. Once created, John combines stolen personal identifiable information (PII) purchased from the dark web with fabricated information. John then uses these credentials to obtain a real person’s SSN and date of birth.

They build a digital presence

To build a more complete picture of his identity, John creates fake information such as bogus addresses, phone numbers, and social profiles. John’s goal is to establish a digital presence using his fabricated PII, while taking advantage of accounts that require minimal verification to create.

They establish a credit profile

Now that John is entrenched in the digital world, he makes himself known to the credit bureaus. He uses the SSN he purchased on the dark web to apply for a credit card. Because he has no credit history, he expects to be denied—but he knows he needs to start somewhere. As expected, John’s application is instantly denied, but now in the eyes of the credit bureaus, John Doe is a real person. Now that John has a credit profile, he can further legitimize himself.

They continue to build a digital presence

As John continues to establish his digital presence, the types of accounts he creates require more verification and interaction. Now, John might sign-up at a local gym, purchase rental insurance, or have a partner add him as an authorized user to their credit card. Because John is playing the long game, he makes payments and demonstrates sound financial habits. John often runs soft credit checks to track his progress. His goal is to establish a credit history, increase his credit limit, and boost his credit score.

They commit fraud

John now has a reasonable amount of credit established for his identity to be used for financial fraud. He then applies for credit cards, business or personal loans, government benefits, bank accounts, and more. Depending on John’s level of sophistication, he can now make more expensive purchases, take out cash/loans, and receive secured card advances before abandoning the profile.

This long-form, costly scheme leaves creditors with significant losses they’re unable to recoup or trace back to the perpetrator.

Who suffers most from synthetic identity fraud?

With synthetic identity fraud, the losses vary from case to case and victims are both individual consumers who have their PII stolen and businesses targeted by the fraudsters.

There are patterns that show which consumers are likely to be victims of synthetic identity fraud. Victims are commonly individuals who don’t regularly check or access their credit. Because of this, children and the elderly are targeted often. In fact, over 1.25 million children were victimized in 2020 alone.

Another targeted demographic is homeless people. One in three homeless people are not able to access the internet, making them vulnerable to attacks.

In addition to individuals who’ve had elements of their identity stolen, it’s the business that suffers the financial consequences. While financial institutions have the most financial risk, synthetic ID fraud impacts organizations across multiple verticals.

  • Commercial enterprises: In addition to financial fraud, people with less-than-desirable backgrounds may use synthetic identities to gain legitimate employment.
  • Healthcare: Fraudsters use synthetic identities to "purchase" expensive treatments or services and bill their own fake shell companies. These claims are filed with insurance companies or government programs, and the thief takes the reimbursements for the fake claims.
  • Tax services: Bad actors present credit histories that appear excellent, which they then use to file bogus tax returns.
  • Financial institutions: Under a false identity, bad actors take out loans or credit cards, often undetected.
  • Social media/dating sites: As the popular Netflix documentary, The Tinder Swindler, demonstrates, fraudsters use synthetic identities on dating apps to defraud customers on online platforms, leading to financial losses and damaged brand reputations.

Protect your customers from synthetic identity fraud

With synthetic identity fraud on the rise, some institutions have incorporated filters to detect potential fraud and suspicious activity. However, more is needed to abate fraudsters altogether. Luckily, we have some ideas to help you combat this issue.

Here are a few tips to protect your customers and your business:

Protect your customers and your business

  • Rework your customer’s onboarding process to match the agility and sophistication of fraudsters
  • Use dynamic risk scoring and digital identity solutions designed to stop fraud before it starts
  • Use machine learning in your fraud assessment to look deeper into customer behavioral trends and patterns
  • Check to see if certain data from accounts align with information shared across other organizations
  • Invest in a trusted identity verification service

How Telesign can help

Using advanced AI capabilities in combination with machine learning, Telesign offers unique developer-friendly APIs that defend against synthetic fraud by adding an additional layer of protection and security superior to traditional fraud detection services.

As the leaders of authentication and digital identity, Telesign works to protect platforms and consumers globally against fraud before it happens.

If you want to learn more about stopping synthetic ID fraud, reach out and chat with us today.

Related posts