What is synthetic identity fraud?
Synthetic identity has been a growing type of fraud in recent years, which has led to numerous scams throughout the world. As one of the fastest-growing financial crimes in the U.S., synthetic identity fraud has started to raise concerns for regulators, following the tremendous losses it has caused. According to a 2019 white paper from the U.S. Federal Reserve, synthetic identity fraud cost 6 billion USD for U.S. lenders, and accounted for 20% of credit losses in 2016. The Federal Trade Commission defined it in 2021 as “the use of a combination of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.”
So specifically, synthetic identity fraud is a type of fraud where the fraudster harvests different kinds of information, from social security numbers (SSNs) to personal information, in order to create a fake new identity that appears as legitimate. Fraudsters often mix valid and fake information (postal addresses, SSNs, fake name, and personal identifying information), although that information altogether does not combine and match to one person in particular.
The relative increase of records breaches facilitated access to personal information for fraudsters, who easily acquired them on dark web marketplaces. Thus, it contributed to the rise of such frauds. Ironically, synthetic identity fraud has also developed because of security improvements in credit card chips, obliging criminals to find other ways to earn money online.
Synthetic identities are used to open fraudulent accounts to later apply for a loan, subscribe to a credit card to make purchases, or defraud financial institutions and governmental agencies. Other common uses include credit repair, payment default schemes, or Money Laundering. Synthetic identity fraud is overwhelmingly popular in the U.S. as companies often depend on SSNs to verify individuals’ identities, compared to other countries which benefit from centralized registries.
How does synthetic identity fraud work?
Usually, fraudsters start to create a synthetic identity by stealing an SSN then collecting primary elements (first and last name, date of birth, along with other identifiers). On top of that, they will build a stronger identity by strengthening online and offline presence, through emails, social network profiles, and mailing or billing addresses. To make the profile more genuine and enhance the validity of the identity, they even may apply for a loan – even though they get rejected – or conduct transactions, which will help them establish a track-record. Building a solid synthetic identity can take months or years, but the results often outweigh the cost.
Other techniques such as “piggybacking,” enable fraudsters to add a synthetic identity to a valid account belonging to another individual or a synthetic identity, thus benefiting and “free riding” on the already existing good credit record. In the end, the user of the synthetic identity “busts out,” by maxing out cards and disappearing.
Because of its relative low cost, synthetic identities are quite easy to establish. This fact contributed to the spread of this fraud, and had a major impact on financial industries, as well as other businesses and governments. The U.S. Federal Reserve in a 2020 white paper reported that criminal organizations may also collide with related merchants in order to cash in the fruit of their synthetic identity frauds.
Criminal organizations conducting synthetic identity fraud are able to curate automatically tens or thousands of accounts at the same time, at scale, without victims noticing. Indeed, as only one element from a person’s identity is usually stolen to compose a synthetic identity, victims are less likely to identify that some of their personal information was compromised. When it comes to SSNs, fraudsters often target elders, children, and homeless people, because this population is less likely to use their credit as frequently as any other persons. A dedicated study reported that in 2017 alone, one million children were victims of identity fraud. In the U.S., the SSN randomization led by the Social Security Administration in 2011 impacted on how identifiable this nine-digit code is, and helped fraudsters to leverage this element even more.
How to identify and prevent synthetic identity fraud as a financial institution
When tracking synthetic identities, different characteristics can help determine whether it is a legitimate or synthetic one:
- Information that is not correlated or is inconsistent (e.g.: email addresses with name, name pattern, etc.);
- Different identities with the same SSN;
- Multiple accounts having the same phone number, mailing address, or IP address;
- Multiple authorized users on the same account;
- Credit history inconsistent with the profile (e.g.: multiple loan applications although customer is below 18 years old).
It is important to understand that those characteristics must be combined in order to apprehend a potential synthetic identity, otherwise it might lead to false positives.
For mitigating those risks, financial institutions must steer away from traditional fraud prevention models and adopt a more comprehensive framework to clearly pinpoint synthetic identities and stop them.
As synthetic identity fraud is relatively new, the financial industry must raise awareness about this type of fraud, and train relevant agents who tackle fraud on a day-to-day basis. Moreover, a layered approach involving KYC checks, collecting additional identity elements, conducting link analysis through third-party data and proceeding to credit review is a strategy that would pay off and provide better results rather than traditional fraud prevention means. Such models can be built by associating a team of experts, from data scientists, compliance experts, and fraud specialists.
Finally, several fraud experts called for a greater collaboration and information sharing between actors. Banks may leverage technology solution providers which offers a first line of defense against a wide range of identity frauds.