What is Synthetic Identity Fraud?

We briefly mentioned how Synthetic Identity Fraud works in a previous article about how it affects banks and other financial institutions, in particular. However, many other businesses from casinos, to auto dealerships and other retailers, alike, are heavily impacted by this fast-growing form of fraud. Let’s take a closer look.

Synthetic Identity Fraud occurs when a fraudster combines some real identity attributes, such as an illegally obtained – but still genuine – Social Security Number, together with fake or mismatched Personal Identifying Information (“PII”), such as name and address, for the purpose of opening fraudulent accounts and conducting fraudulent purchases. Since the PII information used in synthetic identity fraud is fake, a real person cannot be held accountable like they might be if the fraud had been conducted against a real person.

Identity Theft occurs when a fraudster obtains a real person’s PII (social security number, name, address, etc) and uses it to conduct fraud or other crimes. Identity fraud has a “real” person who is the victim. The crook steals their identity and uses it to obtain access to something valuable – whether credit accounts, bank accounts or other valuable assets.

Due to the fact that synthetic fraud doesn’t affect an actual person in the same way that Identity Theft may, it is often thought of as a victimless crime. However, the institutions and retailers affected by Synthetic Fraud would beg to differ. In fact, according to a study conducted by FiVerity, retailers and banks, the true victims of this crime, paid heavily in 2020 as Synthetic Identity Fraud losses in the U.S. are thought to have amounted to $20 billion dollars that year. Studies also show that Synthetic Identity Fraud is often misreported as Credit Card fraud, meaning that $20 billion dollar amount could be even higher.

How does Synthetic Fraud work?

Step One: A fraudster creates a fake identity using a combination of stolen and fabricated PII information. This information is gained via a data hack, successful phishing, or purchased on the dark web. Typically, if a real social security number is used, it is one belonging to a child, a homeless person, or an elderly person.

Step Two: A fraudster uses the Synthetic Identity to apply for credit at a financial institution. This first application will likely fail as the fake identity does not have any credit history. However, it does succeed in establishing their identity and profile into the financial institution’s system.

Step Three: Additional loan applications are made after some time has passed. Once they can secure a loan, the fraudster is then able to slowly increase their credit limit by maintaining the account in good terms.

Step Four: To increase the rate of growth, fraudsters will piggyback synthetic identities off each other by adding another fake identity to the account as an authorized user. Once this is done, they can then get the credit score and credit limit benefits on the piggybacked synthetic identity as well as the original.

Step Five: The fraudster busts out! Once they can secure a large extension of credit, the fraudster will cash out with no intention of paying. They may use these funds for purchases at business or move it around. Unfortunately, since they are using a synthetic identity, they are rarely caught.

In a 2019 study, the Federal Reserve found that Synthetic Identity Fraud was the fastest-growing type of financial crime, and predictions show that it will likely continue to grow.

The Federal Reserve “Synthetic Identity Fraud in the U.S. Payment System, 2019”

Why is Synthetic Identity Fraud so common?

A couple factors in our U.S. financial system make it possible for criminals to create synthetic identities.

Social Security Numbers

Social Security numbers were originally created in 1936 to track earnings for individuals to calculate their Social Security benefit entitlement. Starting in 1972, each number included an area code, group number, and serial number.

The system has since grown and serves almost as a catalogue of U.S. citizens, albeit a fallible one. In 2011, the Social Security office moved to switch the numbers to a randomized system for the first three numbers, making it easier for fraudsters to make up their own numbers when creating synthetic identities.

Data Breaches

Data breaches have become increasingly common among some of the largest companies over the years. As a result, valuable PII is leaked onto the dark web and into the hands of fraudsters. In FiVerity’s 2021 report they found that 1.4 billion PII elements had been leaked in the past three years alone. These PII elements can be purchased by criminals for as little as $1 per social security number and $20 for a driver’s license.

For a closer look at some of the most impactful breaches, check out this visualization from Information is Beautiful.

How to prevent Synthetic Identity Fraud

One of the best ways to prevent Synthetic Identity Fraud is to ensure that you Know-Your-Customer (KYC). Using an advanced Identity Authentication solution can help you KYC and safeguard your business against these tricky fraudsters.

FraudFighter’s PALIDIN Mobile Solution for example, allows you to remotely authenticate customers or loan applicants by sending a prompt to the user’s phone requesting them to authenticate their government issued identity document (driver license, passport, state ID card, etc). Your potential client will then go through the authentication process using their personal device.

First, they will be prompted to take photos of the front and back of their ID document so that an in-depth forensic examination can be automatically conducted to ensure that the document is genuine. Next, they will be required to take a “selfie” image of their face. This will be used to perform a direct facial match comparison on the ID document that was just authenticated. PALIDIN Mobile will also test for real-time “liveness” to check that the selfie picture was an actual “live” person, not someone wearing a mask or holding a still photo.

Results are given instantly to your business showing an easy PASS or FAIL on the customer. For many of our clients, this process has been shown to deter the fraudster using a synthetic identity from even attempting the transaction or application in the first place.