Table of Contents
Synthetic identity fraud is a growing threat that’s spreading like wildfire, victimising countless individuals and costing financial institutions billions of dollars. This elaborate version of identity theft combines both real and fabricated personal identification information to manufacture entirely new identities, which can be extremely difficult to detect.
Not to be taken lightly, synthetic identity fraud was the fastest-growing form of fraud in 2023, according to a report by TransUnion. Although the concept of creating synthetic IDs has been around for several decades, the problem has escalated significantly since 2017, with identity theft reports to the Federal Trade Commission increasing from 371,000 in 2017 to 1.4 million in 2021.
Cybersecurity Education and Training Begins Here
Here’s how your free trial works:
- Meet with our cybersecurity experts to assess your environment and identify your threat risk exposure
- Within 24 hours and minimal configuration, we’ll deploy our solutions for 30 days
- Experience our technology in action!
- Receive report outlining your security vulnerabilities to help you take immediate action against cybersecurity attacks
Fill out this form to request a meeting with our cybersecurity experts.
Thank you for your submission.
Definition of Synthetic Identity Fraud
Synthetic identity fraud is a sophisticated financial crime that involves fabricating a fictitious identity using real and made-up personal information. Unlike traditional identity theft, which uses a real person’s identity, synthetic identity fraud moulds an entirely new persona that doesn’t correspond to any single individual.
Synthetic identities often combine authentic and fake ID elements, most commonly including:
- A real Social Security number (SSN)
- A false name
- A made-up date of birth
- A fictitious address
A synthetic ID may also include fake or stolen phone numbers, counterfeit government-issued ID documents, fake online presence, forged employment history, or manipulated credit history.
What defines synthetic ID fraud is its hybrid nature of blending authentic and false information to fashion a new identity that can pass initial verification processes. This differentiates it from other forms of identity-related crimes and makes it especially difficult to detect and prevent.
How Synthetic ID Fraud Works
Synthetic identity fraud is a complex process that involves making a phony identity appear credible, legitimate, and capable of passing verification processes and receiving communications. It’s a long-term scheme that can yield significant payouts for threat actors while causing substantial losses for financial institutions and individuals whose personal information was exploited. Such schemes are typically carried out using several tactics.
1. Gather Information
Fraudsters typically start by collecting authentic personal data, often focusing on Social Security Numbers. Common sources include:
- Data breaches
- Dark web marketplaces
- Social engineering tactics
- Public records
- Social media platforms
They often target SSNs belonging to children, elderly folks, or homeless individuals, as these targets are less likely to be actively monitored.
2. Create the Synthetic Identity
It’s common for fraudsters to pair a stolen SSN with fake information, such as a fake name, phone number, date of birth, or address. Often referred to as a “Frankenstein ID”, this combination of real and forged data is what defines a synthetic identity.
3. Build Credit and Credibility
With the intention of eventual theft, fraudsters then use the synthetic ID to apply for lines of credit. Initially, applications are often rejected and dismissed due to a lack of credit history. However, these applications create a credit file for the synthetic identity.
Patient fraudsters continue applying for credit until they are successful, often with high-risk lenders. When invested long-term in their synthetic identity, they use this credit responsibly, making timely payments to build a positive credit history and overall credibility.
4. Cultivating the Identity
Over months or even years, fraudsters nurture and grow the synthetic identity, gradually gaining access to higher credit limits and more valuable financial products. They may use techniques like credit piggybacking, where the synthetic identity is added as an authorised user on an account with good credit to boost its creditworthiness.
To make the identity seem more authentic, fraudsters may also create fake social media profiles and engage in online activities associated with the synthetic identity.
5. The “Bust-Out”
Once the synthetic identity has established legitimate credit and can effectively borrow funds from financial institutions, the fraudster makes one final push to max out all available credit before vanishing and neglecting any repayment. This is often referred to as “busting out”, leaving creditors with significant losses.
6. Repeating the Process
Skilled fraudsters often create multiple synthetic identities simultaneously, allowing them to scale their operations and increase their illicit gains. The accessibility of such cyber crimes has made them incredibly widespread and difficult to prevent.
Methods of Synthetic Identity Fraud
Cyber criminals use a range of techniques to craft and carry out synthetic ID theft. Here are the primary methods used.
- Identity compilation: Otherwise known as “Frankenstein Fraud”, this common method combines a stolen SSN with fake personal information so that the new identity doesn’t correspond to any real person.
- Identity manipulation: This tactic seeks to alter the details of a real person’s identity to create a new one. Slight changes to names, addresses, or birthdates can be enough to mask previous credit history or start a “fresh” identity.
- Piggybacking: Similar to tailgating to access a secure physical area, piggybacking involves adding a synthetic identity as an authorised user on a legitimate account, effectively boosting its credit score.
- Credit Profile Number (CPN) scams: These schemes use a fake nine-digit number in place of a real SSN, which are often marketed as a legal way to create a new credit identity but are illegal.
- Social engineering: By using phishing, pretexting, or other socially manipulative tactics, threat actors obtain real personal information to incorporate into synthetic identities.
- Exploiting credit repair loopholes: With an established synthetic ID, threat actors may file false identity theft claims to remove negative items from credit reports, thereby artificially improving the creditworthiness of the synthetic identity.
- Data breach exploitation: Another technique involves utilising personal information obtained from large-scale data breaches. Fraudsters can easily combine fragments of authentic information from multiple individuals and create convincing synthetic identities at scale.
