Recently, we held a roundtable discussion where our trust and safety architect, Jeff, chatted with Brian Killeen, director of financial crime, fraud, and investigations at Guidehouse, and Ahmed Siddiqui, Branch's Chief Payments Officer, about why synthetic identity fraud (SIF) is such a threat and how to minimize SIF risk both immediately and going forward.
We’ll summarize the key takeaways below but recommend watching the recording to get the most out of the discussion.
What is synthetic identity fraud?
The panel began by discussing what synthetic fraud is. SentiLink defines it as “an identity where the combination of name, date of birth, and SSN do not correspond to a single real person.” For this reason, some refer to SIF as “Frankenstein fraud.”
What are some SIF trends businesses should know about?
Next, Brian discussed why SIF has become such a problem, which boils down to today’s market dynamics. “There's been a huge uptick in synthetics, and given what's happened with Silicon Valley Bank and other institutions, there's a sense of vulnerability. And bad actors will attack that vulnerability.”
Specifically, Brian pointed to four factors that have created a “perfect storm” for SIF:
- The fundamental shift toward digital, partially expedited by COVID.
- Data breaches: with close to billions of records being exposed, more information is accessible to fraudsters.
- Sophistication of fraud: it’s easier for nefarious actors to infiltrate the ecosystem thanks to easy access to bots and resources from the dark web.
- Structural changes that allow bad actors to focus on identity-based crimes. For example, the introduction of smart chips in 2015 pushed a lot of bad actors to digital channels.
When asked about current trends, Brian and Ahmed mentioned the following:
- Fraudsters are trying to blend in as much as possible, so they’re using popular names like “Michael Smith” to make them look like actual people.
- Synthetics are being written off as credit losses. In fact, one study estimates that synthetic identities account for slightly more than 20% of all losses in a given loan portfolio.
- Fraudsters are targeting children, as they have a clean credit history.
Why are synthetics so important now? What should we know about them?
Next, the panel went deeper into the shift to digital and the controls companies can put into place to help mitigate risk.
Ahmed began by sharing that Branch focuses on providing mobile-first financial services, as most of its users spend their entire lives on their phones. As such, Branch needs tools that can onboard these users quickly — while also protecting itself against synthetic fraud.
Then, Ahmed pointed out that asking for an individual’s SSN is just one component of mitigating fraud. “You need all these other signals to be able to verify that they are actually who they say they are — signals like their phone number, email address, those sort of things. They help create a profile for that user.”
While Ahmed ended by saying that synthetics can still get around these additional signals, Jeff added, “it's an interesting thought exercise where a real person should have access to these documents, or should be able to provide them to you based on your vertical or use case, but maybe the synthetic identity doesn't have that. Or if they're trying to figure it out on the fly, maybe the documents they provide to you aren't super polished yet.”
In other words, while collecting more signals might not necessarily be able to prevent 100% of synthetic fraud, these additional layers can help catch certain instances.
Finally, Brian ended by sharing that it’s estimated that SIF cost U.S. banks and financial institutions $20 billion in 2020 alone.
Why is SIF so challenging to fight? Brian called out two culprits:
- Corrupt credit bureau data. If an individual created a synthetic identity, applied for a line of credit, and was rejected, that synthetic would still be added as an identity within the bureau. As such, database verifications aren’t always 100% accurate.
- Manipulated identities. Some consumers are manipulating their own identities — whether intentionally or unknowingly at the advice of “credit repair agencies” — to try to get rid of prior derogatory credit history.
How can businesses identify and mitigate synthetics?
Unlike in the compliance world, where you’re told what to do, your approach to fraud usually depends on the market and how bad actors respond. “There’s no playbook — the lack of standardization in the market makes it a bit challenging,” said Brian.
While Brian mentioned that he’s seeing a shift in this trend, the fact remains that synthetics can still be hard to identify and mitigate. However, there are a few strategies organizations can take:
Bring in as much data as possible to make better decisions
First, compile as much as you can about each user. “If I want to know that Ahmed is a real person and Ahmed is the actual user signing up as Ahmed, I want to bring as much data together,” Brian said. “There's no silver bullet. There are just lead bullets, so how do we get as many lead bullets in this problem as possible? Bring in credit check history, bring in Social Security history, bring in that data.”
Brian also noted that utility data is really valuable. “If the synthetic was just created, they probably won’t have had a phone number for a long time, or have lived at an address and been with Ma Bell for a long time.”
Note: this doesn’t necessarily mean you should ask users to submit a ton of information — after all, the more you ask, the less likely they may be to convert. In addition to active data, you can also collect passive signals about the individual, such as their IP address and device fingerprint. “Bring that data together to make better, broader decisions. And not just at that point of identity proofing, but throughout the funnel,” said Brian.
