What is synthetic identity fraud?
Synthetic identity fraud is a type of identity theft in which a criminal combines both real and fake personal information to create a new, fictious identity that can then be used for various identity-related schemes, such as credit card fraud, bank fraud, and more.
Most often, the fraudster uses a real, stolen Social Security number (SSN) as well as other fake information or personal details, such as a name, address, and date of birth, to assemble a synthetic identity, which can be used to apply for and open bank accounts, credit cards, student loans and more.
These criminals often spend years building a positive credit history to increase their credit limits and establish trust with various lending institutions. The ultimate goal of synthetic fraud schemes is to max out the accounts and abandon the identity without repaying accumulated debts — a process known as “busting out.”
What do fraudsters use a synthetic ID for?
While most synthetic fraud cases are financial in nature, synthetic identities can also be used to:
- Overcome a troublesome or poor credit history and regain access to credit through a new identity
- Surreptitiously support or enable criminal activity, such as terrorism, drug trade or human trafficking
- Create a new identity for a convicted criminal or fugitive
- Establish work and residence permits for undocumented immigrants
- Access social services and collect payments for various benefits, such as Social Security, disability or Medicare
Exploring the synthetic identity fraud scheme
Most synthetic identity fraud schemes follow the same basic process:
Step 1: Building the synthetic identity
Formulating a synthetic identity usually starts with purchasing a real SSN that has been compromised in a data breach or other cyberattack. Most often, this transaction takes place via an online marketplace on the dark web, which is a subsect of the internet where people can access unindexed and encrypted web content anonymously.
Once an attacker has a SSN to anchor their identity, they then go about establishing other aspects of the persona. This can include registering a phone number, setting up an email account, creating social media profiles, adding their name and address to online shopping profiles, submitting their identity to public databases, using their synthetic identity details on websites or apps to download material, and applying for library cards or other community services.
This process creates multiple digital touchpoints that the criminal hopes will be sufficient proof of existence when opening financial accounts.
Step 2: Applying for credit
In the second part of the scheme, the criminal begins to open bank accounts, credit cards, loans and other lines of credit using their fake identity. This is often done over a period of several months or even years to avoid triggering alerts or arousing suspicion with relevant institutions.
During this phase, the fraudster’s goal is to establish a good credit rating and increase their credit limit. This is done using the same methods a legitimate account holder would. For example, synthetic ID users may use their available credit to make reasonable purchases and repay the debt on time to gain the trust of the financial institution. Over time, this will help to establish their creditworthiness and expand their line of credit, which will ultimately increase the potential payout.
Step 3: Busting out
In the third and final phase of the attack, the synthetic fraudster “busts out” – or maxes out all credit lines associated with the identity and abandons the persona. The individual has no intention of repaying the debt and the financial institution assumes the cost. Since the identity is based at least in part on fake personal information, it is extremely difficult for financial institutions to track down the parties responsible for synthetic fraud.
It is not uncommon for attackers to work on multiple synthetic identity schemes at once. This helps to ensure a steady source of income for synthetic fraudsters since it takes years to carry out any one scheme.
Challenges associated with detecting synthetic identity fraud
According to the FBI, synthetic identity fraud is one of the fastest-growing forms of fraud in the United States, with total losses reaching $6 billion annually according to some estimates. Part of the reason the market is so lucrative is because synthetic identity fraud is difficult to monitor and detect. Reasons include:
Most synthetic identity fraudsters commit to playing the long game and meticulously lay the foundation for their scheme for years. As part of this process, they will establish their persona’s credit rating and open several lines of credit with different banks and financial institutions. During this time, the fraudster typically uses available credit in a reasonable and responsible way, which further establishes a positive reputation with the bank or lending institution. It is only after years of work that attackers will rapidly rack up huge amounts of debt before “busting out.”
Unlike most cases of identity fraud, there is no single real person associated with the synthetic identity. While the fraudster may use an individual’s SSN, they add fake personal details, such as a fictious name and address. This combination of identifying information often fails to show up on credit reports or other traditional detection tools used by consumers. This means that the activity almost always goes unnoticed by the victim, who is usually a first line of defense in identity theft cases.