These methods are often used in combination, allowing fraudsters to produce hard-to-detect synthetic identities. The variety and complexity of these techniques impact the escalating challenges of combating synthetic identity fraud in the financial sector.
The Dangers of Synthetic Identity Fraud
Synthetic identity fraud poses significant risks to both individuals and businesses, with devastating consequences that can persist for years. Understanding these dangers is crucial to acknowledge and combat this growing threat.
- Financial losses for businesses: Synthetic identity fraud is one of the fastest-growing forms of fraudulent activity. An Equifax study identified potential losses of $300 million to the credit card industry and $25 million to telecommunications and utilities providers in just 12 months.
- Long-term impact on individuals: Young people are particularly vulnerable, as their credit can be compromised for years before outside threats are detected. During that time, victims may struggle to obtain credit, loans, or employment due to damaged credit histories.
- Undermining credit systems: The widespread prevalence of synthetic identities diminishes trust in credit reporting and lending systems. In turn, financial institutions default to tightening their lending criteria, making it increasingly difficult for legitimate consumers to access credit.
- Facilitation of other crimes: The criminal application of fabricated identities poses dangers beyond immediate financial losses. Synthetic identities can be used for money laundering, terrorist financing, or other illicit activities.
- Challenges for fraud detection: Traditional fraud detection methods often cannot pinpoint synthetic identities. The inability to identify a specific consumer victim makes it challenging to detect threat actors and quantify losses.
- Increased costs for businesses and consumers: Organisations may invest heavily in advanced fraud detection systems to combat synthetic ID theft. These costs are subsequently passed on to consumers through higher fees or interest rates.
- Data privacy concerns: Creating synthetic identities typically relies on stealing personally identifiable information from data breaches. This perpetuates an ongoing cycle of data theft and misuse, raising concerns for broader data privacy and protection.
The dangers of synthetic identity fraud extend far beyond immediate financial losses, affecting the integrity of financial institutions, individual credit profiles, and societal trust in digital identities.
How to Detect Synthetic ID Fraud
Detecting synthetic identity fraud is an uphill battle, but there are several warning signs to watch for and fundamental strategies to leverage, including:
- Unusual credit file characteristics: Sudden changes in credit activity, rapid credit score increases, or credit profiles with a thin or short history.
- Mismatched information: Discrepancies between provided information and official records or inconsistencies in personal details across different databases.
- Behavioural anomalies: Multiple applications for credit in a short period or accounts that show patterns of building credit followed by sudden high-value transactions.
- Enhanced verification processes: Organisations can add levels of authentication and use knowledge-based authentication questions.
- Regular audits: Institutions should conduct periodic reviews of accounts, especially those with limited history, and monitor authorised user accounts for suspicious patterns.
- Social media and online presence checks: Verifying online footprint consistency and checking social media profiles for signs of authenticity can help detect synthetic ID fraud.
With these detection methods and maintaining vigilance for warning signs, businesses and individuals can improve their ability to identify and prevent synthetic identity fraud.
How to Protect Against Synthetic Identity Fraud
Protecting against synthetic identity fraud requires both technological solutions and personal vigilance. Here are some effective ways to defend against such threats.
Secure Personal Information
Individuals should take precautions to secure their SSNs and other personally identifiable information. This includes safeguarding physical documents, shredding sensitive papers, and avoiding sharing SSNs unnecessarily. Using digital security software can further protect personal data from hackers and malware.
Regular Credit Monitoring
Regularly reviewing credit reports and monitoring credit scores can help protect institutions from synthetic ID theft early on. Unexpected changes or unfamiliar information on credit reports may indicate fraudulent activity.
Social Engineering Awareness
Consumers and employees should be educated about common social engineering tactics, like phishing scams. Be wary of unexpected communications claiming to be from legitimate sources requesting personal information.
Advanced Analytics and Machine Learning
Organisations can employ machine learning algorithms to analyse high volumes of data and identify patterns associated with synthetic identities. These systems can process large datasets quickly, evaluating risk factors and flagging suspicious activities in real-time.
Digital Identity Verification
Deploying robust digital identity verification systems can significantly reduce the risk of synthetic identity fraud. These systems use a combination of document verification, liveness detection, and multifactor authentication to ensure the person creating an account is who they claim to be.
How Proofpoint Can Help
Proofpoint offers a comprehensive suite of cybersecurity solutions designed to protect against identity fraud. By leveraging advanced threat intelligence and machine learning, Proofpoint’s products can detect and mitigate the risks associated with synthetic identities.
For instance, Proofpoint’s email security solutions can identify and block phishing attempts that often serve as the initial step in gathering personal information for creating synthetic identities. Additionally, their digital risk protection services monitor the dark web and other illicit online marketplaces for stolen personal data, alerting organisations to potential threats before they can be exploited.
Proofpoint’s Identity Threat Detection and Response (ITDR) solutions provide robust defences against synthetic identity fraud. These tools analyse user behaviour and digital footprints to identify anomalies that may indicate the presence of synthetic identities. By integrating multifactor authentication and continuous monitoring, Proofpoint ensures that only legitimate users can access sensitive systems and data.
This proactive approach not only helps in detecting synthetic identities early but also enhances overall security posture, making it significantly harder for fraudsters to succeed. To learn more, contact Proofpoint.