When people talk about the “ghost in the machine,” they aren’t usually thinking about synthetic identity fraud—but they might as well be.
The thieves who commit synthetic ID fraud are real, but they hide behind a phantom of their own creation—a fake identity (and sometimes hundreds of them) that they use to obtain loans and secure lines of credit, which they max out and eventually default on, leaving the financial institution to cover the loss.
Estimates about how much financial institutions lose to synthetic ID fraud range from $6 billion to $20 billion per year, but no one really knows, because the crime itself is difficult to detect and often goes unreported. In many cases, the only evidence a bank has of being defrauded is a loan default or an unpaid credit-card bill, which the institution eventually writes off as a credit loss.
How synthetic ID scams work
Synthetic identity fraud is a relatively new phenomenon, enabled by an increasingly digital and mobile financial landscape that remains relatively easy to exploit.
To create a synthetic identity, all a fraudster needs to get started is a Social Security number that isn’t yet recognized by credit bureaus, usually from an individual under the age of 18. Coupled with a fictitious name, date of birth, and an address accessible by the thief, the scammer then proceeds to add layers of credibility to this fictitious identity, sometimes going so far as to create fake social media accounts complete with photos and posts that look real. At some point the scammer starts applying for loans or lines of credit, and as soon as an institution takes the bait, the scam is off and running.
One of the reasons synthetic ID fraud is so hard to detect, however, is that the scammers are as familiar with Know Your Customer (KYC) protocols as banks are. In fact, the practice itself is in many ways the criminal class’s evolved response to the fact that banks have gotten so much better at detecting other types of fraud, such as stolen credit cards or actual identities.
In order to circumvent standard KYC protocols, synthetic ID scammers will go to extraordinary lengths to appear legitimate. Building credit is the game, and the con is a long one. For months or even years the thief may look like an ideal customer, one who makes small purchases every month and pays their bill promptly. As the bank extends this model “customer” more and more credit, or perhaps even an auto loan, everything may look perfectly normal on the surface—until one day the thief cashes out and disappears.
Why are synthetic IDs so hard to detect?
How do synthetic ID fraudsters get away with it, and what can banks do to protect themselves?
One reason synthetic ID fraud is so hard to prevent is that the federal government does not have an easy way for banks to determine whether a social security number, date of birth, or name belongs to a real person. Sometimes financial institutions themselves are reluctant to implement more thorough KYC protocols for fear of adding too much friction to the onboarding process and alienating legitimate new customers.
Furthermore, because banks are often unaware that they have been victimized by this type of fraud, they may be operating with a false sense of confidence in their existing systems and protocols. In other words, some banks don’t feel the need to protect themselves because there doesn’t seem to be anything to protect themselves against.
Of course, these are precisely the cracks in the system that synthetic ID fraudsters work so hard to exploit. Banks that only do basic public records and web searches when onboarding new customers are the easiest to fool. These types of search tools only graze the surface details of a person’s identity, and at that level a well-developed synthetic ID looks identical to a real one.
How to detect synthetic identity fraud
The only reliable way to detect a synthetic ID before it does any harm is to use a more sophisticated solution that pulls information from a variety of databases, both public and proprietary, and compares a broader range of data points to identify anomalies and inconsistencies. These more advanced tools work better because the most noticeable difference between a synthetic ID and a real one is that real people tend to leave behind messier and more diverse data trails.
For example, real people change addresses, phone numbers, and e-mail accounts every now and then; their social media feeds connect with family and other real people; they engage with public authorities through student loans, property records, traffic tickets, marriage licenses, motor vehicle records, and many other means. And as they age, the data trail of a real person tends to grow more consistent, so the same basic information shows up in different places.
When compared with these broader data points, the information connected with synthetic identities tends to be either strangely inconsistent or way too consistent. That is, either the data doesn’t match up or it doesn’t change in the way it should if it were a real person with a real life history.
Advanced search tools that flag these sorts of inconsistencies offer business institutions the best protection against synthetic ID scammers. No tool is perfect, but in the age of digital deception, working without one isn’t a risk worth taking.