Trends in synthetic identity fraud

Tad Simons

Over the past few years, synthetic identity fraud has surpassed credit-card fraud and identity theft as the fastest-growing form of fraud in the world. Why? Because stealing with a synthetic identity is easy, it’s cheap, and the risk of getting caught is relatively low.

But from a criminal’s point of view, the best thing about synthetic identity fraud is that so many organizations and institutions are vulnerable to it. Many entities like governments, financial institutions, insurance companies, retail stores, and e-commerce sites have not sufficiently upgraded their customer-verification systems to detect and prevent synthetic identity thieves before they strike.

At financial institutions, it’s estimated that 95% of synthetic identities are not detected during the onboarding process. At many e-commerce and retail sites, losses due to synthetic identity theft are either never detected or simply written off as an unrecoverable cost of doing business.

No one knows precisely how much money is lost to synthetic identity theft — estimates range from $20 to $40 billion and growing — but one thing is certain: criminals know opportunity when they see it. Synthetic identity scams have been so successful in so many ways that they are now being used to facilitate all sorts of criminal activity, including romance scams, money laundering, illegal arms sales, human trafficking, and terrorism.

How synthetic identity theft is evolving

To understand how to prevent synthetic identity theft, however, it helps to understand how criminals perpetrate this form of fraud and how it is evolving and mutating to serve more sinister criminal purposes.

In its most basic form, synthetic identity fraud involves stealing a legitimate Social Security number (SSN) from someone — usually a deceased or homeless person — and building a fake identity. Thieves do this by using fictitious contact information and a few cleverly deceptive social media accounts. Then they use this phony identity to apply for a credit card. Over time, the thief builds credit by making small purchases, often gift cards that can be redeemed for cash, and paying off the balance until they max out the card in a massive buying binge and disappear, never to be seen again.

If synthetic identity fraud were only committed by a few unscrupulous individuals, it wouldn’t be such a huge problem. But the truth is that well-organized gangs worldwide are committing synthetic identity fraud, fueled by the ready availability of hacked personal information on the dark web. There, in the darkest corners of the internet, someone can buy a stolen Social Security number for as little as a dollar or two, and batches of hundreds or thousands of them can be purchased for less than the cost of a decent large-screen TV.

Fraud-as-a-service (FaaS)

In fact, synthetic identity fraud is so popular on the dark web that some enterprising criminals have developed a whole new business model known as fraud-as-a-service — literally a service to help people commit fraud. In addition to selling SSNs, credit card numbers, and health information, FaaS sites also sell pre-packaged synthetic IDs individually or in bulk and “bots” that can generate hundreds of e-commerce purchases and checkouts in seconds.

A single dedicated cyberthief armed with these tools may manage dozens or even hundreds of synthetic identities — curating, cultivating, and cashing them out all in a day’s work.

Mule accounts

Meanwhile, federal authorities are becoming increasingly concerned about the use of synthetic identities to facilitate money laundering, human trafficking, and financing terrorism.

One increasingly popular tactic is using synthetic identities to set up “mule accounts.” Criminals use these to launder money by transferring ill-gotten gains into the mule account, then cashing it out or moving the money to another account, making it harder to trace. Instant peer-to-peer payment platforms such as Venmo, Zelle, CashApp, and PayPal are vulnerable to this type of activity. The trend toward faster, easier payment systems makes online fraud prevention much more challenging.

Detection and prevention

Detecting and preventing synthetic identity fraud is difficult because so many aspects of online banking and e-commerce work in favor of fraudsters. In addition to being able to open an account without having to show up in person, criminals rely on financial institutions to be more focused on compliance than prevention — plus, they know that most fraud investigations occur after the fraud has been perpetrated, not before.

More importantly, fraudsters know that financial institutions and retailers, particularly smaller ones, are reluctant to invest in software tools that detect synthetic identities during the account setup, even though such tools are highly effective and widely available.

The best of these tools can distinguish between a synthetic identity and a real one in a matter of seconds. That’s possible because fraudsters only include enough information in a synthetic identity to circumvent standard know-your-customer (KYC) procedures, whereas real people tend to have much more complex and varied digital footprints.

To distinguish between the two, an effective identity verification tool will search public records for addresses, phone numbers, driver’s license information, and other data to verify a person’s authenticity. The best solutions go a step further. They use sophisticated analytics to identify abnormal behavior patterns, provide face recognition and liveness verification, detect forged signatures, recognize fake social media posts, and cross-reference various consumer and government databases to verify the identity of any person or business.

Using such a tool can easily detect synthetic identities during the onboarding process. That’s why criminals target institutions and companies that aren’t likely to have such tools at their disposal — and why such organizations are still so vulnerable to synthetic identity theft. Responsible organizations will invest in technology solutions to prevent harm before it occurs and, in the process, efficiently utilize resources to limit financial impacts.

Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a “consumer report” as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning; establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing; or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.

End-to-end identity verification

Authenticate identities, confirm the legitimacy of documents, and quickly verify that they are who they say they are