Synthetic identity fraud is an increasingly prevalent form of financial fraud that poses a significant risk to financial institutions (FIs), businesses, and individuals. Unlike traditional identity theft, where a criminal uses another person’s identity, synthetic identity fraud involves creating a new, fictitious identity to commit financial fraud, often by combining real and fake information.
In this article, we take a closer look at how criminals use synthetic identities to defraud businesses, why this type of fraud is so difficult to identify, and what businesses and individuals can do to minimize the risk.
How Does Synthetic Identity Fraud Work?
In the most common form of synthetic identity fraud, criminals amalgamate real and fabricated information to create a new identity. They often use real Social Security numbers from minors, the elderly, or deceased individuals and combine them with fictitious names, addresses, and other personal details.
Once a synthetic fake identity is created, it is used to open bank accounts, apply for credit, and engage in fraudulent activities. Over time, the perpetrator builds up the identity’s creditworthiness, eventually maxing out its credit lines and disappearing, leaving the creditors at a loss.
Synthetic vs. Traditional Identity Fraud
Traditional identity theft and fraud occur when an individual’s personally identifiable information is stolen and used for unauthorized financial transactions or other illegal activities. The stolen information may include Social Security numbers, bank account details, or credit card information.
Once the information is acquired, the perpetrator assumes the victim’s identity to make unauthorized purchases, apply for credit, or conduct other financial activities, often causing immediate and long-term damage to the victim’s financial standing.
In contrast, synthetic identity fraud involves the creation of a new, fake identity. While both are forms of identity theft, they differ in their methods, impact, and detection challenges. Here are some of the key differences.
In traditional identity fraud, the direct victim is an individual whose personal information has been stolen and misused. This person experiences immediate financial loss and may suffer long-term impacts on their credit score and reputation.
In contrast, synthetic identity fraud does not have a direct individual victim, at least not initially. The synthetic identity’s activity doesn’t impact anyone’s existing accounts. The ultimate victims are FIs left with “orphaned” accounts that accumulate debt.
Traditional fraud is easier to detect because it involves activities that are directly linked to an individual’s existing accounts. Unusual transactions or activities trigger alerts or are noticed by the individual, leading to quicker detection and action.
Fraud that uses synthetic identities is much more challenging to detect because it creates a separate and seemingly legitimate financial profile. The fraud may go unnoticed for months or even years as the criminal gradually builds the synthetic identity’s creditworthiness.
Method of Operation
Traditional identity thieves need to access an individual’s existing accounts, which may require bypassing security measures, such as passwords and security questions. The perpetrator may engage in activities like phishing or hacking to gain the necessary information, leaving a trail that aids detection.
Synthetic identities are built from scratch, constructing a new identity with no previous financial history. Perpetrators don’t have to hack into existing accounts and bypass security measures. They instead focus on creating and nurturing a new set of accounts until they can exploit them for financial gain.
Both types of fraud result in financial losses, but the impact can be more diffuse in synthetic identity fraud. Other forms of fraud, such as account takeover and authorized push payment fraud result in immediate financial losses for the victim and, subsequently, their bank or credit institution. Synthetic identity fraud often culminates in larger aggregate losses, which may only be discovered when the synthetic identity “busts out” after accumulating significant credit.
Types of Synthetic Identity
Synthetic identities can be broadly categorized into two types:
- pure synthetic identities
- manipulated synthetic identities
Each type has its own set of advantages and disadvantages for criminals engaged in synthetic identity fraud.
Pure Synthetic Identities
Pure synthetic identities are created using entirely fictional information. Every piece of data, including the name, Social Security number, date of birth, and address, is fabricated. Since the identity is entirely fictional, it is less likely to set off immediate red flags or alerts. On the other hand, FIs may be more skeptical of identities with no traceable history, making it harder to build credit.
Manipulated Synthetic Identities
Manipulated synthetic identities involve altering a real identity by changing one or more elements, such as names, dates of birth, or Social Security numbers. These are partially real identities that have been manipulated to serve fraudulent purposes. The use of real data elements can make the identity appear more authentic, reducing suspicion and making it easier to pass various verification checks. However, there’s a risk that the target will notice and report unauthorized activities, leading to quicker detection.
