March 11, 2022
By Kindra Cooper
In 2007, an Arizona man discovered that his Social Security number had been stolen and used to create more than 30 fake identities with different names and addresses. One of these phony identities went by the name Gaylord Focker, a character played by Ben Stiller in the 2004 comedy Meet the Parents.
According to the McKinsey Institute, synthetic identity fraud (SIF) is one of the fastest-growing forms of financial crime. It occurs when a cybercriminal creates a fake identity using a real person’s information—such as their Social Security number or home address—combined with made-up information. Unlike traditional identity theft, which entails a wholesale appropriation of another person’s identity, SIF methods are optimized for untraceability. It’s a fast-growing problem. According to the Federal Trade Commission, synthetic identity fraud makes up 85% of all fraud right now, while traditional identity theft accounts for just 10-15% of identity fraud.
By using pieces of someone’s personally identifiable information (PII) and weaving it together with false identifiers, cybercriminals make it harder for financial institutions to detect identity theft and alert the victim.
“Synthetic identity fraud is just as the name implies: it’s a combination of real and fake information,” said Mark Adams, a mentor for Springboard’s Cyber Security Career Track. “For example, fraudsters will take a real name, address, and birthdate, and then combine that with a fake SSN. SSNs usually come from people in prison, children, and the deceased.”
Fraudsters overwhelmingly target these vulnerable groups, including those experiencing homelessness, because they are less likely to actively monitor their credit score.
SentiLink, an identity verification software company, estimates that SIF cost US lenders $1-2 billion in losses in 2019. The problem worsened in 2020, when the losses to financial institutions grew to $20 billion, according to a report from fraud detection company FiVerity.
“With synthetic fraud, unlike identity theft, there’s not oftentimes a direct consumer victim, however, it’s a cost to the entire financial services ecosystem,” Naftali Harris, CEO of SentiLink, said in an interview with KVUU during Identity Theft Awareness Week, a weeklong series of events run by the FTC to raise awareness about identity fraud. “The very things that banks and financial institutions do to prevent identity theft often don’t work for synthetic identity fraud.”
Fraudsters can purchase Social Security numbers on the dark web for as little as $1 (a fake driver’s license costs $20), or invent one. Since 2011, SSNs have been assigned on a randomized basis rather than reflecting the area number of the state, making it easier to fabricate a nine-digit combination that actually belongs to a real person. And in the past three years alone, a series of data breaches revealed 1.4 billion PII elements, giving cybercriminals their pick of real SSNs, home addresses, and other information to co-opt as their own.
According to LexisNexis, there are two types of SIF:
- Manipulated synthetics – A fake identity that uses the SSN and other elements of a real person’s identity but with slight manipulations. For example, someone might create a quasi-fake identity using a real SSN and a fake name to hide a poor credit history to secure a loan for legitimate purchases that they intend to repay. Manipulated synthetics are not always used for malicious purposes.
- Manufactured synthetics – A fake identity that uses a mish-mash of legitimate PII from various individuals—often referred to as a ‘Frankenstein’ identity—with the intention of committing financial crime.
How Does Synthetic Identity Fraud Work?
With cases of synthetic identity fraud, cybercriminals will often build a fake credit profile over the course of several months or years. During this time, they’ll open a bank account, obtain credit cards, and make timely payments to build good credit. As their credit limit rises, they’ll apply for increasingly large lines of credit, only to disappear in what’s known as a “bust out.”
A fraudster might steal someone’s information or buy it on the dark web, then combine it with a fake identity. An estimated 40% of SIF identities were constructed using information stolen from children born after 2011, according to a recent white paper from GIACT, a leading fraud prevention company.
Some criminals even use a single SSN to create multiple identities. They can then open new accounts using the stolen Social Security number. In some cases, fraudsters also use a stolen SSN to apply for benefits like Medicare, Medicaid, unemployment insurance, and SNAP benefits. Fraudsters can also use bots to create hundreds of thousands of credit card applications in a short timespan using a single SSN.
After opening a bank account or obtaining a credit card using a fake identity, criminals will replicate normal credit behavior, making timely repayments and maintaining a good credit record, only to disappear after applying for a large loan or maxing out several credit cards.
