Synthetic ID fraud is quickly becoming one of the most pervasive — and economically damaging — forms of fraud. In fact, the Deloitte Center for Financial Services predicts that synthetic ID fraud will generate at least $23 billion in losses by 2030.
To share strategies for mitigating synthetic ID fraud, we recently hosted a webinar with experts from Persona, SentiLink, and Tally. Below, we break down some key points from the webinar, including new ways fraudsters are carrying out synthetic ID fraud, and some key strategies companies use to protect themselves.
Want to watch the webinar? View it here.
What is synthetic ID fraud?
Synthetic ID fraud happens when a fraudster manufactures a fake identity to use online. Synthetic ID in particular occurs when the personal details of an online identity — name, date of birth (DOB), and Social Security number (SSN) — don’t all belong to the same real person.
There are two types of synthetic ID fraud: first-party and third-party. First-party synthetic ID fraud is when a fraudster uses some of their own personal identifying information (PII) when applying for different accounts and subscriptions, but replaces or randomizes one or more elements, like SSN.
Third-party synthetic ID fraud, on the other hand, is when a fraudster creates a wholly fabricated identity using a name, DOB, and SSN from several different people. Many fraudsters who commit third-party synthetic ID fraud do it on a large scale, running dozens or hundreds of fake accounts at once.
Why is synthetic ID fraud a growing problem?
Synthetic ID fraud is easy to carry out, in part because it’s easier than ever to access AI tools and personal information online. At the same time, it’s increasingly difficult to detect, for these reasons:
- Insufficient enforcement: Many companies lack the systems and software in place to flag indicators of potential synthetic ID fraud — like discrepancies in key identifying information across accounts.
- Lack of data sharing between relevant parties: Financial services companies, regulators, and government agencies all have different definitions of synthetic ID fraud. They also tend to have different compliance requirements. This means they’re usually not sharing the same type of data.
- Minimal reporting: Many people don’t know their PII is even stolen, and therefore don’t report anything. This makes it harder to identify when a fraudster is using stolen information to create a synthetic ID.
New trends in synthetic ID fraud
Like every digital threat, synthetic ID fraud is evolving rapidly. Our panel pointed out three patterns that are becoming more prominent:
1. GenAI is accelerating synthetic ID fraud
Although fraudsters can’t use GenAI tools to create a synthetic identity from scratch (yet!), fraudsters can use GenAI tools like voice cloning and deepfakes to bypass liveliness tests, for example, or to create supporting documents and images that make a synthetic ID look more convincing.
2. The scale of attacks has increased
Synthetic ID fraud isn’t just occurring on an individual level — it’s happening on a widespread scale. In addition to offering pre-built synthetic IDs for sale, a growing number of experienced fraudsters are using social media platforms like Darknet and Telegram to recruit people to join their elaborate fraud schemes.
There, fraudsters can teach newbies and veterans about different types of fraud, then coordinate efforts for maximum success.
3. Shift from synthetic individuals to synthetic companies
As synthetic ID fraud becomes more sophisticated, individual synthetic IDs no longer pose the biggest problem — synthetic companies do. Using synthetic IDs, fraudsters can create fictitious companies by the hundreds and thousands.
Once they’ve done that, fraudsters can not only spin up thousands of fraudulent transactions using manufactured spend, they can also engage in a variety of illicit activities once they have funds at their disposal.
How to prevent (or at least mitigate) synthetic ID fraud
Fighting synthetic ID fraud takes trial and error. Detection, deterrence, and prevention all take different tactics, as does dealing with a first-party synthetic ID versus a third-party one.
However, our webinar experts agree that these four strategies are critical to pinpointing synthetic ID fraud — and preventing it from escalating.
Want to watch the webinar? View it here.
1. Consolidate data and risk signals
Reducing synthetic ID fraud comes down to making more informed decisions about the customers you work with. To do that, you need to collect a wide array of data points and evidence to develop a nuanced understanding of every user's risk profile.
SentiLink, for example, can help by collecting a user’s application data, checking that user’s PII against their own internal database, running a number of behavioral checks, then producing a risk score that shows the probability of that user’s identity being synthetic, stolen, or legitimate.
Other helpful risk signals to collect include a user’s IP address and device type, as well as a user’s connection to other users. For example, if three different attributes in a user’s profile connect to other users, but their SSN doesn’t, this could be an indication of first-party synthetic ID fraud. For third-party synthetic ID fraud, the connections might be more subtle, like several different accounts having the same device IP address.
2. Orchestrate with Persona and SentiLink
Together, Persona and SentiLink can uncover bad actors faster, prevent large-scale attacks, and make the entire fraud detection and mitigation process more seamless.
SentiLink ensures an applicant is who they say they are, and that their PII is consistently and uniquely associated with their identity, including over time. And SentiLink’s comprehensive risk score informs the specific step-ups and screenings you can take using Persona.
If a risk score is higher than you would want, for example — but not so high that it’s conclusively fraudulent — you can run a step-up verification. Persona can assist with database verification, government ID verification and selfies, and eCBSV, which lets Persona call the Social Security database to verify that a user’s SSN is active and tied to their identity.
3. Customize your approach based on risk and constantly iterate
There’s no one-size-fits-all solution to detecting synthetic ID fraud. The most effective strategy is to take a multi-modal approach then measure and iterate, especially in situations where risk scores are inconclusive.
You might need to gather additional passive risk signals, for example, or change your threshold for sending users to different types of verifications. Using Persona and SentiLink allows you to keep all your solutions under one workflow, so you can reconfigure and refine your approach without having to write new code.
4. Use link analysis to fight fraud at scale
It’s crucial to have a plan for uncovering and blocking large-scale synthetic ID fraud and repeat offenders. Enter: Graph, Persona’s link analysis tool that identifies duplicate information across applications.
Graph investigates patterns in fraud rings, proactively stops fraud incidents with automated decision-making, and iterates new queries with a no-code query editor.
—-
Synthetic ID fraud is a growing problem, but you can take practical action to combat it. For a deeper dive into synthetic ID fraud mitigation tactics, watch our entire webinar here. For help detecting synthetic ID fraud, consider Dynamic Flow, a customizable workflow that lets you collect identity information and adjust friction based on real-time risk signals.
Need more support? Connect with Persona any time to ask questions and schedule a demo.