The Process of Creating a Synthetic Identity
Creating synthetic fake identities is a meticulous process. Each stage is designed to build upon the credibility of the newly crafted identity, making it increasingly difficult for FIs and law enforcement agencies to detect fraud. Here’s a detailed, step-by-step example of a manipulated synthetic identity scam.
Step 1: Data Collection
Criminals begin by collecting personal information, such as Social Security numbers, which are often obtained from the dark web, data breaches, or public records. They may target vulnerable populations whose credit reports are less frequently monitored. They also generate fictitious names, dates of birth, and addresses using software designed for the purpose.
Step 2: Identity Assembly
The real and fake information is then assembled to create a synthetic identity. For instance, a Social Security number from a minor could be paired with a fictitious name and date of birth, creating a new, blended identity that partly exists in the system due to the real Social Security number but doesn’t match any living individual.
Step 3: Initial Account Creation
The next step is to build a financial footprint for the synthetic identity. The criminal may start with something as simple as opening a prepaid mobile phone account or applying for a secured credit card, activities that often don’t require an established credit history. These initial activities help to establish records with credit reporting bureaus.
Step 4: Building a Credit File
To make the synthetic identity more convincing, the criminal will engage in a series of financial activities to build a credit file. They may use the secured credit card to make small purchases and then pay off the balance diligently to establish a history of responsible credit use. Over a period of months or even years, this behavior contributes to a growing credit score for the synthetic identity.
Step 5: Expanding Credit
Once a sufficient credit history is built, the bad actor applies for additional lines of credit, such as auto loans or more credit cards. Each successful application and the subsequent responsible financial behavior adds to the credibility of the synthetic identity. By now, the synthetic identity may have a credit score good enough to qualify for high-limit accounts.
Step 6: The Bust-Out
This is the final stage, where the criminal fully exploits the synthetic identity’s established creditworthiness. They max out all available credit lines, draining bank accounts associated with the synthetic identity. Then they disappear. The creditors are left with significant losses, and because the identity was synthetic, there is no individual who notices the fraudulent activity on their personal accounts.
Step 7: Covering Tracks
Sophisticated perpetrators go to great lengths to cover their tracks. They may close accounts or change addresses to make it harder for authorities to trace the fraudulent activities back to them. In some instances, they even file a death certificate for the synthetic identity, effectively erasing it from the system.
How Do Synthetic Identities Pass Identity Verification Checks?
Perpetrators employ advanced techniques to pass identity verification checks, including:
- Establishing a Credit File: By engaging in small but consistent transactions, they create a credit history that appears legitimate.
- Using “Mules”: Some criminals use individuals (“mules”) to act as the synthetic identity for in-person verification.
- Document Forgery: High-quality fake documents are produced for verification processes.
- Exploiting System Weaknesses: Criminals often exploit loopholes in identity verification systems, such as using IP spoofing to mask location.
Preventing Synthetic Identity Fraud
Like with most fraud, prevention lies in early detection. FIs must be able to distinguish between real accounts created by individuals who are who they claim to be, and synthetic accounts. This requires the implementation of a robust identity verification and KYC solution for client onboarding and continual monitoring. FIs must verify biometric information and government-issued identification, and match it against public records and proprietary database verification.
In addition to identity verification solutions, solutions that analyze various forms of data, including public data records, such as Alessa’s 360° View of Client Risk, can help FIs detect whether an account is fraudulent or legitimate.
Synthetic identity fraud is a complex and evolving threat that requires sophisticated methods for detection and prevention. Understanding its mechanics, types, and the methods used for identity verification can empower institutions and individuals to better safeguard against it. Emerging technologies and analytics offer promising avenues for combating this form of fraud.
Alessa provides a range of fraud management solutions to help businesses reduce their fraud risk, including:
To learn more, talk to a fraud management professional today.