Synthetic identity theft represents a growing threat to digital customers and online businesses. It works by piecing together fragments of the victim’s identity from multiple sources, creating a composite that can be used for fraudulent credit applications and purchases. This constitutes a more sophisticated form of identity theft than conventional attack methods, making it more difficult to stop. Fortunately, there are steps that companies can take to protect themselves and their customers from synthetic identity fraud.
Here we’ll provide the background you need to start protecting your business against synthetic identity theft. We’ll begin by defining just what synthetic identity theft is and explaining how it works. This will highlight the contrast between synthetic identity fraud and more conventional methods, explaining why it’s more challenging to detect and why it can damage businesses and consumers. Finally, we’ll show you what you can do to protect your company against synthetic identity fraud.
What Is Synthetic Identity Theft? A Definition
Let’s start with a synthetic identity theft definition. Synthetic identity theft is a digital fraud method that combines data from multiple sources to create phony credentials that can be used to apply for financing, make fraudulent purchases, or commit other financial crimes. Typically, pieces of real Personally Identifiable Information (PII) are combined with false information to give the appearance of legitimacy. For example, a person’s real name and Social Security Number (SSN) may be combined with a different email and bank account to divert funds from a loan application in the victim’s name to the criminal’s bank account.
How Do You Create Synthetic Identities?
Creating a synthetic identity typically begins with the theft of a real credential such as a Social Security Number or Employer Identification Number (EIN). This may be combined with other real credentials, such as real names. Real information gets combined with false data such as fake addresses or emails and bank accounts not owned by the victim of the identity theft scam. Combining real and fake information enables the perpetrator to commit financial crimes such as applying for a credit card in the victim’s name or applying for a loan. Some fraudsters also use synthetic identities to make fraudulent purchases and have them sent to the wrong address, from which they can be returned for a refund or sold for profit.
An Example of Synthetic Identity Theft
To illustrate, let’s say that a cybercriminal ring targets elderly homeowners from a retirement community, assuming that this demographic is more likely to be wealthy. To steal SSNs, the criminals send all the residents living in the community a mail package pretending to represent a prescription drugs savings opportunity for senior citizens. Seniors who respond to the offer are asked to provide their SSN.
Once the victim provides their SSN, the identity thieves know their name, address, and SSN. This forms the foundation of the synthetic identity. Now the thieves combine this information with a fake email account and new address and begin applying for credit cards in the victim’s name, leveraging the target’s credit score for fraudulent purposes.
How Does Synthetic Identity Theft Occur?
The example above illustrates the steps in the process of a synthetic identity theft incident:
- A fraudster creates a new synthetic identity
- The fraudster applies for a new line of credit or loan or makes a fraudulent purchase
- The fraudster continues applying for financing or attempting purchases until successful
- The fraudster will nurture a good credit score to secure a larger credit line
- The fraudster will eventually max out the credit limit, stop payments, and disappear
Often, this process targets the SSN of a small child so that the identity theft will not be discovered until the child is old enough to apply for a credit card or pull a credit report. Sophisticated identity theft rings may replicate this process often with multiple accounts and large groups of victims.
Is Synthetic Identity Theft Common?
Unfortunately, the growth of online financial transactions has increased the incidence of synthetic identity theft. Additionally, as physical credit card security technology has improved, criminals have turned to synthetic identity theft as an alternate way to exploit credit cards. In 2021, the Federal Trade Commission received 2.8 million fraud reports from consumers, with losses of over $5.8 billion, an increase of 70% from 2020. This total included several different categories of fraud, with identity impersonation topping the list.
What Is the Difference Between Synthetic Identity Fraud and “Traditional” Identity Theft?
Synthetic identity theft differs from previous types of identity theft in the way stolen data is used, assembled, applied, and detected:
- With traditional identity theft, the thief impersonates a person’s entire identity, whereas synthetic identity theft steals parts of a person’s identity to create an artificial identity
- Traditional theft may rely on a single source, such as a stolen password, while synthetic theft combines data from multiple real and fictional credentials
- Conventional identity theft scams use stolen data to open accounts or make purchases using the person’s original identity, while synthetic scams use data to perpetrate fraud using false identities which resemble real identities superficially
- Conventional identity theft tends to get detected when someone notices phony charges on their bills, while synthetic theft may go undetected because the synthetic identity isn’t known to the owner of the original identity
These distinctions make synthetic identity theft more sophisticated and challenging to detect than traditional impersonation scams.
Detecting Synthetic Identify Theft
Synthetic identity theft is difficult to detect for several reasons. The synthetic identity represents a non-existent person or business composed of pieces of real accounts, so the warning signs which accompany the impersonation of real individuals may go under the radar for a while. If the perpetrator is using the SSN of a small child, the fake identity may be used for years before anyone notices. Even when the victim is older, the thief may spend a long time building fake credit before disappearing with unpaid debt. Only then do creditors contact the original information owner to inquire what’s wrong. By then, the thief may be using another new identity, and the stolen money may be in a bank account in another country.
What Are the Consequences of Synthetic Identity Theft?
Synthetic identity theft affects the victims whose data is stolen and the institutions targeted for fraud. An individual or business whose identity is stolen may come under suspicion by authorities, potentially placing them in legal jeopardy. Even if they can prove their identity was stolen, they may face hassles when applying for credit cards or loans. Fortunately, as long as consumers report identity theft promptly, their financial liability for misuse of their accounts is limited to $50.
But the full impact of synthetic identity theft goes beyond this. Financial institutions and retailers also are victims of synthetic identity theft. Because consumers’ liability for repaying the cost of theft is limited, financial providers and retailers end up eating the costs of synthetic identity fraud. Moreover, their customers may hold them responsible for failing to take preventive measures, hurting their brand reputation.
How to Prevent Synthetic Identity Theft
To guard against the financial loss and brand damage associated with synthetic identity theft, security experts recommend that financial providers, fintech companies, eCommerce retailers, and other affected businesses take several preventive measures:
- Following Know Your Customer (KYC) best practices to authenticate the identity of new customers
- Using artificial intelligence machine learning to cross-reference customer data with other databases and automate the process of detecting suspicious data patterns and discrepancies
- Implementing multi-factor authentication to confirm customer identity during transactions
- Adopting biometric identification methods such as facial recognition to strengthen customer authentication procedures
Taking these steps can reduce the risk of you and your customers falling prey to synthetic identity theft.
Protect Your Company and Customers from Synthetic Identity Theft with Incode
Stealing digital credentials and using them to build synthetic identities has become a favored tactic of cybercriminals, and financial service providers often end up footing the bill. Fortunately, you can protect your company by deploying automation to implement powerful new security strategies such as machine learning and biometric authentication. The Incode Omni platform provides an end-to-end identity authentication platform that lets you implement robust security procedures while delivering a fast, frictionless experience for online customers. Contact our team to schedule a demo and see how we can help you protect your company and customers from synthetic identity theft.