Industry

What is identity fraud?

When someone uses a different identity to commit a crime, they’re engaging in identity fraud. Learn how to protect your business..

Image of an identity fraud flow chart
Last updated:
3/21/2024
Read time:
Share this post
Copied
Table of contents
⚡ Key takeaways
  • Identity fraud, sometimes called identity theft, is fraud that involves a stolen or fictitious identity.
  • Common types of identity fraud include credit card fraud, account takeover fraud, medical identity fraud, and synthetic identity fraud. 
  • Organizations can help protect against identity fraud by implementing strong identity verification and authentication processes.

It seems like every few weeks there’s a data breach that exposes the personally identifying information (PII) of millions of people. Sadly, this may be our new reality. In its Account Takeover in 2022 report, Digital Shadows claims that over 24.5 billion usernames and passwords were exposed in 2022 — a 65% increase since 2020. 

However, a stolen identity is just the beginning. While some fraudsters and criminal organizations may move down the attack chain to monetize the PII they steal, others specialize in theft and then sell the stolen information. Bad actors can then purchase the PII and use it to commit various crimes, including different types of identity fraud. 

What is identity fraud?

Identity fraud is when a person or group uses an identity that isn’t their own to commit fraud. The specific type of fraud can range widely, from a teenager using a fake ID to buy alcohol to international criminal organizations creating identities to steal pandemic-related benefits and launder money

How is identity fraud different from identity theft?

Identity theft is the act of stealing an identity, while identity fraud is committing a crime using someone else’s identity. However, many use the terms interchangeably to refer to criminal activity involving stolen or fictitious PII.  

Identity theft and fraud often go hand-in-hand, but that’s not always the case. For example, rather than using someone else’s identity, a bad actor might alter aspects of their identity to commit a crime. That’s the case with the teenager, assuming their fake ID had their legitimate name and address, but a fake birthday. Bad actors can also create new identities and use these to commit crimes. 

Different types of identity fraud

Identity fraud can be the result of a precisely targeted attack, bad actors indiscriminately looking for weaknesses and opportunities that they can exploit, or the purchase and use of stolen PII. It can take different forms depending on the bad actor’s resources and goals, but some common examples include: 

Account takeover fraud

Account takeover (ATO) fraud is when an unauthorized person takes control of an account. 

Bad actors often use credential stuffing to attempt to break into accounts, which is when they use stolen or bought credentials to try to access accounts en masse. This type of attack often works because people tend to use the same password — or similar modifications of passwords — for multiple accounts. However, bad actors can also gain access to an account after a successful phishing attack or by installing malware on a victim’s device. 

Bank accounts are prime targets, as bad actors can transfer money out of them once they break in. However, ATO attacks can target other types of accounts, too. For example, bad actors with access to a social media account might blackmail account holders or try to get their followers and friends to click on malicious links. Loyalty accounts can also be juicy targets because the bad actors can cash out the accrued points, miles, gift cards, or rewards. 

While an ATO obviously hurts the account owner, businesses may bear the brunt of the financial cost as they work to make things right. In fact, some organizations might have a legal obligation to reimburse users or an internal commitment to reimburse customers and protect their brand’s reputation.  

Credit card fraud

Credit card fraud can refer to someone using stolen credit card information to make fraudulent purchases or using a stolen (or fake) identity to fraudulently open a new credit card. While federal laws and card issuer policies protect consumers from financial losses, depending on the situation, the merchant or the card issuer may need to cover the cost of unauthorized purchases. 

Medical identity fraud

Medical identity fraud is when a bad actor uses someone else’s medical information to get medical services, products, devices, or insurance benefits. For example, someone might use stolen medical and personal information to buy prescription painkillers. 

There is also insider medical identity fraud, which is when a healthcare provider fraudulently adds procedures or medications to a client’s records to collect insurance payments, and friendly medical identity fraud, which is when a person knowingly lets someone else (such as a family member who doesn’t have insurance) use their healthcare coverage. 

Medical identity fraud can be especially harmful because it can lead to errors in medical records that could result in harmful mistakes when someone legitimately seeks care. 

Synthetic identity fraud

Synthetic identity fraud is when someone creates a new identity, often by combining real information with fake PII, to commit crimes. 

For example, bad actors might use Social Security numbers that belong to incarcerated people, the elderly, or children (i.e groups who don’t frequently use or check their credit) with a fake name and date of birth to apply for credit accounts.

