Shining a Light on Synthetic Identity Fraud
March 14, 2022
By Greg Woolf, CEO of FiVerity
Cyber fraud is not only one of the fastest-growing crimes plaguing financial institutions, it’s also one of the most elusive. Of all forms of cyber fraud, none is more difficult to detect than synthetic identity fraud (SIF).
For those unfamiliar with SIF, criminals are creating synthetic identities composed of personally identifiable information (PII), including names, addresses and social security numbers, stolen from multiple people and combined together to form an entirely new persona.
These personas are built using intimate knowledge of fraud detection rules and can bypass legacy anti-fraud systems with ease. Criminals then play the long game, accruing increasingly large lines of credit before eventually busting out — stealing tens of thousands of dollars. Their sophisticated methods ensure that 85% of SIF goes undetected by legacy systems.
SIF’s profitability has helped it become one of the fastest-growing financial crimes in the U.S. The 2021 Synthetic Identity Fraud Report, utilizing data from FiVerity’s Cyber Fraud Network™, estimates that $20 billion was lost to SIF in 2020.
The Sophistication of Synthetic Identity Fraud
The creation of synthetic identities begins on the dark web, where criminals can find the 1.3 billion identity elements that have been exposed over the last five years. According to research firm Comparitech, “personal information from US citizens found on the dark web — ranging from social security numbers, stolen credit card numbers, hacked PayPal accounts, and more — is worth just $8 on average.”
Fraudsters use automation to assemble these identity elements and submit credit card, auto and personal loan applications to a range of consumer lending institutions. Next, they use machine learning to analyze how loans are approved and declined, gaining an understanding of the rules-based systems used to approve credit applications. Using data to mimic legitimate consumer profiles, criminals create synthetic profiles that have a high chance of avoiding detection.
Based on FiVerity data, a typical synthetic identity has these traits:
- Credit rating: The average SIF identity has a high FICO score of 742. According to Experian, the average FICO Score in the US in 2020 was 710.
- Credit limit: SIF profiles start with an average initial credit limit of $12,000 per institution. At the time of bust out, the aggregate credit exposure across multiple institutions nears $97,000.
- Trade lines: The typical SIF identity quickly opens five accounts - typically at different institutions. Upon busting out, these profiles will have opened eight to ten accounts on average.
Criminals Play the Long Game
While the high-tech approach to creating synthetic identities is a hallmark of this crime, so too is the level of patience and restraint exhibited by fraudsters. They eschew immediate monetary gains in favor of smaller loans that consistently build up incremental increases in credit. Typically, these individual loans are valued at less than $15K and often start with low-balance cash cards obtained through lenders with generous credit standards. As a result, these transactions don’t set off alarms at financial institutions.
The payment activity of these fake identities mirror those of a typical customer — they maintain a relatively low balance and pay their bills on time. It’s a systematic process that keeps them out of the spotlight until they are ready to strike — this generally occurs anywhere from 6 to 18 months from the beginning of the synthetic identity’s credit history to its ultimate default. At this point, they bust out with $81,000 to $97,000 in stolen proceeds. Their crime then goes undetected when financial institutions attribute the theft to bad underwriting.
The Human Cost of Synthetic Identity Fraud
Despite rarely attracting the attention of mainstream media outlets, the Federal Reserve and others have confirmed SIF’s link to organized crime, with profits being used to fund human trafficking and even terrorism.
Indeed, when the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) released its latest Anti-Money Laundering and Countering the Financing of Terrorism National Priorities, the rise of SIF was among the top ten crimes highlighted as a threat to national security.
A Call for Collaboration
From a regulatory standpoint, the fight against SIF is being led in part by the Federal Reserve. Its 2020 Payment Fraud Insight white paper noted that “no single organization can stop synthetic identity fraud on its own,” calling for a collaborative approach between industry and government to combat this threat.
Until recently, financial institutions have been hesitant to collaborate due to competitive concerns and privacy regulations. However, the industry is increasingly recognizing that sharing information on synthetic identities is the only way to turn the tide against highly sophisticated cyber criminals.