Your identity is for sale. Your name, address, Social Security number – all the personally identifiable information (PII) you rely on to introduce yourself online, open an account or apply for a loan has a price tag. And these identity attributes, although precious to you, won’t cost criminals much to acquire.
Across the dark web, thousands of sites offer bargain bundles of identity data from the billions of data records stolen worldwide through cyberattacks and data breaches every year. All the data needed to pretend to be someone else is readily available and driving one of the fastest-growing phenomena in financial crime – synthetic identity fraud.
Synthetic identity fraud is a global and growing concern across markets and multiple industries. Surveys of fraud patterns continue to report a year-on-year increase in the scale of concern and reported losses relating to this type of scam.
In the United States, synthetic identity fraud is the fastest-growing financial crime. In 2023, varied estimates predict synthetic identity fraud will result in losses of $2.42bn in unsecured credit products and as much as $6bn in total loses to the banking sector. Even these reported figures may miss the true cost of this fraud, however, with many cases recorded as bad debt rather than financial crime.
Synthetic Identity fraud is the use of an identity which has been entirely manufactured or created using a combination of genuine, stolen PII and manufactured identity data in order to illicitly obtain goods or services. The intent of the fraudster is to monetise a fabricated identity, before silently disappearing, untraceable and unlikely to be caught.
Synthetic identity scammers will often mix real and manufactured identity attributes to achieve their deception, such as a real name and address blended with a different date of birth. Sophisticated scams go beyond data to include the creation of fake identity documents, fake photos and videos and even other biometric characteristics, like fingerprints.
Around the world, different regulatory jurisdictions have evolved digital identity constructs that rely more on one type of identity attribute than another. Wherever they are, fraudsters exploit the weak spots where they find them, so even though there are regional nuances in how the scam works, synthetic identity fraud is a global issue.
The origins of synthetic identity fraud are in the United States. The typical US scam blends a genuine Social Security Number (SSN) with fake PII. A fraudster applies using the synthetic ID and, even if declined, the act of application adds those details to the credit reference databases used in application vetting. Subsequent application attempts using that identity are then more likely to be successful as the identity has been seen before.
Synthetic fraudsters playing the long game will attempt to give their newly created identity credence by applying for low-friction accounts that will increase its credit history. Utility or mail order services are often targeted as these involve limited or no checks at onboarding. Sometimes referred to as ‘sleeper fraud’, by opening accounts and completing legitimate transactions, criminals build their credit rating and acquire access to greater funds.
Sometimes, innocent application activity can appear a lot like the pattern of new account creation in a synthetic identity scam. Unfortunately for anyone moving abroad and setting up life in a new country, the absence of a local credit history and the need to open several new accounts at once can send fraud signals.
In countries without a national ID number, the scam plays out differently. In the United Kingdom, credit reference agencies typically run searches on an applicant’s address, parsing the records retrieved to determine which are associated, directly or indirectly, to the applicant. So synthetic identity fraudsters need to use a genuine address. The other identity data in the mix can be entirely fictitious or relate to a real person who does not live at that address, combined with contact details concocted for the scam.
The age and reputation of contact data can be one ‘tell’ of fraud. Typically, the contact details used to commit synthetic identity fraud and identity theft will have been created solely to support the scam. Disposable webmail addresses and pay-as-you-go mobile sim cards providing a mayfly mobile number will feature predominately in fraud. A Gmail account will most likely be 15 minutes old, rather than a enjoy a traceable consumer history over 15 years.
The fabric of digital identity is complex and synthetic identity fraud seeks to exploit that complexity, mixing real and manufactured identity attributes in order to avoid detection. Methods of detection must embrace that complexity and the breadth and depth of digital identity data available in the search for fraud signals.
The pool of potential credit data is huge, made up of past and present credit relationships for every individual. Searching in credit bureau databases for the identity data supplied by an applicant to discover credit header data matches is a good way of corroborating identity. The type of accounts referenced in a credit footprint, whether they are active or inactive, and if they are referenced by more than one agency can provide valuable insights into the provenance of an identity.
The depth and quality of relationships an identity presents are key factors in detecting synthetic identity fraud.
When looking at credit bureau data, it is not just the presence of accounts containing that identity that is important, but also the types of account that are associated with the identity. An identity that only has connections to utility and mail order accounts, that present a lower bar to identity verification at customer onboarding, is more likely to be manufactured - a synthetic identity in development with a fraudster behind it.
Prevent synthetic identity fraud before onboarding by putting identities to the real customer test with the GBG score for synthetic identity.
Does this person have accounts that require low or no identity checks or strong identity verification, like a mortgage or bank account?
Are the accounts that appear on this person’s credit file active, or are there only historic, closed accounts?
