Synthetic identity fraud is the fastest-growing financial crime in the United States, posing significant risks for both businesses and consumers.
What is synthetic identity fraud?
Unlike traditional identity theft, which involves stealing someone’s real identity, the most insidious form of synthetic identity fraud creates a completely false identity using a combination of real and fake details, making it a complex challenge for legacy fraud detection systems.
Sometimes referred to as manufactured or “Frankenstein” identities, fraudsters use real pieces of someone’s personally identifiable information (PII), which is increasingly accessible due to data breaches – which exposed 353 million US customer records in 2023 alone.
How are synthetic identities created?
There are a few methods used to create synthetic identities but one of the most common and hardest to detect involves a fraudster using a real person’s personally identifiable information (PII), either stealing it themselves or purchasing from the dark web, altering it slightly, and attempting to pass it off as a legitimate person. The altering of information is where this method diverges from traditional identity theft, making it more difficult to detect.
These identities can be bolstered by AI tools which can generate supplemental data, images, or even IDs, in order to make the synthetic identity seem more legitimate.
We looked at over 1 million identity verification transactions to pinpoint which pieces of a synthetic identity were most likely to be fraudulent versus tied to legitimate PII. Our findings were that birth date, name, and address were the most commonly faked data points.
While these findings were not surprising, we wanted to dig a little deeper into what reason a cybercriminal may have for altering these particular identifiers.
Why are birth dates altered for synthetic identity fraud?
We found birth dates to be the most commonly flagged data point on fraudulent IDs, showing up in over half of flagged IDs. It is clear that cybercriminals are altering birth date for a majority of their fraud attempts, but some reasons birth date specifically may be altered are for benefits fraud. By changing the birth date on an otherwise legitimate identity, cybercriminals can access social security benefits or commit pension fraud.
Why are names altered for synthetic identity fraud?
First name was the second most commonly flagged data point, appearing in almost half flagged IDs. Altered first names can be used to defraud systems that rely on last name for identity verification, giving cybercriminals access to existing accounts.
While last name was flagged slightly less often than first name, both first and last name are commonly used to create a completely new identity, not linked to any real individual. This ensures that no papertrail is left once the crime has been committed, leaving businesses on the hook for any losses.
Like birth date, it is clear that businesses should be on the lookout for fraudulent names as a red flag for identity theft.
Why are addresses altered for synthetic identity fraud?
Addresses are one of the more nuanced pieces of PII present on an ID. Each part of the address could be altered in an attempt to fly under the radar of fraud detection systems. Often, entire addresses are fraudulent on synthetic identities attempting to access mail – tax returns or insurance claims mailed to the fraudster, who collects and promptly disappears, often having access to the address through fraudulent means, too.
Synthetic identity fraud is being used in a myriad of ways not specifically covered above – loan and credit card applications, evade sanctions, exploit medical records, submit fraudulent claims. Businesses across industries should be aware of the potential impacts of synthetic identity fraud.
How does synthetic identity fraud impact businesses?
Cybercriminals often use these fraudulent identities at financial institutions, but banks and credit unions aren’t the only businesses at risk. Synthetic identity fraud can be used to obtain any goods or services the fraudster chooses without paying and with no papertrail. Even government benefits and social programs have been exploited by criminals using synthetic identity fraud tactics.
Challenges in detection
The evolving nature of synthetic identity fraud makes it challenging for traditional fraud prevention systems to detect. Unlike cases of stolen identities, which typically leave a clear trail, synthetic identities don’t have a credit history or any ties to a real individual. This means that financial institutions or service providers are often left to absorb the losses.
Thomson Reuters estimated that 95% of synthetic identities go undetected during account creation at financial institutions. This figure is especially alarming when taking into account the rigorous KYC regulations within this industry that should, theoretically, ensure strong identity verification within the industry.
Long-term exploitation
Fraudsters can leverage synthetic identities to open new accounts, build credit over time, and then capitalize on them for financial gain. They may use these false identities for months or even years before vanishing, leaving behind significant financial damage for businesses.
Undermining customer trust
The widespread impact of synthetic identity fraud can erode consumer confidence in the financial system. People quickly become skeptical and reluctant to provide their personal information when they learn that a business has been a victim of fraud.
How can businesses detect and prevent synthetic identity fraud?
While traditional identity fraud systems are unable to detect synthetic identity fraud, leaders in the fraud-prevention space have found reliable methods of detecting synthetic identities to prevent losses to businesses and financial institutions. The core issue of synthetic identity fraud detection is in verifying the legitimacy of an identity beyond the few pieces of legitimate data present.
The Federal Reserve recommends a multi-layered approach:
- Verifying primary elements – government issued identifiers
- Verifying supplemental elements – address or digital footprint
A solution like VeriScan Authentication completes both of these actions within seconds – verifying the legitimacy of the government-issued ID and running third-party database checks against information like the address. There is even an option for Knowledge Base Authentication (KBA) checks to ensure the identity matches the person presenting the information. This approach is one of the most methods to detect synthetic identity fraud.
For digital transactions, where the ID cannot be fully authenticated using specialty hardware, it is essential to employ robust identity verification solutions to achieve the multi-layered fraud prevention approach. While third-party database checks can be used for both in-person and digital transactions, verifying primary elements is still an essential step in the process.
With VeriScan’s Digital Identity Verification solution, submitted IDs are verified using machine learning algorithms, analyzing high volumes of data to identify patterns associated with synthetic identity fraud. The AI-powered system can detect imperfections and indicators commonly seen on fraudulent identity documents to instantly flag fraudulent identity documents.
Our solution combines document verification with facial matching, equipped with liveness detection and anti-spoofing to ensure the person submitting the ID matches the document.
