Faceless Fraud: How Criminals Use Synthetic Identity Fraud to Steal Billions of Dollars

Financial fraud is an ever-present problem.

And, that’s hardly surprising. Those who figure out how to “game the system” are often able to steal huge quantities of money before they are eventually busted, and, for some people, that’s just too much temptation to resist.

But, with the advent of EMV, traditional card fraud methods have become much more difficult and expensive to pull off. Naturally, dedicated fraudsters have come up with something altogether more audacious.

What is synthetic identity fraud?

Synthetic identity fraud is the process of creating a fictitious identity using a combination of real and fabricated information in order to commit financial fraud. Typically, these synthetic identities have a name, social security number, date of birth, address, and everything else you would expect a real person to have. Often, they’ll even have active accounts with online retailers and major financial institutions.

Meet Scott.

Scott is a management consultant living in Santa Monica, California. He has everything you’d expect a man in his position to have: an apartment, a driver’s license, a library card. He applies for jobs, shops on Amazon, and has active magazine subscriptions. On paper, Scott looks like a model citizen and a strong credit applicant.

There’s just one problem; Scott doesn’t exist.

In fact, Scott is a completely fabricated identity, created with only one goal in mind: To acquire as many lines of credit as possible, max them out, and then disappear.

Sound far-fetched? Let’s take a closer look.

The synthetic lifecycle

If you’ve ever applied for credit, you are already aware that a number of criteria must be met. As a starting point, you’ll be asked for your name, home address, date of birth, and social security number (SSN). Simple enough, right?

Of course, to be approved, you’ll also need a reliable payment history and a reasonable credit score. For the average person, these are built over time and are a product of the normal ebb and flow of day-to-day life.

So how can a bad actor possibly manage to fabricate a synthetic identity that’s convincing enough to fool lenders? It can’t be achieved overnight. Not only does it typically require the use of a real physical address (often a rented apartment), it also takes a substantial amount of time to establish the accounts and payment history necessary to make the synthetic identity appear desirable to credit providers.

In fact, at first glance, it seems hardly worth the effort. Sadly, synthetic identity fraud has become a huge issue for lenders, accounting for nearly 20% of all credit losses, and costing in excess of $6 billion in 2016 alone.

And, there have been multiple high-profile cases of synthetic identity fraud.

In 2006, a former credit bureau operator named James Rose was arrested and sentenced to 70 months in prison. His crime? Using his knowledge of the credit system to fabricate over 500 synthetic identities and pocket around $750,000 over a two-year period.

Mr. Rose, and his accomplice, rented 200 apartments across 14 states and setup shell companies to feed bogus data to the credit bureaus in order to “flesh out” his synthetics’ credit files. Once he had successfully acquired credit cards for his synthetic identities, Mr. Rose used the cards to “buy” goods and services from his own shell companies – withdrawing the money as cash from the companies’ ATM cards.

Synthetic identity fraud doesn’t only attract lone wolves. It’s also a highly attractive proposition for organized crime syndicates.

In one case from 2013, a criminal group in New York was arrested after using synthetic identities to steal at least $200 million. The group used 1,800 mailing addresses across 28 states and eight countries, fabricated approximately 7,000 synthetic identities, and acquired more than 25,000 credit cards.

How is this possible?

To many people, it seems incredible that bad actors could fabricate so many convincing synthetic identities. Unfortunately, there are a number of contributing factors that have made this fraud scheme possible:

1. Randomized SSNs

Before 2011, the numbers found in an individual’s SSN meant something – specifically, the geographic region and area number of the individual’s postal address, followed by four digits that were determined serially, and issued in order of application. This was crucial for lenders to determine whether an SSN had been issued. Then, in 2011, the Social Security Administration began to run out of viable SSNs and were forced to randomize SSN issuing, making it far harder today for lenders to determine whether a stated SSN is likely to be legitimate.

2. Growth of credit repair agencies and the use of credit profile numbers (CPNs)

Credit repair agencies help individuals increase their credit scores through a variety of means, most commonly by attempting to have negative markers (e.g., late payments) removed early. While this may seem a helpful service, it really makes the task of distinguishing between good and bad credit applicants much harder. At the same time, bad actors (and some shady credit repair agencies) have started using so-called CPNs to further confuse the process. In reality, CPNs are typically nothing more than stolen SSNs that belong to vulnerable populations, such as children or the elderly.

3. Theft of personally identifiable information (PII)

Let’s be honest, a lot of PII has been stolen or compromised over the past decade. If you care to visit a dark web marketplace, you’ll find thousands upon thousands of personal records for sale. Since synthetic identity fraud relies on a mixture of real and fake information, compromised PII records can be used to add authenticity to synthetic credit applications… and there are plenty of compromised PII records to go around.

4. Appearance of data furnishers

Data furnishing is the process of feeding falsified information to credit agencies for the purpose of fleshing out a synthetic identity’s credit score. Unfortunately, it’s relatively simple to do and has become a common tactic for organized fraudsters.

5. Proliferation of internet and mobile device application channels

Gone are the days when you had to sit in front of a bank manager to apply for a credit card. These days, it’s all done online, making life far easier, quicker, and safer for fraudsters to make applications on behalf of their synthetic identities. To give you an idea of how attractive online application processes are to fraudsters, it has been estimated that they are eight times more likely to be synthetic fraud than in-person applications.

How does synthetic identity fraud affect the healthcare industry?

Through a combination of synthetic identities and maliciously-registered shell companies, fraudsters are targeting a wide range of industries, from Government programs like Medicare and Medicade to insurance and healthcare plan providers.

In the case of healthcare, fraudsters typically use synthetic insurance or CDH-style accounts to purchase expensive “treatments” from their own sham companies and ultimately withdraw the money using ATM cards or by wiring it to foreign bank accounts.

Synthetic identity fraud: best practices & keys to detection

In a post-EMV world, where traditional fraud practices are far harder to pull off, it’s not surprising that fraudsters have found new and innovative ways to game the system. In the long-term, improved consumer authentication will be essential in the fight against increasingly-sophisticated fraud schemes. If we can reliably link accounts with genuine, legitimate account-holders, it becomes much, much harder for fraudsters to operate.

Of course, synthetic identity fraud is happening right now, so it’s also important to understand how synthetic identities can be distinguished from genuine applicants. At face value, it can be extremely difficult to distinguish between the two, but there are some questions we can ask as a starting point:

• Does the applicant have a thin credit file or limited information available via the credit bureau?
• Is there any substantive proof of the applicant’s existence? For example, do they have a driver’s license, social media presence, loans, or insurance products?
• Are there any credit losses tied to the applicant’s address?
• Is the same mobile device tied to multiple accounts?
• Do credit loss transactions link back to the same merchants?

Fraudsters do their best to make their synthetic identities appear as authentic as possible, but there is only so much they can do. For a full explanation of how industry players can help identify and report synthetic identities, click here to view our on-demand webinar: Exploring Synthetic Identity Fraud.