Synthetic Identity Fraud Calls for a New Approach to Identity Verification in Government
Whatever method bad actors employ to create synthetic identities, synthetic identity fraud has become the fastest growing type of financial crime in the US according to the Department of Justice.
In 2022, US financial institutions and the credit card sector lost an estimated $4.88 billion to synthetic identities through falsified deposit accounts and unsecured credit cards. That’s because legacy fraud prevention procedures often come up short in the effort to defend against this growing threat.
As a result, increasingly sophisticated crime rings are using these techniques to not only target financial institutions, but also government agencies and enterprises as diverse as telecom firms, online gaming businesses and property management companies.
The many faces of synthetic identity fraud
Synthetic identity fraudsters’ tactics vary widely, as do definitions of the crime itself. In fact, there is no universally accepted definition of synthetic identity fraud, in part because this type of fraud often overlaps with first-party fraud and identity theft. However, the common denominator is the creation of fictitious identities — either developed from scratch using entirely fabricated data elements or (more frequently) by manipulating or combining various stolen identity elements to form new identities, which are then used to engage in fraudulent activities.
In a typical example, a fraudster might steal a genuine Social Security number (from a deceased person, or from a child or older adult who is unlikely to check their personal credit report) and combine it with another person’s contact information to apply for credit. Although the first request will likely be denied, that denial will create a profile for the fake person in the credit reporting system, thereby legitimizing the synthetic identity.
The fraudster will then keep trying until someone – maybe a retailer or a small financial institution with less sophisticated identity verification processes – grants the request. From there, organized crime rings will patiently build up these new identities over time, using the initial credit responsibly to steadily raise their credit scores and gain access to more and more credit until they “bust out” and disappear with the funds.
There are also a few other entry points into the credit reporting system. These include:
Applying for a rental property or mobile phone (both of which have the added advantage of helping the fraudster pass stepped-up authentication measures)
Adding an authorized user to an existing credit line (known as springboarding), or
Applying for a secured credit card (which often involves less rigorous risk assessment by the issuer).
Deposit accounts are targeted by synthetic identity fraudsters as well, not only to commit deposit or ACH fraud, but also to access credit products. Fraud controls on deposit accounts are often less rigorous, and once a criminal has established a deposit account, they may be offered a credit account with little identity verification.
Once a synthetic identity’s credit line is on an organization’s books and the fraudster “busts out,” the fraud is usually written off as a credit loss — a loss that’s exacerbated by the waste of resources trying to collect from someone who doesn’t exist. For financial institutions, the situation also represents a Know Your Customer compliance risk, as regulators may view organizations with many synthetics on their books as having inadequate identity verification processes.
Reducing the impact of synthetics
What can be done to tackle the scourge of synthetic identity fraud? At the industry level, lenders and credit bureaus must come together to develop a standard approach for identifying, classifying and reporting synthetic identities. Targeted businesses also need to share data, as criminals use their synthetic identities at (and often defraud) many different organizations as they build their credit histories. Forming a consortium to share intelligence could bring suspicious patterns of activity to light sooner, likely reducing the risk of massive losses.
On an organizational level, a multi-pronged detection strategy is highly recommended. Enterprises need to implement identity verification solutions that combine online and offline data to comprehensively examine risk signals, such as device behavior biometrics, device identity and reputation, email tenure and reputation, mobile phone tenure and reputation, usage patterns of personally identifiable information, and tenure and activity on social media platforms.
Sophisticated fraudsters do create and curate – sometimes for many years – social media profiles for their synthetic identities to beat the fraud risk-assessment processes of lenders that evaluate applicants’ social media presence. But synthetic identities still have characteristics that can generate red flags, such as a lack of typical linear consumer history elements (say, a driver’s license) or no evidence of real-world contacts with the supposed family and friends in their social media profiles.
The traditional approach of checking individual identity elements is inadequate because each piece of data may be technically correct on its own (a legitimate Social Security number, address, phone number, etc.) or may be easily manipulated (an IP address that is merely near the claimed physical address). Instead, organizations need to evaluate each identity marker in combination with all the others and assess the strength of the linkages between them. Identifying how frequently the various pieces of data connect to each other, and how long those linkages have been in existence, helps enable a risk score to be correctly assigned to each interaction.
If all the data points consistently link to a single identity that has been stable over time, the organization can score the interaction as low risk. If the connections are more tenuous, the organization can flag the interaction for closer examination.
These solutions help organizations protect themselves more effectively against synthetic identity fraud not only at account origination, but throughout the lifetime of the customer relationship — and can thus help combat account takeovers based on traditional identity theft, as well.
And as an added benefit, a more integrated understanding of identity can improve the user experience for legitimate customers. Enabling the immediate behind-the-scenes positive identification of returning customers allows them to likely avoid cumbersome and time-consuming authentication processes.
A preventable crime
Synthetic identity fraud is one of the most challenging issues faced by fraud prevention professionals, but with the right tools and an updated approach — and, ideally, enhanced coordination between lenders and credit bureaus — even the most painstakingly created fictitious identities can be detected. Organizations that move beyond the “checklist” approach to verification and embrace an integrated view of identity will be much better positioned to understand who is on the other side of any given transaction, allowing them to quickly flag suspicious interactions and prevent credit losses.