In early 2013, 18 people were charged in a $200 million international credit card scam which involved more than 7,000 fake identities and more than 25,000 fraudulent credit cards1.
This case is the cookie cutter template for the typical synthetic identity fraud scam, where fraudsters fabricate identities to obtain credit cards, build up the spending power of those cards, spend as much as they can, and then walk away from the debt.
If you deal with any kind of financial transactions, whether you are part of a financial institution, government, healthcare, or even retail ecommerce, you are probably asking yourself right now – what is synthetic identity fraud, how can I detect it, and most of all, how can I prevent it?
Synthetic Identity Fraud Can Be Difficult to Detect
By now, we’ve all heard about identity fraud. Between 2017-2018 the volume of personal information exposed in data breaches increased by 126% with more than 446 million records exposed2, making personal data such as bank account login credentials, drivers licenses, credit card numbers, social security numbers and other sensitive data readily available to fraudsters. With identity fraud, a fraudster uses this information to pretend to be another real person, often taking over a financial account, or using the victim’s credit. This type of fraud happens quickly and is detected & reported relatively quickly when a victim notices an unusual charge on their statement.
Synthetic identity fraud can be difficult to detect. Identities can be cultivated over a long period of time, sometimes years, but sometimes we also see synthetic identities targeting quick wins in markets like retail. In these latter cases, they don’t spend as much time curating their credit because the goal is to get smaller returns from a larger volume of activity, vs. higher returns from more targeted activity. Synthetic identity crimes often go unreported because there are no individual victims to alert financial institutions or businesses of the unusual activity.
Synthetic Identity Fraud occurs when a fraudster creates an identity by cobbling legitimate (and sometimes fake) information together, eg., name, address, social security number, date of birth, email and phone number. This new identity does not tie back to a real-person, and a fraudster may create many such identities to maximize their revenue potential.
Cleverly disguised, 85-95% of synthetic identities slip into the financial system undetected3, bypassing standard screenings. To financial institutions, they may look like a legitimate customer that is new to credit, like a young adult, or a new to the country. Unfortunately, once in the system, over time, as these fraudulent identities become established and mature, they even begin to appear as very desirable customers.
In this article, I’m going to focus primarily on professional fraudsters who manufacture synthetic identities. In a future article I will address more about consumers that manipulate their own identities to escape bad credit history, and get access to new credit and services. Those looking to escape bad credit history use similar techniques as the professional fraudsters.
How does synthetic fraud play out?
With manufactured synthetic identity activity, there is a common pattern of 4 critical steps:
- Create a synthetic identity
- Establish the legitimacy
- Increase creditworthiness and credit limits
- Bust out
#1 Create a Synthetic Identity
The first step for these criminals is to create a fraudulent identity. They could just make up elements, like 123 Rainbow Rd., Neverland, AM. But… fraudsters being the clever people they are, know that financial institutions are required by the US Patriot Act to do a process called KYC (Know Your Customer), where they are required by law to collect name, date of birth, address, and social security number or tax payer number for any user opening a new account. Often, the fraudster will cobble together legitimate names, addresses, and social security numbers, so they will pass a check when scrutinized for validity.
The social security number is one of the key elements that allows a consumer to establish credit. It is believed that one of the reasons behind the increase in synthetic identity fraud, was the change in 2011 to the way that the Social Security Administration issued Social Security Numbers. Rather than generating the number based on a person’s location and year of birth, they switched to random number generation4.
When fraudsters create a synthetic identity, they will commonly use the social security numbers of individuals less likely to notice the exploitation such as elderly, or homeless, and even children.
Children’s social security numbers are especially valuable because unused numbers can be paired with any name and birth date, and chances of discovery of this use is low. It often takes 10-15 years before the theft is detected, as parents don’t typically monitor their children’s identities. More than 1 million children were the victims of identity fraud in 20175 and child social security numbers are 51 times more likely to be used in synthetic identity theft6.
#2 Establish the Legitimacy
Once an identity has been created, the fraudster then has to bring it forth into the world. The easiest way to establish legitimacy, is to start to get this synthetic identity into the credit bureau. The most common ways to do this are:
- Apply for credit cards. The act of applying, whether online or at a branch, approved or denied establishes a record with the credit bureau, legitimizing the identity.
- Apply for secured credit card. This can be an easier path for the fraudster, as this is a product designed to help people establish credit.
- Piggybacking (a technique used by these fraudsters about 50% of the time7). By adding an authorized user on the account of another individual with good credit, the authorized user inherits the good credit history and positive credit score of the parent account and is a quick way to establish credit for the newly created synthetic identity.
#3 Increase Creditworthiness and Credit Limits
Once a synthetic identity has been planted in the financial system, they look and behave like normal consumers, and the identity can be nurtured for months and sometimes even years.
These accounts may even support the fostering of other synthetic identities, serving as the parent account for other synthetic authorized users on the same credit card.
Fraudsters will cultivate these accounts by making small purchases and paying these off to build good repayment histories. They will open new credit cards, bank accounts, transfer funds, pay bills (on time) so they can improve their credit history.
They may open personal loans, or take out auto loans, but their goal is to get as many lines of credit and increase their credit limits to as much as possible to maximize their eventual payoff. Through a technique called “loan stacking”, these fraudsters take advantage of lenders fast turnaround times and inability to verify multiple loan applicants in a short period of time. Financial institutions can be eager to provide these loans because they look like great customers to the bank.
