Synthetic identity fraud has cost the U.S. an estimated $30-35 billion in losses, according to some reports.[1] Synthetic identity fraud is difficult to estimate because a large amount of the fraud goes undetected or may be mischaracterized as another type of fraud or simply as a credit write-off. Synthetic identity fraud is widely assessed to be one of the fastest-growing types of fraud in the United States.
Synthetic Identity Fraud is the use of a combination of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.[2]
The elements incorporated into a synthetic identity can comprise a combination of PII that is fabricated and PII taken from actual people and entities. The elements can be categorized as primary and secondary, as described in the chart below, which was provided by The Federal Reserve, FedPayments Improvement.
| Element Type | Element Type Description | Examples |
|---|---|---|
| Primary | Identity elements that are, in combination, typically unique to an individual or profile | • Name • Date of birth • Social security number • Other government-issued identifiers (e.g., passport or tax identification number) • Photographs • Unique biometric identifiers (e.g., fingerprints or an iris scan) |
| Secondary | Elements that can help substantiate or enhance the validity of an identity but cannot establish an identity by themselves | • Mailing or billing address • Email address • Phone number(s) • Digital footprint (e.g., device ID or IP address) |
[3]
How is Synthetic Identity Fraud different from Traditional Identity Fraud?
Traditional identity fraud targets identity elements from a specific individual with a readily identifiable victim. When traditional identity fraud occurs, the victim may be notified of suspicious activity through a bank alert or random charge. Synthetic identity fraud includes identity elements that are fabricated and/or taken from one or more persons, making synthetic identity fraud more challenging to detect and prevent.
Fraudsters using synthetic identities may pursue unsecured credit (e.g., credit card or unsecured loan) rather than secured credit (e.g., home mortgage), which would require additional scrutiny of financial records and identity documents.[4] It is still possible, however, for synthetic identity fraud to occur in mortgage applications and other types of secured credit.
How are Synthetic Identities Created?
Fraudsters may acquire PII from various means and sources, including scams, data breaches, or purchasing PII from the dark web. Due to decreased scrutiny of PII belonging to certain populations (e.g., minors, incarcerated individuals, deceased individuals), fraudsters may seek to use their primary PII elements.
Upon manufacturing a synthetic identity, fraudsters may take steps to make the synthetic identity appear more legitimate including using the synthetic identity to:
- Enroll in utilities or municipal services, possibly to establish residency.
- Create an online footprint (e.g., social media profiles) for the fake identities.
- Fabricate identity documents (e.g., driver’s licenses, state IDs, and passports).
- Inquire to set up lines of credit using the synthetic identity. By merely inquiring about credit, a credit history is created around the synthetic identity.
Techniques, Tactics, and Procedures
Once a synthetic identity is created, a fraudster can use the same identity to defraud multiple industries at once including financial, government, and healthcare. In addition, with the single synthetic identity, up to five additional trade lines may follow.
The proliferation of synthetic identities to help mask actions and footprints enables criminal networks and other nefarious actors to more easily acquire illicit goods (e.g., drugs, weapons), and engage in money laundering and other serious crimes.
Proliferation of Synthetic Identity Fraud
Several factors make synthetic identity fraud increasingly easy to engage in and to scale including:
- Continued shift towards conducting banking business transactions online.
- Increasing frequency of website and organization data breaches and ease of purchasing PIIs in bulk.
- Use of generative artificial intelligence (AI) to develop images, sounds and other identity elements.
- Digital automation to scale various actions (e.g., testing hacked PIIs and applying for new accounts).
Recognize if You Are a Victim of Synthetic Identity Fraud
Individuals can identify and guard against synthetic identity theft using similar precautions as guarding against traditional identity theft. To identify if an individual may be a victim of synthetic identity fraud:
- Regularly monitor credit reports and credit scores. Contact credit agencies if any suspicious or unfamiliar information is identified.
- Regularly check bank and credit card statements for any suspicious or unfamiliar information. Reach out to the respective bank or issuing institution if such information is identified.
- As a precaution, individuals can freeze their credit for free by completing an online form with each of the credit bureaus: Equifax, Experian, and TransUnion.
- As a precautionary measure against a fraudster establishing a credit history using the PII of a minor and to protect the minor’s credit, guardians of the minor can freeze the minor’s credit score by completing printable forms and mailing the forms along with copies of required identity paperwork of the guardian and minor to each of the credit bureaus to freeze their credit score. For specific forms and procedures, refer to each of the respective credit agencies.
If an individual believes they are a victim of either traditional or synthetic identity fraud, they should report it to the Federal Trade Commission (FTC). They can report identity theft, including a stolen SSN, to the FTC by visiting IdentityTheft.gov or by calling 1-877-438-4338 to report it.
Detect and Protect Against Synthetic Identity Fraud
Strategies to detect synthetic identity fraud focus on its main attribute: use of an assortment of identity elements from various sources or through fabrication. Institutions can analyze customer and applicant data for specific discrepancies and correlations between personal elements. They can also work across industries to identify suspicious elements and connections between seemingly unrelated accounts to identify synthetic identities. The use of force multiplier technologies (e.g., AI, machine learning (ML), and natural language processing (NLP)) can assist institutions in analyzing volumes of data so institutions can integrate additional background information (e.g., credit histories, digital footprint) when analyzing applicant and current customer data for discrepancies.
Analysis & Due Diligence
To guard against synthetic identity fraud, institutions can integrate enhanced due diligence on a subset of the higher risk account holders and applicants or engage force multiplier technologies to analyze information provided by applicants and customers for data discrepancies. Institutions should pay special attention to the following aspects that may be tied to a higher risk of synthetic identity fraud:
Synthetic Identity Anomalies at the Individual, Institution, and Industry level:
Individual Level:
- Inconsistent or unexpected information between credit history, age, employment history, stated employment, stated income, amount in account, or other attributes.
- Individual information does not match digital footprint, public records, credit profile, online profiles, or internal data reviews.
- Unusual address changes.
- Thin credit histories and use of newly instituted emails or phone numbers.
- High number of recent credit inquiries.
Within Institutions:
- Inconsistent information across different applications.
- Existence of multiple people associated with a single social security number.
- Existence of connections between seemingly unrelated accounts.
- Similar or matching contact information (e.g., the reuse of contact information across accounts).
- Same digital footprint used to submit applications for multiple people (e.g., the geolocation and IP address used to submit an account application).
Across Industries & Institutions:
- Inconsistent information across different applications.
- Existence of multiple people associated with a single social security number.
- Existence of connections between seemingly unrelated accounts.
- Same digital footprint used to submit applications for multiple people (e.g., the geolocation and IP address used to submit an account application).
To combat synthetic identity fraud, consider employing an array of tools and strategies within and across organizations and institutions including:
- Detection Rules and Risk Scores
  - Detection models can be paired with machine learning to identify fraud risk scores for profiles and accounts at a higher risk of being fraudulent. With an understanding of an institution’s customer base and risk appetite, institutions can determine a risk score threshold to necessitate additional monitoring and due diligence to assess the risk of synthetic identity fraud.
- Data and Intelligence Sharing Across Industry
  - Where possible, share information across the payments industry as it pertains to synthetic identity fraud and associated trends, behaviors, risks, and best practices.
  - As permitted, share datasets that can be used to compare suspect account information. Where law enforcement brings instances of synthetic identity fraud to the attention of a financial institution, the institution should complete a Suspicious Activity Report (SAR) or Currency Transaction Report (CTR) via FinCEN and include the name of the Federal Trade Commission (FTC) agent.
- Integration of Force Multiplier Technologies
  - Machine learning can be integrated into an institution’s strategy to combat synthetic identity fraud and used to scale the ingest and analysis of large amounts of data. Machine learning can be integrated into synthetic fraud protection in various ways including:
    - Assess applicant and client information including user identity information, credit histories, information from external data sets (e.g., public records) to assist with real-time credit decisions, risk identification, and risk scores.
    - Analyze applicant and customer information and trends across institutions which can be used to detect multiple fraud attempts and specific synthetic identities prior to default or “bust-out” actions.
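The within-institution anomalies listed earlier (one social security number tied to multiple people, reused contact information, one digital footprint behind several applicants) and the risk-score threshold can be sketched as a few rules. The following Python is an added example, not code from the original page; the sample applications, field names, weights, and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample applications; every value is fabricated for illustration.
APPLICATIONS = [
    {"id": "A1", "name": "Dana Reyes", "ssn": "000-00-0001", "phone": "555-0101", "ip": "198.51.100.7"},
    {"id": "A2", "name": "Marcus Hale", "ssn": "000-00-0001", "phone": "555-0102", "ip": "198.51.100.7"},
    {"id": "A3", "name": "Lena Ortiz", "ssn": "000-00-0003", "phone": "555-0102", "ip": "203.0.113.9"},
    {"id": "A4", "name": "Priya Nair", "ssn": "000-00-0004", "phone": "555-0104", "ip": "192.0.2.44"},
]
# Hypothetical rule weights and review threshold; tune to the institution's risk appetite.
WEIGHTS = {"ssn": 50, "phone": 20, "ip": 15}
REVIEW_THRESHOLD = 40


def shared_identifiers(apps):
    """Map (field, value) -> application ids when more than one name uses the value."""
    index = defaultdict(list)
    for app in apps:
        for field in WEIGHTS:
            index[(field, app[field])].append(app)
    return {key: [a["id"] for a in group] for key, group in index.items()
            if len({a["name"] for a in group}) > 1}


def risk_scores(apps):
    """Sum the weight of each identifier an application shares with another person."""
    scores = {app["id"]: 0 for app in apps}
    for (field, _), ids in shared_identifiers(apps).items():
        for app_id in ids:
            scores[app_id] += WEIGHTS[field]
    return scores


def linked_clusters(apps):
    """Group applications linked, directly or transitively, by a shared identifier."""
    clusters = []  # invariant: the sets in this list are pairwise disjoint
    for ids in shared_identifiers(apps).values():
        merged = set(ids)
        for cluster in [c for c in clusters if c & merged]:
            merged |= cluster
            clusters.remove(cluster)
        clusters.append(merged)
    return sorted(sorted(c) for c in clusters)


if __name__ == "__main__":
    scores = risk_scores(APPLICATIONS)
    print("review queue:", sorted(i for i, s in scores.items() if s >= REVIEW_THRESHOLD))
    print("linked clusters:", linked_clusters(APPLICATIONS))
```

In this sample, A3 scores below the threshold on its own, but the cluster output shows it shares a phone number with a flagged application, which is the kind of connection between seemingly unrelated accounts the list describes.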