In many cases, victims are chosen specifically because they are unlikely to monitor or access their credit. Some of the most targeted groups for synthetic identity fraud include children, the elderly, recent immigrants, homeless people, incarcerated or institutionalized people or even deceased individuals.
Legacy fraud detection limitations
The majority of identities are confirmed today through documentation submitted by the applicant. Banks and other financial institutions use a combination of digital tools and manual processes to review and verify these documents and associated identities.
However, traditional fraud prevention systems and measures are not designed to detect the use of a synthetic identity. In most cases they simply are not capable of identifying this type of fraud. Organizations that are still relying on legacy systems or manual processes alone are at heightened risk for opening a fraudulent account and falling victim to a costly synthetic identity scheme.
Changes to the SSN numbering scheme
In 2011, the Social Security Administration (SSA) began issuing new Social Security numbers at random. While this change was implemented to offer enhanced protection to the public in light of a steep increase in identity theft, the approach has actually fueled synthetic identity fraud. This is because the random numbering scheme makes it more difficult for existing fraud detection systems to electronically check and verify a SSN with a name and birthdate.
Further, unlike the traditional numbering scheme, the current approach does not follow any general format to denote where or when a person is born. This also makes it more difficult for banks, credit card issuers and other lending institutions to identify suspicious or potentially fraudulent applicants.
Who bears the cost of synthetic identity fraud?
As in most cases of identity theft, individuals whose personal information has been compromised are not responsible for fraudulent activity associated with their information – assuming they can prove no personal wrongdoing or involvement, which can be a complex and time-consuming process.
In most cases of synthetic identity fraud, banks, credit issuers and other financial institutions bear the brunt of the cost of the fraud.
U.S. consumers: How to minimize the risk of synthetic identity fraud
Even though individuals may not be financially responsible for paying for fraudulent activity carried out using their Social Security number, it is still important to practice strong identity security to avoid being the victim of such an attack. Consumers can reduce the risk of being a target of synthetic identity fraud through the following steps:
- Freeze credit with at least one of the main credit bureaus for yourself and your children, as well as family members who cannot manage their personal finances, such as elderly relatives, incarcerated individuals or homeless people.
- Consider opening an identity protection service that offers complete fraud protection.
- Review all official correspondence from banks, government agencies, credit providers, insurance providers or other institution that requires the use of your SSN.
- Regularly monitor the media for news of data breaches that may affect your personal information.
- Review corporate user agreements to understand how your personal information is stored and used by companies and what measures they have in place to ensure your data privacy and protection.
- Encrypt any digital files that contain sensitive personal information.
- Shred all sensitive documents before throwing them away.
Financial institutions: How to prevent synthetic identity fraud
Synthetic identity fraud is one of the fastest-growing forms of financial crime in the U.S.
One effort that may help to address this problem is the Social Security Administration’s electronic Consent Based Social Security Number Verification Service (eCBSV).
Introduced in 2021, the eCBSV enables banks and other financial institutions to cross reference and verify all information submitted to the institution, including name, date of birth, and SSN with the personal details on file with the SSA. At present, the rollout is limited and is expected to expand in the coming years.
In the meantime, that leaves the burden on banks, lending institutions and other financial service organizations to reduce and mitigate the risk associated with synthetic identity fraud. Because traditional fraud prevention systems and measures were not designed to detect the use of a synthetic identity, organizations must employ new strategies and tools to help thwart such fraud.
One of the most effective means is to leverage advanced technology, including artificial intelligence (AI) and machine learning (ML) to identify high-risk or potentially fraudulent activity more effectively and supplement manual fraud detection processes through automation and digital tools.
Fighting synthetic identity theft and fraud with Inscribe
As one of the fastest growing types of financial crimes, organizations must consider how to protect themselves from synthetic identity fraud. Lenders can fight back against synthetic identity fraud with the right technology.
Inscribe is a technology partner that helps businesses detect fraudulent customer information through advanced technology and automation. Our rules-based fraud detection capabilities and machine learning helps banks, financial institutions and other organizations generate a full analysis of the legitimacy of an application document.
To learn more about the latest features available with Inscribe, please view our recent article, 5 new Inscribe features to help you fight fraud in 2022, or schedule a personalized demo.