#4 Bust Out
Once the fraudster has built up what they deem adequate credit payoff, they execute a “bust out” – maximizing all their credit lines at one time with no intent to repay. If an auto loan is involved, they could drive away with a brand-new car, and the lender would have no one to pursue.
And then to make matters worse, they may try to multiply their payouts by filing a claim with the financial institution, indicating that they (their fictitious entity) were the victim of identity theft, and dispute the loss. This “credit washing” technique could result in charges being reversed and credit lines reopened.
Under the Fair Credit Reporting Act, banks are required to respond to these disputes in a set period of time. They may trigger a flood of claims, to reduce the chance that the financial institution can complete a full investigation within this window. If they are able to successfully close a dispute, their credit won’t be negatively impacted, and they can continue to use their synthetic identity.
This Is Happening at Your Financial Institution
According to the Federal Reserve, synthetic identity payments fraud is the fastest-growing type of fraud in the US, and it is only going to keep increasing. In 2016, this represented more than $6 billion in losses, a big hit for financial institutions.
To understand the impact this may have on you, understand that synthetic identity fraud represents more than 5% of charged-off accounts AND 20% of credit losses. At an average charge-off balance of $15K per instance of synthetic identity fraud, you can see how this can quickly add up. This number doesn’t even take into account any expenses associated with trying to recover funds from a person that doesn’t exist.
What can you do about it?
Detecting synthetic identities can be a tricky matter. One of the steps you can take is to reframe the questions you ask about these customers. For example, instead of asking “Is this really the applicant?”, you can ask “is the applicant real?”
There are common indicators of Synthetic identities to look out for:
- Synthetic identities appear out of nowhere: First appearance is with the credit bureau
- Depth of relationships: They will have no parents, no family, no friends, no associates
- Identity consistency: Has the PII asserted on a new account application always went together? Have we seen multiple identities share information like SSN that should have a unique relationship, or an identity use multiple dates of birth?
- Behavior history: Has the identity been seen safely managing credit relationships for an extended period of time (multiple years)?
- Identity history: They have no history – no birth records, no driver’s license or other DMV records, no passports, no house or property ownership, no utility bills, no professional licenses, etc.
- Authorized users: They may have an unusually large number of authorized users on an account
- Email tenure history: Length of history or lack thereof can often be an indicator. Is the email associated with a number of users – fraudsters want to keep tabs on their accounts, and will often recycle email addresses
As an example, a product manager is likely to have worked at a couple of different companies (employment history), have a cell phone (telecom records), have an email that was set up years ago (email records), may have lived at multiple residences (address records), may even own property (property records), could have had a student loan 10 years ago (financial records), probably drives a car (DMV records), and has social media accounts.
Basic best practices for detecting fraud include, using machine learning and artificial intelligence to learn customer behavior patterns and identify anomalies. Analyze and connect a multitude of data sources including 3rd party data. Look at data not only across accounts and portfolios, but across organizations, as fraudsters will typically target multiple organizations with the same data.
Be sure to also look at the individual’s digital identity or profile as well as their physical identity information to understand a complete view of the customer behavior patterns. When checking personally identifiable information, don’t only check to see if the information is legitimate, but make sure it all belongs together, and that there isn’t any fraud associated within the elements.
Check for unusual occurrences, and patterns such as –
- A high volume of account applications for credit products from the same IP address, device, or associated with the same social security number, particularly across organizations
- Multiple names or addresses tied to same IP address, device, email, phone, or social security number
- Individuals or authorized user on the same account that have different surnames or cities associated with them
If that sounds like a long list of best practices, it’s because the key to detecting synthetic identities effectively relies on a multi-layered approach. Any of the above indicators have a high association with legitimate consumers – young people lack credit history and heavily use authorized user accounts for example, while new immigrants will initially lack history U.S. family and document history. By looking for a combination of these risk indicators in a multi-tiered approach, an effective defense quickly emerges.
Combating synthetic fraud should not be done in a silo. Connect with other industry partners and law enforcement to share information, identify trends, behaviors, and threats. By leveraging these best practices, you can help improve your ability to detect and mitigate synthetic fraud.
1. Qureshi, B. (2013, February 5). Retrieved from United States Department of Justice: https://www.justice.gov/usao-nj/pr/eighteen-people-charged-international-200-million-credit-card-fraud-scam
2. Lacey, C. (n.d.). 2018 End-of-Year Data Breach Report. Retrieved from Identity Theft Resource Center: https://www.idtheftcenter.org/2018-end-of-year-data-breach-report/
3. Slipping through the cracks: How synthetic identities are beating your defenses. (n.d.). Retrieved from ID: Analytics: https://www.idanalytics.com/wp-content/uploads/2018/11/Synthetic-Identity_Slipping-through-the-cracks_Executive-Summary.pdf
4. Social Security. (n.d.). Retrieved from Social Security Randomization: https://www.ssa.gov/employer/randomization.html
5. Child Identity Fraud Hit More Than One Million U.S. Victims in 2017 According to New Javelin Strategy & Research Study. (2018, April 24). Retrieved from Javelin: https://www.javelinstrategy.com/node/59561
6. Power, R. (2011, March 9). Child Identity Theft. Retrieved from Carnegie Mellon CyLab: https://www.cylab.cmu.edu/_files/pdfs/reports/2011/child-identity-theft.pdf
7. Cunha, J. (2019, October). Detecting Identity Fraud in the US Payment System. Retrieved from Federal Reserve: https://fedpaymentsimprovement.org/wp-content/uploads/frs-synthetic-identity-payments-fraud-white-paper-october-2019.pdf