How long has this person had a credit history and is that credit history and its constituent accounts consistent with his or her age?
When probing credit bureau data, an identity can meet Know Your Customer (KYC) regulatory requirements in most jurisdictions by simply having the requisite number of electronic proofs of identity and address. The history of an identity, however, is also an important determining factor in helping to highlight cases of synthetic identity fraud.
How long have the accounts associated with an identity existed, five years or five days? Are the accounts active or inactive – a potential indicator of credit history manipulation? And are the accounts presented consistent with the age profile for the identity? We might expect to see 23-year-old associated with a 5-year-old bank account, for example. All these signals from past activity can be indicators of the presence or absence of synthetic identity fraud.
“The fabric of digital identity is complex and synthetic identity fraud seeks to exploit that complexity, mixing real and manufactured identity attributes in order to avoid detection.”
Contact metadata can be extremely useful in detecting signals of any type of identity fraud, including synthetic ID scams. An email address with a suspiciously short history, popping up just prior to an application, indicates a higher risk of synthetic identity fraud. A real email address from a real customer is likely to have a longer history.
Similarly, a newly connected and unregistered pay as you go mobile number, evidence of recent SIM-swap or call forwarding should all ring alarm bells that a scam could be in play. Knowing that a person is the registered owner of a contract mobile number is a robust way of using mobile intelligence to validate digital identity and prevent synthetic identity fraud.
Traditional scams that rely solely on the hijacking of an individual’s real identity are referred to as identity fraud or identity theft.
Unlike synthetic identity fraud, these crimes tend to target individuals with an extensive credit footprint. Identity theft involves the fraudulent use of a real person’s genuine identity data, such as, name, date of birth and address history, without their consent. Like synthetic identity fraudsters, identity thieves are likely to create new contact details or seek to take control of the target’s contacts.
As synthetic identity fraud becomes increasingly sophisticated, businesses have to keep pace, deploying a combination of trust-building technologies and techniques.
A good digital identity verification solution designed to operate and scale with your business is an essential first step to customer due diligence.
Knowing your customer is best practice for any growing business and a regulatory requirement for some. In jurisdictions that benefit from a strong digital identity construct, such as Australia, staying on the right side of compliance offers a strong defence against synthetic fraud. In less rigorous regulatory environments, more needs to be done.
To prevent synthetic identity fraud, or any fraud, a multi-layered approach to identity data verification and fraud protection typically produces the best results.
A combination of credit bureau data checks, email and mobile intelligence, and biometric identity document verification can provide the breadth and depth of intelligence needed to build a comprehensive defence against synthetic identity fraud.
Digital identity scores and identity graphs provide neat methods of analysis and interpretation of a digital identity that has been presented to your business.
The GBG Score for Synthetic Identity, for example, is designed to help fraud professionals manage the vast amount of available identity data, reduce manual processing in synthetic identity fraud risk assessment, and streamline onboarding journeys to improve the customer experience for identities that pass these tests.
Scoring for risk using both positive and negative signals remove subjective decision making and also promotes consistency. The end result is that faster and more accurate decisions can be made, and investigative resource can be focused in the right areas.
Deploying machine learning technologies can provide much improved accuracy in detecting all types of fraud, including synthetic identity fraud
Onboarding systems that orchestrate identity proofing and fraud prevention technologies, can deliver greater speed or security where it matters, automatically adjusting customer journeys to the absence or presence of fraud signals.
Platforms that orchestrate the onboarding process, plugging into the latest technologies offer a nimble response to the sophistication and evolution of fraud without putting too much friction in the way of genuine customers.
Digital identity is at the heart of trusted transactions in eCommerce. The fabric of digital identity is complex and synthetic identity scammers seek to exploit that complexity, fabricating fake identities from the billions of data records stolen in cyberattacks every year.
But with the right trust-building technologies and techniques It is possible to detect and prevent synthetic identities before they are onboarded to your business.
A synthetic identity is an identity which has been entirely manufactured or created using a combination of genuine, stolen PII and manufactured identity data in order to illicitly obtain goods or services. Skilful synthetic identity fraudsters seek to monetise a fabricated identity before silently disappearing.
Businesses successfully targeted by synthetic identity fraud are at risk of incurring unrecoverable losses. When a new ‘customer’ fails to pay and it becomes evident that the digital identity does not belong to a real person, there is no recourse to debt recovery activity.
Synthetic identities can be entirely manufactured or a blend of fake and genuine data, often obtained through data breaches from cyberattacks. By successfully applying for accounts and services with low or no identity checks, fraudsters establish a credit footprint for a fake ID and use it to apply for higher value goods.
Webinar
Learn how business can beat synthetic identity fraud with the latest trust-building technologies and techniques.