A new type of fraud is becoming more common and causing problems for businesses, especially those in the United States: synthetic fraud. In 2019, the U.S Federal Reserve found synthetic fraud was the fastest-growing financial crime.
Read on to understand what synthetic fraud is, how it works, and what safeguards you can use to protect your business against its impacts.
What is synthetic fraud?
Synthetic ID fraud occurs when someone creates a fake identity by combining real information (such as a Social Security number, or SSN) with fake personal identifiable information (PII) such as birth dates, addresses, or phone numbers.
The criminal then uses this synthetic identity to open fraudulent accounts, access credit, and make purchases with no intent of repayment.
As the fastest-growing crime in the US, synthetic fraud totaled $1.8 billion in 2020, and experts estimate that it will increase to $2.42 billion by 2023.
Synthetic fraud vs. traditional fraud
Synthetic identity fraud is different from traditional fraud, where a criminal wrongfully assumes a real person’s identity. With synthetic fraud, the criminal creates a whole new identity by piecing together real and fake PII.
It’s more difficult for organizations to identify and protect against synthetic fraud because:
- It’s harder to detect. Traditional fraud is usually discovered when the victim realizes and reports it. Since synthetic fraud combines pieces of a real person’s identity with fake information, the crime often goes unnoticed and unreported.
- Accounts associated with synthetic IDs appear normal for some time. Traditional fraud happens quickly as the criminal attempts to take action before the victim catches on. But when using synthetic identities, fraudsters may use accounts legitimately for months or even years, appearing to be real customers and lulling businesses into a false sense of security.
How does synthetic fraud work?
Here’s a step-by-step look at how fraudsters typically create a synthetic identity:
Step 1: The fraudster obtains a real SSN.
The first step bad actors take when creating a synthetic identity is locating an SSN to use for fraud. This became easier in 2011 when the government began randomizing SSNs — since these identifiers are no longer connected with an individual’s date or place of birth, fraudsters can try random combinations until they stumble upon a legitimate SSN.
Often, bad actors choose SSNs that belong to children, elderly folks, homeless people, or even the deceased. These groups are less likely to notice fraudulent activity since they typically don’t use or check their credit regularly.
Step 2: The fraudster combines real and fake PII to create a full identity.
Next, the fraudster uses the SSN as a foundation to create a synthetic identity. This can take various forms:
- Manipulation: The criminal uses real but slightly modified PII. For example, they might change “William” to “Bill,” or hyphenate a last name.
- Manufacturing: The fraudster combines real PII from multiple people or mixes it together with completely fake information, creating a “Frankenstein identity.” The criminal might even create fake social media profiles to make this identity appear real.
Step 3: The fraudster applies for credit.
Using their new synthetic identity, the criminal applies for credit from a bank or other financial institution. This first application is usually rejected since the identity has no background or credit history.
However, even if rejected, the application creates a credit file: a crucial step in making the synthetic identity appear legitimate.
Step 4: The fraudster obtains credit.
The fraudster continues to submit applications and add to their credit file. They’re usually able to obtain some form of credit eventually, often by an organization used to dealing with high-risk clients.
Unlike with traditional fraud, the criminal does not take advantage of this credit right away. Instead, they make purchases and pay them off promptly, appearing to be a typical customer and building reputable credit over weeks, months, or years. This helps them gradually get approved for new accounts and increase their credit limits — ultimately allowing them to borrow more money.
Some criminals use a technique called piggybacking to improve their credit score faster. With this strategy, they set up the synthetic identity as an authorized user on someone else’s account or card. The synthetic identity then passively builds credit as the victim uses their account.
Step 5: The fraudster “busts out.”
Once the fraudster has built up enough credit, it’s time to take action. They’ll max out the credit using their synthetic identity, then “disappear” with no intent to pay back the loan.
Some criminals create multiple synthetic identities and maximize their profits by “busting out” several accounts at once.
What are the common uses of synthetic fraud?
