
Money 20/20: What's Behind the Rise in Synthetic Identity Fraud


Last October at Money 20/20, the premier event for financial services, identity and fraud were front and center as major challenges facing the industry. Specifically, synthetic identity fraud was again a hot topic — not surprising since this type of fraud is expected to generate at least US $23 billion in losses by 2030, according to the Deloitte Center for Financial Services.
 

What is synthetic identity fraud?

There’s no common definition for synthetics, even within the same organization. Synthetic identities are commonly understood as identity fabrication, compilation or manipulation. What further complicates a clear understanding of synthetic identities is recognizing there’s no single way bad actors perpetrate this fraud. Once an account is created with a synthetic identity, fraudsters may choose to immediately take the money — or they may maintain the account in good standing while building up credit history.

When synthetic accounts finally default, there’s also no common way financial institutions categorize this loss. For instance:

  • Never pay default — A borrower fails to make any payments
  • Early life defaults — A borrower stops making payments within the first six months
  • Straight rollers — A credit card or loan account moves directly into default without the borrower making any payments
  • Bust-outs — A borrower makes monthly payments until they max the loan amount and stop making payments, typically over a two-year time period
  • Over-limits — Quick overextension of credit

With no agreed-upon definition and understanding of synthetic identity, the FedPayments Improvement initiative — part of the Federal Reserve Bank — undertook the task of coming up with a universal definition the industry can use. That definition is: The use of a combination of personal identity information (PII) data to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.

Without consistent categorization of the problems synthetic identities pose, financial services organizations don't necessarily track it properly, often simply bucketing it under credit risk losses. This lack of visibility limits most organizations’ abilities to understand the scope and scale of the problems they face, impacting loss prevention strategies.
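An added example, not from the original article: a minimal portfolio-review pass that tags charged-off accounts with the loss categories listed above instead of leaving them in one credit-risk bucket. The `Account` fields, the category precedence and every threshold except the six-month early-life window are assumptions; never-pay and straight-roller accounts are merged because both involve no payments at all.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Account:
    """One charged-off account; list index 0 is the first month on book."""
    account_id: str
    credit_limit: float
    payments: list   # amount paid in each month
    balances: list   # statement balance in each month

EARLY_LIFE_MONTHS = 6        # from the article: stops paying within six months
QUICK_OVERLIMIT_MONTHS = 3   # assumed meaning of "quick overextension"
MAXED_UTILIZATION = 0.95     # assumed: balance/limit that counts as maxed out

def categorize_default(acct):
    """Return a loss category for one charged-off account."""
    paid = [i + 1 for i, p in enumerate(acct.payments) if p > 0]
    if not paid:
        # Never-pay and straight-roller: no payment was ever made.
        return "never_pay"
    over = [i + 1 for i, b in enumerate(acct.balances) if b > acct.credit_limit]
    if over and over[0] <= QUICK_OVERLIMIT_MONTHS:
        return "over_limit"
    if paid[-1] < EARLY_LIFE_MONTHS:
        return "early_life_default"
    if max(acct.balances) / acct.credit_limit >= MAXED_UTILIZATION:
        # Paid past the early-life window and ran the line to its limit.
        return "bust_out"
    return "other_credit_loss"

def summarize(portfolio):
    """Count charge-offs per category so they are not one opaque bucket."""
    return Counter(categorize_default(a) for a in portfolio)

# Constructed sample data, not real accounts.
SAMPLE_PORTFOLIO = [
    Account("A1", 1000, [0, 0, 0, 0], [800, 950, 1000, 1000]),
    Account("A2", 500, [50, 50, 0, 0, 0, 0, 0], [200, 300, 450, 480, 500, 500, 500]),
    Account("A3", 5000, [100] * 20 + [0] * 4, [300] * 20 + [4900, 5000, 5000, 5000]),
    Account("A4", 1000, [25, 25, 0, 0], [900, 1400, 1500, 1500]),
    Account("A5", 2000, [50] * 10 + [0] * 3, [600] * 13),
]

if __name__ == "__main__":
    for acct in SAMPLE_PORTFOLIO:
        print(acct.account_id, categorize_default(acct))
    print(dict(summarize(SAMPLE_PORTFOLIO)))
```

Accounts tagged `never_pay`, `early_life_default`, `bust_out` or `over_limit` are the ones to route to a synthetic-identity review rather than write off as ordinary credit loss.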
 

What does a synthetic identity attack look like?

Synthetic identity fraud can be difficult to spot. Synthetic identities are crafted using a mix of real and fabricated data — often including stolen Social Security numbers (SSN), false names, digital contact details and legitimate-appearing behavioral histories. These identities are designed to appear credible, frequently evading traditional identity verification processes.

Synthetic identity fraud attacks are especially challenging to uncover because they start their journeys by applying for a low-level credit line, often springboarding to creditworthiness by becoming an authorized user on an existing person’s credit line. They then build positive credit history over time by using small amounts of credit and paying it off on time. They continue this process until they finally bust out: maxing out their available credit and disappearing.

Graphic depicting steps in a synthetic fraud attack

How do synthetic identities happen?

A perfect storm around synthetics developed in the past decade:

  • Data breaches: With tens of billions of records breached over the past decade, organized crime rings have an unprecedented amount of data at their disposal to fuel their identity-compilation and identity-manipulation efforts.
  • Consumer social engineering scams: More than half (52%) of consumers reported being targeted by email, online, phone call or text messaging scams in Q4 2024. The most frequent scams reported by consumers included phishing, smishing and vishing: scams meant to steal personal information from consumers.
  • SSN randomization: The Social Security Administration (SSA) used to issue sequential Social Security numbers (SSN) where the first three digits represented the location of the SSA office that assigned the number. This was a very useful tool for checking an SSN’s validity. Unfortunately, rather than keeping a specific issuance formula based on the date and geographic region, the SSA began randomizing the issuance of SSNs in 2011 — thus eliminating financial institutions’ ability to check validity at the time of account onboarding.
  • Organizations’ risk thresholds: Some organizations, be they lenders, telecommunications firms or gaming firms, set their own levels of acceptable risk for existing credit or payment terms. Organizations that serve higher-risk individuals (those with little to no credit history) are more exposed to synthetic identities than those originating credit for low-risk individuals. And once established at one organization, a criminal can use that synthetic identity to attack any organization.
  • Credit repair: Credit repair agencies abounded over the past decade, offering credit profile numbers (CPN). They sold these nine-digit numbers to consumers with bad credit to “get a fresh start.” They’re also often used by undocumented immigrants to access credit. The intent is to obfuscate creditors’ inquiries to credit bureaus and establish new records for the consumer.
  • Gen-AI deepfakes: Generative AI enables fraudsters to create fake documents and images, including driver’s licenses and passports, designed to fool organizations’ identity proofing tools. The issue is so serious the US Treasury FinCEN issued an alert about deepfake media to financial institutions late last year. 
     

US data breaches increasing in volume and severity — fueling and shaping future fraud

According to TransUnion’s H1 2025 Update: State of Omnichannel Fraud Report, the number of data breaches in the US exceeded 16,000 over the past five years, expediting access to and the sale of personally identifiable information that is then used to create synthetic identities. While the volume of US data breaches rose to 3,092 in 2024, the average breach risk severity (the ability of a breach to enable identity fraud), as measured by TransUnion TruEmpower™ Breach Risk Score (BRS), increased 34%, its highest point since TransUnion initiated studies in 2020. Increasingly, cybercriminals have begun targeting third parties to acquire identity information; these are organizations that process data on behalf of the organization holding the consumer relationship.


How much is lost to synthetic identity fraud?

Synthetic fraud losses are often reported as charge-offs due to bad debt, so overall estimates vary widely. TransUnion’s internal analysis recently showed US lender exposure to synthetic identities for credit cards, auto loans, personal loans and retail cards totaled $3.3 billion in potential losses at the end of 2024. That’s an increase of 3% over the end of 2023 and an all-time high going back to TransUnion’s first measurement in 2009.

Based on the percentage (0.32%) of attempted account openings with synthetic identities, the market faces a continued threat of charge-offs in the future. While auto loans continued to represent the largest exposure by trade, the incidence of synthetic identities in bankcard credit inquiries was the highest among credit types analyzed, surpassing 1% at the end of 2024 — a first since TransUnion began reporting synthetic identity exposure.

While potential losses are worrisome, the fact that much of synthetic identity fraud is written off as bad debt — meaning organizations often never uncover the synthetic identities behind these losses — makes them even more problematic and damaging.

How can financial institutions combat synthetic identity fraud?

Mitigating synthetic identity fraud requires a companywide effort within financial institutions. The federal government is trying to support industry solutions but with mixed results. The electronic Consent Based Social Security Number Verification (eCBSV) Service, for example, isn’t a silver bullet to protect organizations from synthetic identities. The system is limited by its requirement to match names exactly as they exist in SSA’s files. Submissions with small variances will not pass eCBSV checks, requiring financial institutions to verify identities some other way.

As mentioned, many organizations simply charge off losses from synthetic accounts as bad debt. However, these accounts represent a significant compliance challenge for organizations with regard to know your customer (KYC) and anti-money laundering (AML) regulations. To mitigate synthetics, organizations need to take a layered approach: combining identity verification, device-based risk assessment and portfolio reviews using a synthetic fraud model. By doing so, organizations can improve their ability to detect suspected synthetic identities at the front door and take steps to prevent future losses.
