Risk Management Solutions Group Risk Management Solutions Group
Thought Leadership

Synthetic Identity Fraud: Artificial Credit that Poses Real Concerns for Financial Companies

The term identity fraud (also known as identity theft) was first used in the mid-1960s. It involves the unauthorized use of another person's personal information, which is then shared with others and/or used for financial gain.

Identity fraud was easier to get away with in the pre-internet era. Criminals primarily targeted personally identifiable information (PII) of individuals who were or felt limited in their ability to file a formal complaint with the authorities. For instance, criminals often stole the PII of people who were recently deceased. Over the next few decades, criminals improved their methods of collecting PIIs by evolving from being dumpster-divers to being spammers.

Synthetic identities use inactive or fake Social Security numbers

Synthetic identity fraud uses fake PII to create new credit profiles, pump-up credit scores, and buy (aka steal) goods and services. There are two main variations, but it always starts with the social security number (SSN). A new credit file must be "planted" into the credit bureau system to commit synthetic fraud, and that requires an SSN not previously in the system.

The most common method involves using a child's or infant's inactive SSN and substituting a real adult's name to apply for credit. Another method involves creating a completely fake SSN and a fake name to go with it. One contributing factor to synthetic fraud was introduced in 2011 when the Social Security Administration began randomizing SSNs. It sought to provide higher safeguards for the public, but ultimately backfired because:

  1. The existing communication infrastructure between private and public sectors did not allow for verifying the authenticity of SSN of an individual
  2. Fraud detection systems used by financial institutions and credit bureaus could not distinguish a fictitious SSN from an authentic one

Unlike traditional identity fraud in which an entire identity is stolen and used to defraud enterprises and consumers, synthetic fraud has no specific consumer victim. That can sound like a good thing, but not for financial institutions that chase fictitious identities until they must write off the uncollectible credits as losses. Sometimes, the presence of consumer victims, albeit unfortunate, can help catch the true perpetrator. The lack of a clear victim presents two challenges for financial institutions:

  1. No consumer victims mean there are no alerts to warn the affected financial institution of fraud. Criminals can use synthetic identities to keep accounts open for months to years, only to eventually max out the credit line and disappear without a trace.
  2. Once the account charges off, synthetic frauds are often categorized as bad credits, since there is no clear evidence of fraudulent activity. This makes it difficult to identify the root of synthetic fraud problem - and even harder to know if new defenses are proving effective.1

How synthetic identities are created

  • A cybercriminal buys personal information like an SSN on the dark web, which provides users with anonymity through encryption and hides their tracks by routing online content through multiple web servers. An SSN on the darknet costs as little as $4.
  • A cybercriminal uses the resulting identity to apply online for credit, which will trigger an event that pulls credit reports from all three major U.S. credit bureaus. This "planting" stage is how fake/synthetic information is introduced into the system.
  • A cybercriminal will wait days or weeks to apply for a credit card. Once secured, a cybercriminal diligently makes on-time monthly payments while making purchases with the new card without exceeding a certain credit threshold in order to "build credit".
  • After building credit, the cybercriminal applies for loans to their limits with the intention of cashing out. An average cash-out amount using a single synthetic profile is between $81,000 and $98,000.

Protecting against synthetic identity fraud

In May 2018, the Economic Growth, Regulatory Relief, and Consumer Protection Act was passed. It includes a provision directing the SSA to facilitate the verification of SSNs, upon request by a certified financial institution. The implementation, however, has been slow.

Recently, the Federal Reserve developed a synthetic identity fraud mitigation toolkit,2 which offers information about fraud detection technology and data sharing. It also discusses the value of fraud information sharing within the industry to help fight synthetic identity fraud.

RMSG agrees with the Fed that combating synthetic fraud should not be done in a silo. It calls for an effective way to pull information from a variety of databases, both public and proprietary. We also encourage our clients to compare a broader range of data points to identify anomalies and inconsistencies. Our research in this subject revealed that the most telltale sign of a synthetic profile when compared to a real profile is that real people tend to leave behind more diverse data trails - a random collection of activities that seem to occur naturally.

Real people change addresses, phone numbers, and e-mail accounts. Their Facebook or Instagram feeds connect with family and other real people. They engage with both public and private entities, whether applying for a loan, buying real estate that leaves a public record, buying a car, etc. Plus, as they age in real time, the data trail of a real person tends to grow more consistent, so the same basic information shows up in multiple places.

The results of our analysis have consistently revealed that when compared with multiple broader data points, the information connected with synthetic identities tends to be either strangely inconsistent or overtly consistent. The data does not match up or change as it should if it were a real person. Also, detecting synthetic identities entails looking at more than a single factor, like the length of credit history. Aggregating multiple data sets and connecting multiple customer characteristics can help defend against synthetic identity fraud.

If you have questions on this subject or are interested in learning more about how we can assist, please reach out to our consultants at RMSG.

Contact us for a complimentary risk management needs assessment Let's Connect
1
According to the Federal Reserve, synthetic identity fraud was the fastest-growing type of fraud in the U.S. in 2019 - while 85-95% of all synthetic ID fraud cases were not flagged by legacy security systems. Source: The Federal Reserve, "Synthetic Identity Fraud in the U.S. Payment System A Review of Causes and Contributing Factors," (July 2019) - https://fedpaymentsimprovement.org/wp-content/uploads/frs-synthetic-identity-payments-fraud-white-paper-july-2019.pdf

2
https://www.frbservices.org/news/fed360/issues/041522/industry-perspective-synthetic-identity-fraud-mitigation-toolkit