May 19, 2022
In the past few years, synthetic identity theft has become the most prominent form of identity fraud in the US. According to a recent report by FiVerity, estimated losses to synthetic fraud hovered around $20 billion in 2020, rising from around $6 billion annually just five years earlier.
You’re probably wondering: how does a $14 billion spike in losses affect your bottom line? We’re about to find out.
In this article, we’ll discuss what synthetic identity theft is and how it works. We’ll also explain why it matters and how both consumers and merchants can avoid it altogether.
What is Synthetic Identity Theft?
Synthetic identity theft, also known as synthetic identity fraud, occurs when cybercriminals use compiled stolen data to create new identities (instead of stealing and using existing accounts). They can use these synthetic identities to carry out fraud attacks.
Other attack methods like account takeover fraud or clean fraud are based around established identities. The fraudster gains access to a cardholder’s account or personal information, then purchases as much as possible within the limited window prior to discovery.
Synthetic fraudsters take a bolder approach with an eye to the long term. They’re creating fictional identities by combining a stolen Social Security number with a legitimate address (often a PO box). Posing as these “synthetic” customers, the fraudsters begin applying for credit accounts.
Of course, banks commonly reject credit requests for persons with no credit profile on record. Ironically, however, inquiring about an account leads credit bureaus to believe a faux customer exists. The odds are good that, eventually, some lender will approve credit for an applicant.
Once the fraudster decides the credit limits are high enough—a process that can take years—they will “bust out,” maxing out all the accounts associated with the fake customer before discarding the identity altogether and disappearing.
How Does Synthetic Identity Theft Work?
There’s not a lot of information available to help accurately identify a case of identity theft before an attack. Merchants can easily recognize one after the fact, though. Once the dust settles, and the fraudster has abandoned the account in question, it’s just a matter of determining which method was used.
There are two main categories of synthetic identity fraud:
MANUFACTURED SYNTHETIC IDENTITIES
Sometimes called ‘Frankenstein’ identities, they are cobbled together from personally identifiable information (PII) taken from multiple sources. For example, fraudsters can craft a false identity that features verifiable data points by using the SSN from one individual, the address from another, and the account information from a third user.
A more recent incarnation of this type of synthetic fraud involves a manufactured identity that doesn’t feature verifiable data points aside from a randomized SSN. Building a PII profile from scratch means that this information is solely in the fraudster's control. Therefore, it’s very difficult to distinguish from a real customer.
MANIPULATED SYNTHETIC IDENTITIES
Identities based on a real person are less likely to throw up red flags, which is why this type of synthetic fraud is popular. To perpetrate this, fraudsters will make limited changes to an SSN in order to hide a past credit history and gain access to credit.
This type of synthetic fraud is more identifiable than manufactured identity fraud, since it often intersects with the real identity the fraudster is attempting to ‘borrow’. It is, therefore, more likely to fail a validity check.
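As an added illustration (not part of the original article), here is one way a lender or merchant could screen applications for the two patterns described above: a known name and date of birth paired with a slightly altered SSN (manipulated), and a known SSN paired with someone else's name (manufactured). The record fields, the two-digit threshold and the sample records are assumptions; the SSNs are constructed in the 9xx area range, which is not issued as SSNs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    name: str
    dob: str   # ISO date, e.g. "1984-03-12"
    ssn: str   # constructed sample values only

def digits(ssn):
    """Strip dashes and spaces so SSNs compare position by position."""
    return "".join(c for c in ssn if c.isdigit())

def digit_distance(a, b):
    """Number of positions at which two 9-digit SSNs differ."""
    return sum(x != y for x, y in zip(a, b))

def norm(name):
    return " ".join(name.lower().split())

def screen(applicant, known, max_changed=2):
    """Compare one application against records already on file.

    Returns (flag, matched_record) pairs:
      "manipulated"  - same name and DOB, SSN altered in a few digits
      "manufactured" - same SSN, but a different name or DOB
    max_changed is an assumed threshold for "limited changes".
    """
    flags = []
    a_ssn = digits(applicant.ssn)
    for rec in known:
        dist = digit_distance(a_ssn, digits(rec.ssn))
        same_person = (norm(rec.name) == norm(applicant.name)
                       and rec.dob == applicant.dob)
        if same_person and 0 < dist <= max_changed:
            flags.append(("manipulated", rec))
        elif not same_person and dist == 0:
            flags.append(("manufactured", rec))
    return flags

# Constructed records on file and constructed incoming applications.
KNOWN = [Identity("Dana Reyes", "1984-03-12", "900-55-1234"),
         Identity("Lee Park", "1990-07-01", "900-55-7788")]
APPS = [Identity("Dana Reyes", "1984-03-12", "900-55-1243"),  # altered SSN
        Identity("Sam Ortiz", "1979-11-30", "900-55-7788"),   # borrowed SSN
        Identity("Lee Park", "1990-07-01", "900-55-7788")]    # exact match

if __name__ == "__main__":
    for app in APPS:
        print(app.name, [(f, r.name) for f, r in screen(app, KNOWN)])
```

A flag here is a reason for manual review rather than proof of fraud, since typos in a real customer's SSN produce the same signal.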
Why We Should Be Paying Attention
Synthetic fraud is so concerning because it doesn’t require a specific consumer target. With other third-party fraud tactics, a person’s whole identity is subsumed by a fraudster to defraud others. With synthetic fraud, however, the fraudster pulls data from multiple sources, making it less likely that any one individual will discover the threat.
Without a specified victim, two major challenges present themselves:
- Criminals can keep synthetic accounts open for years, increasing credit lines, building scores, and stockpiling these resources only to max out each line and then cash out of them altogether.
- In these instances, there is no obvious indication of fraud nor any sign of fraudulent activity until it’s too late. This makes it extremely difficult to diagnose when and where breaches occur, and to develop strategies to combat them.
Another contributing factor complicating the risks associated with synthetic identity is SSN randomization. Randomizing Social Security numbers has been the policy of the Social Security Administration since 2011. Randomization was intended to increase safeguards for the public. Instead, it’s only made it more difficult for fraud tools and detection systems to pinpoint a false SSN.
These are just a few examples of why synthetic identities are something to be aware of and prepared for. Aside from these, the term itself lacks a clear definition, contributing to a definite lack of inter-agency cohesion for action. If you can’t really agree about what a synthetic identity is and does, how can you cooperate to fight back?