An initial application could lead to a new credit file for the synthetic identity, and bad actors can then build up credit for the identity. Once they’ve established good credit, they can use the synthetic identity to apply for loans and credit cards before “busting out” by maxing out the accounts and taking off with the funds. Bad actors also use synthetic identities to commit other crimes, such as opening money mule bank accounts to launder money

Synthetic identity fraud is a rapidly growing type of fraud that’s difficult to detect. Once an account is open, the activity often looks legitimate and it can be hard to distinguish between credit losses and synthetic fraud losses. 

Survey report
See how your fraud challenges and strategies compare to other orgs

What can you do to prevent identity fraud?

Detecting and preventing identity fraud is a pervasive challenge for businesses. Implementing strong identity verification and authentication is important — and a legal requirement for some organizations. But bad actors are also quick to change tactics when they discover a new weakness or type of attack, so you need systems and vendors that can react quickly. 

Identifying bad actors at account creation is ideal. But you have to find the right balance between fighting fraud and converting good users. Automating checks and processes based on your goals can help, as can dynamically adjusting friction based on each user’s risk signals. 

For example, synthetic identity fraud is tough to detect because bad actors know and can confirm all the identifying information related to the fake identity they’re using. However, you can now detect if someone is using a stolen SSN to create a new identity by running eCBSV (electronic consent-based verification service) checks to verify the name and date of birth associated with an SSN. To limit customer drop-off and costs, use a rules-based approach to determine if and when an eCBSV check is appropriate.

Monitoring and authenticating existing customers is also important. Multi-factor authentication (MFA) can help protect accounts from takeovers, even if the bad actor has the correct credentials. But again, to minimize disrupting legitimate customers, you can trigger MFA checks based on specific conditions — such as when someone attempts to log in from a new device or location.  

You can also use the user’s actions (e.g., placing a large order or transfer), passive signals, and behavioral signals to trigger additional verification and authentication checks. 

At Persona, we understand how important it can be to fight identity fraud while creating an outstanding experience for your legitimate users. We’ve created a unique Verification solution that you can use to automate and customize your users’ verification journey based on your organization’s specific needs. 

You can learn more and get started for free or request a demo today.

Published on:
3/7/2023

Frequently asked questions

What qualifies as identity fraud?

Identity fraud is when an individual or organization steals or creates an identity and uses it to commit a crime. There are many types of identity fraud, including credit card fraud, medical identity fraud, and synthetic identity fraud. 

Can organizations recover from identity fraud?

While identity fraud can be costly — both monetarily and reputationally — for organizations, it is possible for them to recover. Investing in detection and prevention measures can also help limit the risk of losses from identity fraud. 

How can you report identity fraud?

Individuals can report identity theft and fraud to the Federal Trade Commission (FTC) at IdentityTheft.gov and to their local police department. The FTC will create a custom recovery plan based on their situation and type of identity fraud and create an FTC Identity Theft Report that consumers can use to dispute resulting errors in their credit reports. 

Continue reading

Continue reading

3 ways to fight chargeback fraud with IDV
3 ways to fight chargeback fraud with IDV
Industry

3 ways to fight chargeback fraud with IDV

Chargeback fraud is a growing problem for e-commerce companies, but there are practical ways to mitigate it.

Refund fraud: what it is, why it’s increasing, and how to stop it
Refund fraud: what it is, why it’s increasing, and how to stop it
Industry

Refund fraud: what it is, why it’s increasing, and how to stop it

Discover the many ways refund fraud shows up — and learn how to stop it.

Are marketplaces responsible for AML?
Are marketplaces responsible for AML?
Industry

Are marketplaces responsible for AML?

Learn who’s responsible for complying with AML regulations, and what your marketplace can do to prevent fraud.

What is account takeover fraud?
Industry

What is account takeover fraud?

Account takeover fraud can negatively impact both your customers and business. Learn what it is, how to prevent it, and more.

How to protect your business against synthetic fraud
Industry

How to protect your business against synthetic fraud

Synthetic identity fraud is a fast-growing problem. Learn why it’s important and how to proactively guard your business against it before it’s too late.

What is account creation fraud?
Industry

What is account creation fraud?

Learn what account creation fraud is, what it can look like, how it typically works, and how to protect your business and legitimate users.

Ready to get started?

Get in touch or start exploring Persona today.