How to protect your business against synthetic fraud

Synthetic identity fraud is a fast-growing problem. Learn why it’s important and how to proactively guard your business against it before it’s too late.

Table of contents

A new type of fraud is becoming more common and causing problems for businesses, especially those in the United States: synthetic fraud. In 2019, the U.S Federal Reserve found synthetic fraud was the fastest-growing financial crime.

Read on to understand what synthetic fraud is, how it works, and what safeguards you can use to protect your business against its impacts.

What is synthetic fraud?

Synthetic ID fraud occurs when someone creates a fake identity by combining real information (such as a Social Security number, or SSN) with fake personal identifiable information (PII) such as birth dates, addresses, or phone numbers.

The criminal then uses this synthetic identity to open fraudulent accounts, access credit, and make purchases with no intent of repayment.

As the fastest-growing crime in the US, synthetic fraud totaled $1.8 billion in 2020, and experts estimate that it will increase to $2.42 billion by 2023.

Synthetic fraud vs. traditional fraud

Synthetic identity fraud is different from traditional fraud, where a criminal wrongfully assumes a real person’s identity. With synthetic fraud, the criminal creates a whole new identity by piecing together real and fake PII.

It’s more difficult for organizations to identify and protect against synthetic fraud because:

  • It’s harder to detect. Traditional fraud is usually discovered when the victim realizes and reports it. Since synthetic fraud combines pieces of a real person’s identity with fake information, the crime often goes unnoticed and unreported.
  • Accounts associated with synthetic IDs appear normal for some time. Traditional fraud happens quickly as the criminal attempts to take action before the victim catches on. But when using synthetic identities, fraudsters may use accounts legitimately for months or even years, appearing to be real customers and lulling businesses into a false sense of security.

How does synthetic fraud work?

Step 1: The fraudster obtains a real SSN.

The first step bad actors take when creating a synthetic identity is locating an SSN to use for fraud. This became easier in 2011 when the government began randomizing SSNs — since these identifiers are no longer connected with an individual’s date or place of birth, fraudsters can try random combinations until they stumble upon a legitimate SSN.

Often, bad actors choose SSNs that belong to children, elderly folks, homeless people, or even the deceased. These groups are less likely to notice fraudulent activity since they typically don’t use or check their credit regularly.

Step 2: The fraudster combines real and fake PII to create a full identity.

Next, the fraudster uses the SSN as a foundation to create a synthetic identity. This can take various forms:

  • Manipulation: The criminal uses real but slightly modified PII. For example, they might change “William” to “Bill,” or hyphenate a last name.
  • Manufacturing: The fraudster combines real PII from multiple people or mixes it together with completely fake information, creating a “Frankenstein identity.” The criminal might even create fake social media profiles to make this identity appear real.

Step 3: The fraudster applies for credit.

Using their new synthetic identity, the criminal applies for credit from a bank or other financial institution. This first application is usually rejected since the identity has no background or credit history.

However, even if rejected, the application creates a credit file: a crucial step in making the synthetic identity appear legitimate.

Step 4: The fraudster obtains credit.

The fraudster continues to submit applications and add to their credit file. They’re usually able to obtain some form of credit eventually, often by an organization used to dealing with high-risk clients.

Unlike with traditional fraud, the criminal does not take advantage of this credit right away. Instead, they make purchases and pay them off promptly, appearing to be a typical customer and building reputable credit over weeks, months, or years. This helps them gradually get approved for new accounts and increase their credit limits — ultimately allowing them to borrow more money.

Some criminals use a technique called piggybacking to improve their credit score faster. With this strategy, they set up the synthetic identity as an authorized user on someone else’s account or card. The synthetic identity then passively builds credit as the victim uses their account.

Step 5: The fraudster “busts out.”

Once the fraudster has built up enough credit, it’s time to take action. They’ll max out the credit using their synthetic identity, then “disappear” with no intent to pay back the loan.

Some criminals create multiple synthetic identities and maximize their profits by “busting out” several accounts at once.

Who does synthetic fraud affect?

Synthetic fraud is not a victimless crime. The biggest impact is on those who have their SSNs stolen, especially children. Sadly, 1.25 million children have been victimized by child identity fraud in the past year, costing families almost $1 billion. Many of these affected individuals have no idea there’s an issue until they try to apply for credit or check their credit score, only to realize it’s been compromised.

Banks and financial institutions can also suffer major consequences from synthetic fraud — it’s estimated to cost banks $6 billion annually. If they fail to identify fraudsters before issuing loans, they have no choice but to write off significant losses as bad credit.

How to protect your business and customers from synthetic fraud

As synthetic fraud becomes more common, it’s up to your organization to implement strategies and safeguards to protect your business.

One of the best options for synthetic fraud detection is to use the eCBSV (electronic consent-based verification service) provided by the Social Security Administration. With this service, you can verify that a given SSN matches the name and birthdate of a person in the Social Security Administration’s records, as well as whether the person is alive.

However, while eCBSV can catch the majority of synthetic identities, it requires customer consent and can be cost-prohibitive if used for every customer.

A better synthetic fraud solution is to use progressive risk segmentation, especially for new users creating accounts. With this strategy, your business can dynamically insert checks into the identity verification process and add extra friction when appropriate.

For example, you could run every user through a typical KYC flow — such as collecting and verifying a standard government-issued ID and selfie. Then, if they have thin or no credit history, or there are any risk factors or red flags in the data (such as multiple accounts being opened from the same location or device), you can use an additional eCBSV check to verify the SSN.

In this scenario, the typical user will have a streamlined experience, but you’re more likely to catch fraudsters using synthetic identities.

There’s no silver bullet to identity verification. Since no method is foolproof, it’s important to layer different types of verification to offset the tradeoffs of each method without adding too much friction. Known as the “Swiss Cheese Model,” each additional layer is another chance to identify a fraudster and prevent them from damaging your business.

Identify synthetic fraud before it’s too late with Persona

If you’re concerned about identifying synthetic fraud in your business, Persona can help. Our system is fully customizable and offers a wide range of verification components, including eCBSV, AAMVA, and other issuing and authoritative database checks.

Protect your business and customers with dynamic verification workflows that meet your unique risk tolerance and internal guidelines. Get started today.

Frequently asked questions

No items found.

Continue reading

Continue reading

What is KYB, and why does it matter?

What is KYB, and why does it matter?

If you work with other companies, you may be required to implement KYB verification. Learn more.

Decentralized exchanges and KYC

Decentralized exchanges and KYC

It's important for decentralized exchanges to get ready for KYC and AML regulations now so they will be prepared if and when they find themselves subject to the rules.

5 best practices for securing health data

5 best practices for securing health data

Healthcare organizations must prioritize data security to protect patient information and ensure regulatory compliance. Learn how.

Ready to get started?

Get in touch or start exploring Persona today.