In Mary Shelley’s pioneering 1818 Gothic horror novel Frankenstein, a mad scientist assembles a monster from human remains, animating life into it with a surge of electricity. The miserable monster eventually busts out and causes widespread mayhem and destruction.
The financial, retail, and loan worlds have a Frankenstein of their own: synthetic identity fraud. Like Dr. Frankenstein, fraudsters assemble a new identity from parts: perhaps a Social Security number (SSN) from a child or a deceased grandparent, fused together with a name and birth date of someone within the prison population. The fraudster then adds their own details and applies for under-the-radar credit — something with a lower bar to entry, like a starter credit card.
Slowly and patiently, they build credit history — adding credit cards or consumer loans, making reasonable purchases and paying off the balances to increase their credit lines. Since they behave like good customers, these synthetic identities remain under the radar until they “bust out,” maxing out the credit line with no real person to pursue.
Once established, synthetic identities are very difficult to detect and root out, and many institutions have no idea of their true risk exposure. Institutions can better understand their risk and improve their ability to combat it, but they must first know the factors driving this synthetic identity fraud epidemic.
What is synthetic identity fraud?
While synthetic identity fraud may be well understood, institutions have no agreed upon system for classifying the loss when these accounts default.
They may lack the capabilities to make an accurate determination of whether a credit loss is really a credit loss, or whether it is a fraud loss and they are simply unable to establish a synthetic identity problem. This lack of visibility limits most organizations’ abilities to understand the threat’s scope and scale, impacting loss prevention strategies.
Compounding the challenges associated with synthetic identity fraud is that bad actors have no single way they perpetrate this fraud. Once an account is created with a synthetic identity, fraudsters may take the money immediately or keep the account in good standing while patiently building up credit history until they’re positioned to capitalize on a bust-out target, like high-end auto purchases.
These creditworthy identities are prized by organized crime syndicates because they enable them to operate in volume, cultivating complete identity profiles with established credit backgrounds that they match with fake documents to support real world schemes – like laundering illicit funds or making large purchases like real estate and luxury cars – separate from their true identity. Once an identity profile has been used in a bust-out scheme, fraudsters can employ a technique known as credit washing to resurrect it to be used again.
What does a synthetic identity attack look like?
Synthetic identity fraud can be difficult to spot. One coordinated attack involved 13 individuals and three businesses. They obtained over $1 million in fraudulent loans from 19 U.S. banks and credit unions over 18 months. First, they compiled dozens of synthetic identities using SSNs stolen from people unlikely to access credit (minor, incarcerated and elderly individuals), appending new names, addresses and dates of birth to them. They then applied for accounts with minimal identity verification requirements (email accounts, mobile phones and loyalty points) to give the identities a foothold and use the tried-and-true tactic of springboarding, which adds synthetic identities to existing established credit card accounts as authorized users. The crime ring also created shell companies to report credit histories on their synthetic identities, backdating them for validity.
How do synthetic identities happen?
Several factors contribute to the rise of synthetic identity fraud:
- Data breaches: According to TransUnion’s 2023 State of Omnichannel Fraud Report, data breaches in the U.S. increased 83% over the past two years. With tens of billions of records breached over the past decade, organized crime rings have an unprecedented amount of personally identifiable information to fuel their identity compilation and manipulation efforts.
- SSN randomization: In 2011, the Social Security Administration (SSA) moved away from issuing sequential SSNs — where the first three digits represented a location of the SSA office that assigned the number — and began randomizing them, eliminating a useful tool for validating SSNs during the account onboarding process.
- Loosening credit: Following the Great Recession, U.S. financial services firms relaxed credit requirements, making it easier for synthetic identities to take hold and build from a thin file to an established credit holder.
- Proliferation of credit repair agencies: These agencies sell credit profile numbers (CPNs) to consumers with bad credit to “get a fresh start.” The intent is to obfuscate creditors’ inquiries to credit bureaus and establish new records for the consumer.
How much is lost to synthetic identity fraud?
The financial impact of synthetic identity fraud is substantial. In a Datos Insights survey of North American fraud executives, one respondent reportedly found 15% of their organization’s existing accounts were tied to synthetic identities. According to a recent TransUnion report, U.S. lenders faced nearly $3 billion in exposure, with auto loans representing over 60% of total exposure ($1.8 billion).
Not only are these losses painful, so is the fact much of synthetic identity fraud is written off as a credit loss—meaning valuable time is spent trying to collect from someone who doesn’t exist. Many executives interviewed by Datos believe synthetic identities represent an anti-money laundering issue, as well as a fraud issue: If you have a bunch of synthetics on your books, how well do you really know your customer?
All synthetic identities behave like good customers until the very end, making them difficult to detect. Some organizations may opt not to actively seek them out or turn a blind eye because these are revenue-generating accounts that are helping them to meet business objectives and there is no loss apparent on the horizon. But ignoring a suspected or understood synthetic identity problem is not only negligent – it may be illegal.
Qualifying and quantifying the synthetic fraud issue
Credit risk officers may not be fully aware of issues surrounding synthetic fraud, or they do not view it as their remit, so they rely on their fraud risk counterparts. However, unidentified fraud risk exposure can negatively affect their bottom line and be attributed incorrectly as a credit risk problem, which has negative downstream impacts ranging from wasted collections efforts to overfitting new credit-risk strategies.
They may also perceive their fraud issues as losses, such as a growing credit loss problem; customer experience challenges, such as friction in the application process that leads to high application abandonment rates or delayed credit decisions due to fraud controls that lead to consumer application abandonment; or operational setbacks, such as poor fraud detection that leads to a high volume of false alerts or that allows the opening of fraudulent accounts.
Combating synthetic identity fraud will require an enterprise-wide effort wherever customer accounts exist. A multi-pronged strategy to stop new account fraud is needed, with institutions closely monitoring and reviewing customer portfolios. This effort must be powered by modernized identity proofing — combining identity verification with active digital identity, device reputation and synthetic identity assessments — that enhances detection capabilities at the front door and helps prevent future losses.
In the battle against synthetic identity fraud, awareness, collaboration, and a multi-faceted approach are essential. Just as in Mary Shelley’s tale, understanding the monster’s creation is key to overcoming the havoc it wreaks.