“If you actively ask for four pieces of data, the question becomes how can you enrich and uplevel and learn from those four pieces of information?” Jeff added. “How can you turn four into 64 or 128, where you're getting these specific identifiers, which could be cross-comparisons, normalization, etc.? That really gives you a better chance to identify some of the synthetic fraud versus just accepting it as-is and pushing it into the system.”
Take advantage of information sharing
While some organizations are still hesitant about sharing information, the overall industry is getting better.
For example, Brian noted that the Social Security Administration offers eCBSV, which can help businesses confirm if the full name and birthdate provided matches an SSN in the official database. In addition, there are other third-party vendors that have consortium models to look broadly across their customer base. Businesses can then bring this information together with other enrichment to make decisions.
Explore new technologies, solutions, and verification types
Ahmed also reminded everyone that you don’t always have to stick with traditional methods. For example, many companies ask users to submit a picture of their driver’s license to help verify their identity, but driver’s licenses can be easily faked. Fortunately, a few years ago, Apple introduced driver’s licenses in Apple Wallet.
“This is really cool because it's not leveraging somebody's eyes to verify something, nor is it relying on some physical piece of plastic to verify somebody. It actually is doing some verification and carrying the device with it too,” Ahmed shared. “It's almost like all the cool things we hear about how secure it is to use Apple Pay is now being applied to identity, which I think is super fascinating. We've got a long way to go for it to be a lot more ubiquitous, but I think this is a really good first step to helping fight this kind of fraud.”
Partner with companies that specialize in identity verification
Ahmed also added that it’s important to partner with identity experts who can help you quickly respond to (and even prevent some) attacks — especially if you’re focused on building your business. “I'm busy building a digital payments business and offering great financial services to these workers. I don't necessarily have all the time in the world to dig into these attacks. Having other folks that do this all day and all night is really, really key.”
“There are companies that basically specialize in identity verification and synthetic verification. They live, eat, breathe, and sleep everything in this world,” he shared. “I like to think about how to best leverage these types of partners and companies — and how do you do it in a really flexible way so that as these types of fraudsters get even more and more clever, you know for a fact that there's somebody out there that is actually looking for this?”
Brian agreed, stressing the importance of partnering with vendors to maximize protection. “You can't just rely on them entirely. How do you invest within your organization and truly partner with the vendors to share insights? It's that concept of one plus one equals three.”
What are the next steps?
After the panel discussed mitigation tactics, they discussed next steps organizations can take from the discussion, including:
- Embrace flexibility. “There are other signals we can use to really identify that this is a real person,” Ahmed began. “So how do you find the right tech partner that can give you a platform that's really flexible so you can start adding all these parameters in? Because at the end of the day, for the 99% of good people, you don't want to create a bad experience for onboarding.”
- Partner with experts to continually adjust your strategy. “It's absolutely critical to find partners that know how to handle synthetic fraud because, again, you're just not going to be able to know how these people move and change at the rate that they're changing,” Ahmed shared.
- Be more proactive and strategic. “Many fraud programs are very reactive, but I think a lot of the synthetics are going to surface in the future, so it's only going to get worse from where things are currently. So to me, it's really investing in being more proactive and being more strategic,” said Brian.
- Partner with credit loss. “If you're working at an institution that provides lines of credit, partner with a credit loss group to understand the differences between synthetics and write-offs,” Brian advised. “That's a big issue right now — synthetics aren't even being realized because they're just seen as write-offs.”
- Create customer profiles. In other words, bring all the data you have about each user together — and continually collect data throughout the customer lifecycle — to make better decisions.
- Label your data. “Allow for investigative tools to label the data,” Brian advised. “Label with accuracy and be granular about it. This is a synthetic versus this is third-party identity fraud versus this is an account takeover. Then, use that data to provide feedback into the technology and the people and the process. The better equipped they are, the better decisions they’ll make.”
Key takeaways from the discussion
To wrap up the discussion, Jeff summarized the panel’s three main takeaways:
- Understanding synthetic fraud is the starting point. Partner with experts to build your strategy.
- Unlock data across your customer lifecycle and transform your fraud efforts from reactive to proactive.
- Act as if synthetic identity fraud is already a problem for you. Oftentimes, in the absence of a definition or label, people think the problem doesn’t exist since it’s not represented on their business card. Now that you know what you’re looking for, you can start identifying — and addressing — it.
Interested in learning more about identifying and mitigating synthetic fraud? Our experts stayed to answer some questions at the end of the discussion, and we’ve recapped the Q&A here.