Money 20/20: What's Behind the Rise in Synthetic Identity Fraud

The premier event for financial services, Money 20/20, wrapped in late October. Identity and fraud were front and center on the agenda as major challenges facing the industry. Synthetic identity fraud was a particularly hot topic. With their presentation — What’s Behind the Rise in Synthetic Identity Fraud — Jim VanDyke, TransUnion Senior Principal and Head of Innovation, and David Mattei, Strategic Advisor, Fraud and Anti-Money Laundering (AML) Practice, Datos Insights, shared insights to help attendees better understand synthetic identity risk and how to improve their abilities to combat it.

What is synthetic identity fraud?

There’s no common definition for synthetics, even within the same organization. Synthetic identities are commonly understood as identity fabrication, compilation or manipulation. A clear understanding is further complicated by the fact that there’s no single way bad actors perpetrate this fraud. Once an account is created with a synthetic identity, fraudsters may choose to just take the money immediately, or they may maintain the account in good standing while building up credit history.

When synthetic accounts finally default, there’s no common way financial institutions categorize this loss. For instance:

  • Never pay default — A borrower fails to make any payments
  • Early life defaults — A borrower stops making payments within the first six months
  • Straight rollers — A credit card or loan account moves directly into default without the borrower making any payments
  • Bust outs — A borrower makes monthly payments until they max the loan amount and stop making payments, typically over a two-year time period
  • Over-limits — Quick over-extension of credit

With no agreed-upon definition and understanding of synthetic identity, the FedPayments Improvement initiative — part of the Federal Reserve Bank — undertook the task of coming up with a common definition the industry can use. Its definition is “the use of a combination of personal identity information (PII) data to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.”

Without consistent categorization of the problem synthetic identities pose, financial services organizations don't necessarily track it properly, often simply bucketing it under credit risk losses. This lack of visibility limits most organizations’ abilities to understand the scope and scale of the problem they face, impacting loss prevention strategies.

 

What does a synthetic identity attack look like?

Synthetic identity fraud can be difficult to spot. A September 2020 US federal indictment of participants in a coordinated synthetic identity fraud attack illustrates the extent to which crime rings behind these attacks play the long game.

Graphic depicting steps in a synthetic fraud attack

 

The ring included 13 individuals and three fraudulent businesses. Over the course of 18 months, they obtained more than $1 million in fraudulent loans from 19 US banks and credit unions:

  • Twenty synthetic identities were compiled using Social Security numbers (SSN) stolen from individuals unlikely to be accessing credit (children, incarcerated and elderly individuals), then the fraudsters appended new names, addresses, dates of birth, etc.
  • The fraudsters proceeded to apply for accounts with minimal identity verification requirements (email accounts, mobile phones and loyalty points) to give the identities a foothold.
  • They then used the tried-and-true tactic of springboarding (i.e., adding synthetic identities to existing established credit card accounts as authorized users). The ring also created shell companies that were used to report credit histories on the synthetic identities (backdated in some cases to further add validity).

How do synthetic identities happen?

A perfect storm around synthetics developed in the past decade:

  • Data breaches: With tens of billions of records breached over the past decade, organized crime rings have an unprecedented amount of data at their disposal to fuel their identity-compilation and identity-manipulation efforts.
  • SSN randomization: The Social Security Administration (SSA) used to issue sequential SSNs in which the first three digits represented the location of the SSA office that assigned the number. This was a useful tool for checking the validity of an SSN. Unfortunately, the SSA began randomizing the issuance of SSNs in 2011 rather than having a specific issuance formula based on the date and geographic region. This randomization removed from financial institutions’ arsenals a valuable tool for checking the validity of an SSN at the time of account onboarding.
  • Loosening credit: As the economic recovery progressed after the Great Recession, US financial services firms loosened credit requirements — which made it easier for synthetic identities to take hold and build from a thin file to an established credit holder.
  • Credit repair: Credit repair agencies abounded over the past decade, offering credit profile numbers (CPN). The CPN is a nine-digit number sold by credit repair agencies to consumers with bad credit to “get a fresh start.” It’s also often used by undocumented immigrants to access credit. The intent is to obfuscate creditors’ inquiries to credit bureaus and establish new records for the consumer.

 

US data breaches increasing in volume and severity — increasing and shaping future fraud

The number of data breaches in the US increased 83% over the past two years, according to TransUnion’s 2023 State of Omnichannel Fraud Report, expediting the access and sale of personally identifiable information to create synthetic identities. Increasingly, cybercriminals have begun targeting third parties to acquire identity information; these are organizations that process data on behalf of the organization holding the consumer relationship.

US data breach volume and severity 2020-2022 by primary and third-party

 

How much is lost to synthetic identity fraud?

Datos Insights estimates synthetic identity fraud for unsecured US credit products totaled US$1.8 billion in 2020 and will grow to US$2.94 billion in 2025. “Recently, a fraud executive took a new position at a financial institution. One of their first tasks was analyzing existing accounts to see how many of them were potentially opened using synthetic identities. They found upwards of 15% of the accounts were tied to a synthetic identity,” stated David Mattei, Strategic Advisor, Fraud and AML Practice, Datos Insights. If the number of credit charge-offs attributable to synthetics is indeed in the 10% to 12% range, then the losses could be as high as US$6 billion.

Estimated cost of synthetic fraud to banks at least $6 billion annually.
Sources: Mitigating Synthetic Identity Fraud in US Payments System, 2019 Federal Reserve report. Synthetic Identity Fraud: Diabolical Charge-offs on the Rise, Datos Insights, February 2021 (sponsored by TransUnion). ABA Banking Journal Oct 20, 2021.

TransUnion’s internal analysis recently showed US lender exposure to synthetic identities was nearly $3 billion; auto loans reached $1.8 billion, representing more than 60% of total exposure to synthetic identities.

Not only are the losses painful, so is the fact that much of synthetic identity fraud is written off as a credit risk — meaning valuable collector time is spent trying to collect from someone who doesn’t exist. Many of the FinTechs interviewed by Datos Insights believed synthetics represent an AML issue, as well as a fraud issue: If you have a bunch of synthetics on your books, how well do you know your customer?

 

How can financial institutions combat synthetic identity fraud?

Mitigating synthetic identity fraud requires a company-wide effort by financial institutions. The federal government is trying to support industry solutions but with mixed results. The electronic Consent Based Social Security Number Verification (eCBSV) Service, for example, isn’t a silver bullet to protect organizations from synthetic identities. The system is limited by its requirement to match names exactly as they exist in SSA’s files. Submissions with small variances will not pass eCBSV checks, requiring financial institutions to verify identities some other way.

Many organizations simply charge off the loss of synthetic accounts as bad debt. However, synthetic accounts represent a significant compliance challenge for organizations, including Know Your Client (KYC) and AML. To mitigate synthetics, organizations need to take a layered approach: combining identity verification, device-based risk assessment and portfolio reviews using a synthetic fraud model. By taking this layered approach, organizations can improve their abilities to detect suspected synthetic identities at the front door and take steps to prevent future losses.
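A rule-based portfolio review built from the signals this article describes, added here as an illustration and not a TransUnion or Datos Insights model: one SSN carrying several name and date-of-birth pairs, a credit history made up only of authorized-user tradelines, and the never-pay and early-life default categories. The record fields, the tokenized SSN, the sample accounts and the two-signal review threshold are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample portfolio: every record below is made up.
# ssn_token is an assumed tokenized SSN, so raw SSNs never enter the review.
ACCOUNTS = [
    {"id": "A1", "ssn_token": "t1", "name": "ann lee", "dob": date(1980, 5, 1),
     "opened": date(2019, 1, 10), "tradelines": ["primary", "primary"],
     "payments": 30, "defaulted": None},
    {"id": "A2", "ssn_token": "t2", "name": "bo ray", "dob": date(1991, 3, 9),
     "opened": date(2021, 2, 1), "tradelines": ["authorized_user"],
     "payments": 0, "defaulted": date(2021, 6, 1)},
    {"id": "A3", "ssn_token": "t2", "name": "cy dunn", "dob": date(1988, 7, 4),
     "opened": date(2021, 3, 15), "tradelines": ["authorized_user", "authorized_user"],
     "payments": 14, "defaulted": None},
    {"id": "A4", "ssn_token": "t3", "name": "di moss", "dob": date(1975, 11, 2),
     "opened": date(2020, 1, 5), "tradelines": ["primary"],
     "payments": 4, "defaulted": date(2020, 6, 20)},
]

def months_between(start, end):
    return (end.year - start.year) * 12 + (end.month - start.month)

def review(accounts):
    """Return {account id: sorted list of synthetic-identity signals}."""
    identities = defaultdict(set)
    for a in accounts:
        identities[a["ssn_token"]].add((a["name"], a["dob"]))
    flags = {}
    for a in accounts:
        hits = set()
        # One SSN carrying several name/DOB pairs: identity compilation.
        if len(identities[a["ssn_token"]]) > 1:
            hits.add("shared_ssn")
        # History built only as an authorized user: springboarding.
        if a["tradelines"] and all(t == "authorized_user" for t in a["tradelines"]):
            hits.add("authorized_user_only")
        if a["defaulted"]:
            if a["payments"] == 0:
                hits.add("never_pay")  # no payment at all before default
            elif months_between(a["opened"], a["defaulted"]) <= 6:
                hits.add("early_life_default")  # six-month window from the list above
        flags[a["id"]] = sorted(hits)
    return flags

def review_queue(accounts, min_signals=2):
    """Accounts with at least min_signals signals, strongest first."""
    flags = review(accounts)
    ranked = sorted(flags, key=lambda i: (-len(flags[i]), i))
    return [i for i in ranked if len(flags[i]) >= min_signals]
```

Tagging each default with its category in this way also lets suspected synthetic losses be reported separately instead of being bucketed under credit risk.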
