Identity fraud isn’t new, but it is constantly reinventing itself. The acceleration of digitization has also led to a dramatic increase in rates of synthetic identity fraud. Synthetic identity fraud is sophisticated, hard to track, and even harder to stop, making it a top concern for many businesses in their fight against fraud.
How Synthetic Fraud Works
The roots of synthetic fraud are actually nearly 20 years old, which may come as a surprise. Companies began detecting significant numbers of these identities in the mid-2010s. But in the past several years, synthetic identity fraud has skyrocketed, making it a top concern for businesses, especially those in the financial sector.
While many traditional fraud types rely on stealing an existing identity, synthetic identity fraud creates entirely new identities built from both stolen, real information and fabricated information. The result is a new, synthetic identity that does not exist.
Bad actors use stolen Social Security numbers with little or no credit history and pair them with Personally Identifiable Information (PII) of one or more different, real individuals. Fraudsters can “tumble” an SSN: manipulate it repeatedly over many account applications with different combinations of PII. These fraudsters then create phone numbers, email accounts, and other accounts (even library cards or store rewards cards are good targets) and put these newly created synthetic identities into public databases. They can create social media profiles for their synthetic identities and enroll in other services. Synthetic identity theft is a long game: fraudsters will use these identities to apply for credit and build a credit history. They can obtain credit cards, personal loans, and other forms of credit. With small purchases and on-time payments, fraudsters can build a good credit score.
Once fraudsters build their credit score, the purchases escalate, typically using a “bust out” technique. Bad actors will apply for more credit or loans, run up a huge balance with no intention of ever paying, and abandon the identity and account without making a payment. They’ll disappear with the money, leaving behind a cast-away identity that never existed in the first place.
Crime rings and individual bad actors use these techniques to target many types of financial institutions like lenders, banks, and fintechs, as well as government agencies, telecommunications companies, online gaming, and property management companies. Companies usually write this fraud off as a credit loss. Tracing the fraud is costly, as investigators must try to collect from someone who doesn’t even exist. Synthetic fraud is also risky for KYC compliance: with too many synthetic identities on their books, these companies could be seen by regulators as not having adequate identity verification processes or standards.
The impact of synthetic identity fraud is growing. According to the Aite-Novarica Synthetic Identity Fraud Report, synthetic identity fraud losses will grow to $2.42 billion in 2023.
Why Synthetic Fraud is So Hard to Stop
As the digital era has relied less on verifying an in-person identity, fraudsters have jumped on a variety of opportunities to use synthetic identities to commit fraud. These criminals put forth a great deal of effort to create convincing and verifiable identities. And in the United States, an emphasis on static PII to verify identity means synthetic identity fraud is more prevalent in this country than in the rest of the world.
The information these bad actors use can cover several levels: public record demographic data, social media profiles, documentary evidence, credit data, and more. The result is a highly convincing fake identity. And because the identity is not built from just one person, there may not be an alert to charges on an account; these charges aren’t tied to a real person, and institutions are often the first victim of fraud. The length of time fraudsters take to finally commit “bust-out” fraud also makes it difficult to detect. The Federal Reserve reported that over 70 percent of suspected cases of synthetic identity fraud temporarily exhibit typical consumer purchase and payment patterns.
What’s more, the plethora of major data breaches in the last five to ten years has given fraudsters a treasure trove of compromised PII to choose from.
Other recent events have also created a perfect storm for synthetic identity fraud in the US. In 2011, the Social Security Administration changed how it assigned Social Security numbers. While in the past the first three digits were associated with the geographical location of birth, the SSA began randomizing these assigned numbers to protect them and make a bigger pool of available nine-digit numbers. As a result, agencies could no longer use geographic checks for newly issued SSNs, which made it more difficult to detect these synthetic identities.
This blend of information makes it difficult to realize the crime and locate the culprit. And synthetic identity fraud tactics are also changing: for instance, fraudsters are now using these synthetic identities and stolen payment or credit cards to create online shopper profiles, according to Experian, which has huge ramifications for retail and ecommerce businesses. What’s more, these bad actors are also now targeting deposit accounts.
How Companies Can Prevent Synthetic Fraud
Catching up to synthetic identity fraud techniques is difficult, but a number of companies and techniques are on the way to help. Several key tactics are central to fighting synthetic fraud: better identity verification and identity proofing techniques and software, threat intelligence sharing, increased communication among organizations, and public-private partnerships between fraud investigators and cyber security experts. Fighting synthetic identity fraud requires a holistic, collaborative approach.
eCBSV for SSN Verification
In 2021, the SSA launched its Electronic Consent-Based Verification Service (eCBSV). This service allows permitted organizations to verify whether an SSN and PII combination matches the SSA records. While this isn’t a magic bullet, it does offer financial institutions another verification tool both to comply with KYC and to fight synthetic fraud, and it could be expanded in the future to become part of the tools needed to fight synthetic fraud.
The Role of Credit Bureaus
Lenders and credit reporting agencies also must collaborate to create a solution for identifying, classifying, and reporting synthetic identities. Targeted businesses also need to share data, as criminals use their synthetic identities at (and often defraud) many different organizations as they build their credit histories. Forming a consortium to share intelligence could bring suspicious patterns of activity to light sooner, likely reducing the risk of massive losses.
According to the Federal Reserve, certain gaps in the credit process also create opportunities for synthetic fraud. In one example, a bad actor can use a synthetic identity to apply for credit at any institution. While that institution could reject this application, the application will still create a credit profile associated with that synthetic identity, providing “proof” of the identity in the process. Credit bureaus as well as financial institutions must address these gaps in addition to organizational-level checks.
Identity Proofing and Authentication as a Weapon
Fighting synthetic fraud has been especially critical in the financial sector. Often, many financial services companies’ customer identification programs (CIP) are not enough to remove the threat of synthetic fraud. This is where proper identity proofing and identity verification come in. Companies should employ an end-to-end synthetic fraud detection solution that utilizes machine learning for fraud detection and prevention, including automatic monitoring of all transactions for any sign of fraud. Leverage global data-sharing networks t
At the company or organizational level, businesses must frequently assess and recalibrate their fraud prevention and identity verification tools so that they can properly validate an identity. To do so effectively, using a multipronged detection strategy is necessary. Each piece of new customer information should be verified during account creation and at various stages along the customer journey.
If your onboarding and account creation processes do not include in-person verification of documents or biometric screening, you are exposed to synthetic ID fraud. Your identity authentication processes should consider:
- Biometrics, especially those with liveness detection to ensure a user is present during authentication
- Document verification with liveness detection
- Device-specific information and behavior (device identity and reputation, email tenure and reputation, mobile phone tenure, usage patterns of PII, etc.)
- Holistic evaluation of data. Evaluate each identity marker in combination with all others, as well as identify how frequently any piece of data links to another, and how long those links have been in existence. Ensure data is being shared across an organization.
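One way to implement the holistic link evaluation in the last item, which also surfaces the SSN “tumbling” pattern described earlier, is sketched below as an added example (not code from this article or from any vendor product). The marker names, thresholds, and sample applications are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from itertools import permutations

MARKERS = ("ssn", "name", "phone", "email")  # assumed identity markers

# Constructed sample applications; every value is a made-up placeholder.
APPLICATIONS = [
    {"ssn": "900-00-0001", "name": "Ann Lee", "phone": "555-0100", "email": "ann@example.com", "seen": date(2015, 3, 1)},
    {"ssn": "900-00-0001", "name": "Ann Lee", "phone": "555-0100", "email": "ann@example.com", "seen": date(2019, 6, 10)},
    {"ssn": "900-00-0002", "name": "Bo Kim", "phone": "555-0101", "email": "bo@example.com", "seen": date(2023, 1, 5)},
    {"ssn": "900-00-0002", "name": "Cy Roe", "phone": "555-0101", "email": "cy@example.com", "seen": date(2023, 1, 20)},
    {"ssn": "900-00-0002", "name": "Di Fox", "phone": "555-0101", "email": "di@example.com", "seen": date(2023, 2, 2)},
]

def build_links(apps):
    """Map each (type, value) marker to the markers it co-occurs with and the date each link was first seen."""
    links = defaultdict(dict)
    for app in apps:
        for a, b in permutations(MARKERS, 2):
            src, dst = (a, app[a]), (b, app[b])
            links[src][dst] = min(links[src].get(dst, app["seen"]), app["seen"])
    return links

def assess(app, links, today, max_fan_out=2, min_tenure_days=365):
    """Return the signals that fired for an application already passed to build_links.

    The thresholds are illustrative assumptions; a signal is a reason to review, not a verdict.
    """
    reasons = []
    for a, b in permutations(MARKERS, 2):
        # Fan-out: how many distinct values of type b are tied to this one value of type a.
        n = sum(1 for kind, _ in links[(a, app[a])] if kind == b)
        if n > max_fan_out:
            reasons.append(f"{a} linked to {n} distinct {b} values")
    # Tenure: age in days of the oldest link among this application's own markers.
    oldest = max((today - links[(a, app[a])][(b, app[b])]).days
                 for a, b in permutations(MARKERS, 2))
    if oldest < min_tenure_days:
        reasons.append(f"oldest link is only {oldest} days old")
    return reasons

if __name__ == "__main__":
    links = build_links(APPLICATIONS)
    for app in APPLICATIONS:
        print(app["name"], assess(app, links, today=date(2023, 3, 1)))
```

In this sample the long-lived, consistent identity raises no signal, while the three applications that reuse one SSN and one phone number under different names and emails are flagged on both fan-out and link tenure.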
A proper identity proofing solution will not only help protect against synthetic identity fraud at account opening, but throughout the customer journey. Thus, these solutions can help combat other fraud types, including account takeovers, as well.
Synthetic Fraud is a Huge Threat, But Stopping It Is Possible
Synthetic fraud is not just a skyrocketing, sophisticated type of fraud; it’s a longstanding technique that has continued to evolve just as fraud protections and consumer habits have. Collaboration across industries, as well as proper identity proofing and verification, will be key to stopping the damage this dangerous fraud does to both consumers and banking. Traditional approaches to identity will not fight synthetic fraud.
For expert advice on identity proofing solutions that will help your organization fight fraud, contact us.