In early 2013, 18 people were charged in a $200 million international credit card scam which involved more than 7,000 fake identities and more than 25,000 fraudulent credit cards[1].
This case is the cookie cutter template for the typical synthetic identity fraud scam, where fraudsters fabricate identities to obtain credit cards, build up the spending power of those cards, then spend as much as they can, then walk away from debt.
If you deal with any kind of financial transactions, whether you are part of a financial institution, government, healthcare, or even retail ecommerce, you are probably saying to yourself right now – what is synthetic fraud, how can I detect it, and most of all, how can I prevent it.
Synthetic Identity Fraud can be difficult to detect
By now, we’ve all heard about identity fraud. Between 2017-2018 the volume of personal information exposed in data breaches increased by 126% with more than 446 million records exposed[2], making personal data such as bank account login credentials, drivers licenses, credit card numbers, social security numbers and other sensitive data readily available to fraudsters. With identity fraud, a fraudster uses this information to pretend to be another real person, often taking over a financial account, or using the victim’s credit. This type of fraud happens quickly and is detected & reported relatively quickly when a victim notices an unusual charge on their statement.
Synthetic identity fraud happens over a much longer period of time, sometimes years, and is much more difficult to detect. It often goes unreported because there are no individual victims, and so no one to alert the financial institution or business to the unusual activity.
Synthetic Identity Fraud occurs when a fraudster creates an identity by cobbling legitimate (and sometimes fake) information together, eg., name, address, social security number, date of birth, email and phone number. This new identity does not tie back to a real-person, and a fraudster may create many such identities to maximize their revenue potential.
Cleverly disguised, 85-95% of synthetic identities slip into the financial system undetected[3], bypassing standard screenings. To financial institutions, they may look like a legitimate customer that is new to credit, like a young adult, or a new to country. Unfortunately, once in the system, over time, as these fraudulent identities become established and mature, they even begin to appear as very desirable customers.
How does synthetic fraud play out?
There is a common pattern of 4 critical steps:
Create a synthetic identity
Establish the legitimacy
Increase creditworthiness and credit limits
Bust out
#1 Create a synthetic identity
The first step for these criminals is to create a fraudulent identity. They can just make elements up, like 123 Rainbow Rd., Neverland, AM. But… fraudsters being the clever people they are, know that financial institutions are required by the US Patriot Act to do a process called KYC. Know Your Customer, where they are required by law to collect name, date of birth, address, and social security number or tax payer number for any user opening a new account. Often, the fraudster will cobble together legitimate names, addresses, and social security numbers, so they will pass a check when scrutinized for validity.
The social security number is one of the key elements that allows a consumer to establish credit. It is believed that one of the drivers behind the increase we see in synthetic identity fraud, was the 2011 change to the way that the Social Security Administration issued Social Security Numbers. Rather than generating the number based on a person’s location and year of birth, they switched to random number generation[4].
When fraudsters create a synthetic identity, they will commonly use the social security numbers of individuals less likely to notice the exploitation such as elderly, or homeless, and even children.
Children’s social security numbers are especially valuable because unused numbers can be paired with any name and birth date, and chances of discovery of this use is low. It often takes 10-15 years before the theft is detected, as parents don’t typically monitor their children’s identities. More than 1 million children were the victims of identity fraud in 2017[5] and child social security numbers are 51 times more likely to be used in synthetic identity theft[6].
#2 Establish the legitimacy
Once an identity has been created, the fraudster then has to bring it forth into the world. The easiest way to establish legitimacy, is to start to get this synthetic identity into the credit bureau. The most common ways this happens:
Apply for credit cards. The act of applying, whether online or at a branch, approved or denied establishes a record with the credit bureau, legitimizing the identity.
Apply for secured credit card. This can be an easier path for the fraudster, as this is a product designed to help people establish credit.
Piggybacking (a technique used by these fraudsters about 50% of the time[7]). By adding an authorized user on the account of another individual with good credit, the authorized user inherits the good credit history and positive credit score of the parent account and is a quick way to establish credit for the newly created synthetic identity.
#3 Increase creditworthiness and credit limits
Once a synthetic identity has been planted in the financial system, they look and behave like normal consumers, and the identity can be nurtured for months and sometimes even years.
These accounts may even support the fostering of other synthetic identities, serving as the parent account for other synthetic authorized users on the same credit card.
Fraudsters will cultivate these accounts by making small purchases and paying these off to build good repayment histories. They will open new credit cards, bank accounts, transfer funds, pay bills (on time) so they can improve their credit history.
They may open personal loans, or take out auto loans, but their goal is to get as many lines of credit and increase their credit limits to as much as possible to maximize their eventual payoff. Through a technique called “loan stacking”, these fraudsters take advantage of lenders fast turnaround times and inability to verify multiple loan applicants in a short period of time. Financial institutions can be eager to provide these loans because they look like great customers to the bank.