Once attackers have created a synthetic identity, they can use it in several ways. Some of the most common uses include:
Employment fraud
In employment fraud, a bad actor applies for a job using a synthetic identity that they have either purchased or created. Critically, this synthetic ID makes use of a real Social Security number that belongs to somebody else. Once hired, the bad actor is able to get paid — leaving the SSN’s real holder on the hook for income taxes.
Sometimes, a bad actor will also choose to defraud the business that hired them, leaving the real owner of the SSN at risk of criminal investigation.
Terrorist financing
Bad actors often use synthetic IDs to open illegitimate accounts with banks and other financial institutions. Once these accounts are open, they can be used for a variety of nefarious purposes — such as financing terrorist activities.
Since the person doing the funneling isn’t real, attackers can simply shut down accounts and create new ones if their actions are uncovered.
“Bust out” fraud
In a bust out scheme, criminals play a longer game. After creating a synthetic ID, they will use that ID to obtain credit cards or open other lines of credit. They’ll then use those accounts responsibly for months or even years — building up their credit rating and earning higher credit limits.
Once these higher limits have been established, the bad actor will then “bust out” by making large purchases or borrowing large sums of money and then vanishing.
Who does synthetic fraud affect?
Synthetic fraud is not a victimless crime. The biggest impact is on those who have their SSNs stolen, especially children. Sadly, 1.25 million children have been victimized by child identity fraud in the past year, costing families almost $1 billion. Many of these affected individuals have no idea there’s an issue until they try to apply for credit or check their credit score, only to realize it’s been compromised.
Banks and financial institutions can also suffer major consequences from synthetic fraud — it’s estimated to cost banks $6 billion annually. If they fail to identify fraudsters before issuing loans, they have no choice but to write off significant losses as bad credit.
How to protect your business and customers from synthetic fraud
As synthetic fraud becomes more common, it’s up to your organization to implement strategies and safeguards to protect your business.
If you are a financial institution or fintech, one of the best options for synthetic fraud detection is to use the eCBSV (electronic consent-based verification service) provided by the Social Security Administration. With this service, you can verify that a given SSN matches the name and birthdate of a person in the Social Security Administration’s records, as well as whether the person is alive. To use the eCBSV in such a manner, you must be a financial institution or fintech company and apply to become a permitted entity.
However, while eCBSV can catch the majority of synthetic identities, it requires customer consent and can be cost-prohibitive if used for every customer.
A better synthetic fraud solution is to use progressive risk segmentation, especially for new users creating accounts. With this strategy, your business can dynamically insert checks into the identity verification process and add extra friction when appropriate.
For example, you could run every user through a typical Know Your Customer (KYC) flow — such as collecting and verifying a standard government-issued ID and selfie. Then, if they have thin or no credit history, or there are any risk factors or red flags in the data (such as multiple accounts being opened from the same location or device), you can use an additional eCBSV check to verify the SSN.
In this scenario, the typical user will have a streamlined experience, but you’re more likely to catch fraudsters using synthetic identities.
Remember: there’s no silver bullet to identity verification. Since no method is foolproof, it’s important to layer different types of verification to offset the tradeoffs of each method without adding too much friction. Known as the “Swiss Cheese Model,” each additional layer is another chance to identify a fraudster and prevent them from damaging your business.
Finally, link analysis can also help you catch synthetic identities by identifying how user accounts are connected to each other. This means if a bad actor creates 10 different accounts using different names and emails but the same SSN, you can easily identify these linked fraudulent accounts and block them both now as well as in the future by performing real-time checks on any accounts that reuse these confirmed fraudulent pieces of information.
Identify synthetic fraud before it’s too late with Persona
If you’re concerned about identifying synthetic fraud in your business, Persona can help. Our system is fully customizable and offers a wide range of verification components, including eCBSV, AAMVA, and other issuing and authoritative database checks. Our fraud investigation and link analysis tool, Graph, also makes it easy to expose hard-to-catch instances of synthetic fraud and block repeat fraudsters — all with minimal engineering investment.
Protect your business and customers with fraud solutions and dynamic verification workflows that meet your unique risk tolerance and internal guidelines. Get started today.