When criminals fail to repay their loans, financial institutions are forced to declare a charge-off. A charge-off occurs when a creditor declares that a debt is unlikely to be collected. While this is usually done due to the debtor defaulting or declaring bankruptcy, when it comes to synthetic identity fraud, creditors are forced to declare a loss because the borrower never existed in the first place.
Research by SentiLink found that synthetic identities that have been built to a “prime”-level credit score tend to charge off 75% of the time within 23 months for an average loss to a financial institution of $13,000, compared to legitimate consumers who would be expected to charge off at a rate of 1.5% during the same time. A 2021 report by Experian found that fraudsters even create fake faces for biometric verification. These “Frankenstein faces” use AI to combine facial characteristics from various people to create a new face and foil facial recognition technologies.
Why Is Synthetic Identity Fraud So Effective?
For security reasons, financial institutions have limited access to the Social Security Administration’s records, which makes it difficult to validate a specific combination of PII and determine if someone is using a partially fake identity.
Oftentimes, victims of SIF will see a fragmented file or sub-file added to their main credit file. A fragmented file happens when additional credit report information is tied to your SSN, but with someone else’s name and address. Consequently, when a criminal uses your SSN but not your name, their activities appear on a sub-file of your credit report, not on your regular credit report. Consequently, credit monitoring companies will not discover it with routine searches. Even a credit freeze will not help.
As long as the fake identity exists in a credit bureau record, most financial institutions accept this record of identity as proof of a person’s existence, and will allow them to open an account using those credentials.
“When a new type of cyberattack shows up, it takes time for security experts to recognize it, analyze it, and develop countermeasures,” said Adams. “That is where we are now. The current controls we have are not well-designed to catch this mode of attack.”
However, new federal regulations may help financial institutions crack down on synthetic identity fraud. In February, the Social Security Administration began to allow “permitted entities” to enroll in the SSA’s new electronic consent-based verification service (eCBSV)—a database for comparing fraud protection data. Approved financial institutions can use the database to verify if an individual’s SNN, name, and date of birth combination matches Social Security records. The eCBSV then returns a match verification of “yes” or “no.”
The Dangers of Synthetic Identity Fraud
Because cybercriminals create a composite identity, rather than stealing a real one, synthetic identity fraud is far less traceable than garden-variety identity theft. This raises a few problems:
- Traditional identity theft is easier to detect. When a real person’s identity is stolen, financial institutions can alert them to any unusual activity on their account, such as a login from an unfamiliar IP address. However, fraudsters can use synthetic identities to keep accounts open for months or even years, building up their credit score and gaining access to increasingly large lines of credit, only to eventually max out the credit line and disappear without a trace.
- With SIF, there is no clear evidence of fraudulent activity. This makes it difficult to identify a fraud problem and even harder to know if new defenses are proving effective.
- Children are the most likely victims of SIF because years can go by before the problem is recognized. A study by Carnegie Mellon’s CyLab indicated children’s SSNs are 51 times more likely to be used in SIF than adults’. This is because children don’t have credit reports. When someone applies for a credit card or other form of credit, the creditor will search the files of the three credit reporting bureaus to determine creditworthiness. If no file is found, as is the case with SIF, a new file will be established.
Signs You’ve Been a Victim of Synthetic Identity Fraud
While it’s difficult to tell if parts of your identity have been stolen, one red flag is a sudden drop in your credit score or being denied credit even if you have a good credit history. “Maybe your bank statement doesn’t look right–there are unknown or unauthorized charges–or you’re getting calls from debt collectors,” said Adams. “Or maybe you can’t file your tax return because someone else already filed one in your name.”
Here are some other things to look out for.
- Being contacted about an account you never opened or a debt you didn’t incur
- Aliases appearing on your credit report
- Dramatic lowering of your credit score, plus a lack of negative information on your primary credit report
- Higher fees and interest rates and/or having trouble getting credit
If you have become a victim of SID, notify the three credit reporting agencies—Equifax, Experian, and TransUnion—and ask them to investigate the matter and remove the false information from your sub-files.
To guard against SIF, Adams advises vigilance and abstaining from sharing too much information on social media.
“Monitor your credit report, check your mail for Social Security statements or preapproved credit offers for a child,” he advises. “You can also restrict access to your credit reports using a credit freeze or credit lock.”