#4 Bust out
Once the fraudster has built up what they deem adequate credit payoff, they execute a “bust out” – maximizing all their credit lines at one time with no intent to repay. If an auto loan is involved, they could drive away with a brand new car, and the lender would have no one to pursue.
And then to make matters worse, they may try to multiply their payouts by filing a claim with the financial institution, indicating that they (their fictitious entity) were the victim of identity theft, and dispute the loss. This could result in charges being reversed and credit lines reopened.
Under the Fair Credit Reporting Act, banks are required to respond to these disputes in a set period of time. They may trigger a flood of claims, to reduce the chance that the financial institution can complete a full investigation within this window. If they are able to successfully close a dispute, their credit won’t be negatively impacted, and they can continue to use their synthetic identity.
This is happening at your financial institution
According to the Federal Reserve, synthetic identity payments fraud is the fastest-growing type of fraud in the US, this number is only going to go up. In 2016, this represented more than $6 billion in losses, a big hit for a financial institution.
To understand the impact to you, understand that synthetic fraud represents more than 5% of charged-off accounts AND 20% of credit losses. At an average charge-off balance of $15K per instance of synthetic identity fraud, you can see how this quickly adds up. This number doesn’t even take into account any expenses associated with trying to recover funds from a person that doesn’t exist.
What can you do about it?
Detecting synthetic identities can be a tricky matter. One of the steps you can take is to reframe the questions you ask about these customers. For example, instead of asking “Is this really the applicant?”, you can ask “is the applicant real?”
There are common signals to Synthetic identities:
Synthetic identities appear out of nowhere: First appearance is with the credit bureau
Depth of relationships: They will have no parents, no family, no friends, no associates
They have no history – no birth records, no driver’s license or other DMV records, no passports, no house or property ownership, no utility bills, passports, professional licenses…
They may have an unusually large number of authorized users on an account
For example: A product manager is likely to have worked at a couple of different companies (employment history), have had a cell phone (telecom records), have an email that was set up years ago (email records), may have lived at multiple residences (address records), may even own property (property records), could have had a student loan 10 years ago (financial records), probably drives a car (DMV records), and social media accounts.
Basic best practices for detecting fraud include, using machine learning and artificial intelligence to learn customer behavior patterns and identify anomalies. Analyze and connect a multitude of data sources including 3rd party data. Look at data not only across accounts and portfolios, but across organizations, as fraudsters will typically target multiple organizations with the same data.
Be sure to look at the individual’s digital identity or profile as well as the physical identity to understand the whole customer behavior patterns. When checking personally identifiable information, don’t only check to see if the information is legitimate, but make sure it all belongs together, and that there isn’t any fraud associated with the elements.
Check for unusual occurrences, and patterns such as –
A high volume of account applications for credit products from same IP or device, or associated with the same social security number, particularly across organizations
Multiple names or addresses tied to same IP address/device/email/phone/social security number
Individuals/authorized user on same account that have different surnames or cities
Combatting synthetic fraud should not be done in a silo. Connect with other industry partners and law enforcement to share information, identify trends, behaviors, threats. By leveraging these best practices, you can help improve your ability to detect, mitigate, and reduce your exposure to synthetic fraud
[1] Qureshi, B. (2013, February 5). Retrieved from United States Department of Justice: https://www.justice.gov/usao-nj/pr/eighteen-people-charged-international-200-million-credit-card-fraud-scam
[2] Lacey, C. (n.d.). 2018 End-of-Year Data Breach Report. Retrieved from Identity Theft Resource Center: https://www.idtheftcenter.org/2018-end-of-year-data-breach-report/
[3] Slipping through the cracks: How synthetic identities are beating your defenses. (n.d.). Retrieved from ID: Analytics: https://www.idanalytics.com/wp-content/uploads/2018/11/Synthetic-Identity_Slipping-through-the-cracks_Executive-Summary.pdf
[4] (Social Security. (n.d.). Retrieved from Social Security Randomization: https://www.ssa.gov/employer/randomization.html
[5] Child Identity Fraud Hit More Than One Million U.S. Victims in 2017 According to New Javelin Strategy & Research Study. (2018, April 24). Retrieved from Javelin: https://www.javelinstrategy.com/node/59561
[6] Power, R. (2011, March 9). Child Identity Theft. Retrieved from Carnegie Mellon CyLab: https://www.cylab.cmu.edu/_files/pdfs/reports/2011/child-identity-theft.pdf
[7] (Cunha, J. (2019, October). Detecting Identity Fraud in the US Payment System.Retrieved from Federal Reserve: https://fedpaymentsimprovement.org/wp-content/uploads/frs-synthetic-identity-payments-fraud-white-paper-october-2019.pdf
Comentários