Why Synthetic Identity Fraud Is More Sinister Than Traditional Identity Theft

Community banks and other smaller financial institutions need to recognize one of today’s most troubling cybersecurity issues—synthetic identity fraud.

Traditional identity theft is bad enough, but synthetic identity fraud affords criminals even greater access to money that doesn’t belong to them. As a result, it’s time to learn how this financial crime is carried out, why it’s growing and how your institution can help stop it.

Manufactured Identities Versus Stolen Ones

Traditional identity theft has garnered significant attention over the last decade. The consequent increased consumer awareness and development of more robust identity theft mitigation technologies and tactics has made this financial crime more difficult and costly. Unfortunately, criminals are undeterred and continue to look for workarounds.

Whereas traditional identity theft steals all aspects of a person’s identity, synthetic identity fraud manufactures all or part of a new, artificial identity. The Federal Reserve white paper, Synthetic Identity Fraud in the U.S. Payment System, describes the three different ways that a synthetic identity can be created:

• Identity fabrication only uses fake information.

• Identity manipulation slightly modifies real personally identifiable information (PII).

• Identity compilation combines real PII—often a social security number— along with manufactured PII.

Multiple Motivating Factors

Like traditional identity theft, criminal organizations and individual fraudsters create synthetic identities to steal or launder money. They can then use it for their own benefit or to fund illicit activity such as drug trafficking or terrorism.

Additionally, some specific motivations for synthetic identity fraud involve particular groups:

• Disreputable credit repair businesses: Rather than work with clients to repair their credit through legitimate means, these firms create synthetic identities for them.

• People without social security numbers: Illegal immigrants who lack a social security number create a synthetic identity that can be used to participate in the financial or healthcare systems or for illicit purposes.

• Individuals with problematic histories: Those with felony convictions, bankruptcies, foreclosures or other derogatory records create a synthetic identity to hide their past and gain access to new credit.

Although these motivating factors may not be as malicious as pure theft and money laundering, they are still illegal and pose a significant risk to financial institutions.

Synthetic Identify Fraud: The Patient Crime

Synthetic identity fraud is the exact opposite of a snatch-and-grab crime. In fact, criminals exhibit a tremendous amount of patience to reap their reward.

Here’s how it works:

• Meticulous set-up: Criminals go to great lengths to fabricate new identities. For example, as they cobble together real and fake personally identifiable information (PII), they create fictitious identity documents and even set up social media accounts with photos and posts to create the veneer of a legitimate persona.

• Undeterred application for credit: Synthesized identity are used to apply for credit. With no prior credit history, the bank or credit card company typically denies the request. However, the financial institution’s act of pulling a hard credit inquiry at credit bureaus triggers a new credit file for this fake identity, which makes it look more real. Criminals then continue applying for credit elsewhere until someone finally approves them for a limited credit amount.

• Steady account usage: Criminals begin by charging small amounts to the new card or line of credit and paying it off on time and in full. Their good behavior is eventually rewarded with higher credit limits, which they continue to use and pay off to raise them higher.

When the criminals attain their desired credit limit, they max out its usage and disappear. This is called busting out.

Scalability on Steroids

Compared to other types of financial fraud, such as account takeover or traditional identity theft, criminals can scale up synthetic identity fraud much more, making for greater payday potential. There are a few methods that allow them to build more credit:

• Piggybacking accounts: Criminals add multiple authorized users to unwitting account holders, to knowing but compensated account holders, or to other established synthetic identity accounts.

• Creating fake businesses: Criminals establish a sham business with credit card terminals to run up charges on synthetic identity accounts.

• Colluding with shady merchants: Criminals partner with a co-conspirator that already has credit card terminals for the same purpose.

Unwitting Victims as Targets

Traditional identity theft can and does happen to almost anybody with a valid social security number. However, perpetrators of the synthetic version are more discerning. They strategically choose the social security numbers or other PII of those least likely to notice or take steps to protect themselves if their PII is compromised.

The most vulnerable identities include those of:

• Children, who likely won’t apply for credit until they are at least 18
• Anyone issued a social security number after they became randomized in 2011
• Senior citizens who no longer need new credit
• The homeless, who rarely interact with the financial system
• Deceased persons no longer using their identities

Engineered to Go Undetected

This crime is designed to remain undetected for as long as possible.

During the application process, efforts to make the fake identity appear real help criminals slip through know-your-customer due diligence. Furthermore, their work to build a good credit history helps ensure approval. As the targets described above don’t notice anything is amiss, they also don’t report a stolen social security number for a long time, if ever.

Once credit is extended, the bank has no reason to suspect fraud because the account holder consistently makes payments.

Finally, at the bust-out phase, criminals add insult to injury by taking advantage of delays in payment posting. In Detecting Synthetic Identity Fraud in the U.S. Payment System, the Federal Reserve describes the process. Criminals pay off a maxed-out balance with another fake or fraudulent account, freeing up the credit limit for further use. They quickly max out the balance again before the payment is rejected, thus doubling their profit before disappearing for good.

Two Risk Issues in One Crime

Not only do these criminals defraud the bank with a fake identity, but they leave behind uncollectible debts that drive up charge-offs. This makes synthetic identity fraud a dual-risk issue for financial institutions. McKinsey warns that many banks may not realize the risk in their credit portfolios, referring to undetected synthetic identities as hidden time bombs.

The Ultimate Victim

Even though the original victim’s PII is stolen, and that will need to be rectified through identity recovery measures, financial institutions are on the hook for the monetary cost of these crimes. That cost grows every year. Aite Group estimates that the cost of synthetic credit card fraud more than doubled between 2015 and 2020 from $580 million to $1.257 billion.

8 Tips for Combatting Synthetic Identity Fraud

Large banks and major credit card companies face the biggest direct risk from synthetic identities, but a CNBC story describing the impact to one federal credit union proves that smaller institutions are not immune.

Additionally, with the vast amount of PII for sale on the dark web, your customers and their family members could be affected even if your institution is not.

Here are eight practices that community banks and credit unions can do to thwart synthetic identity fraud:

1. Educate staff about its common characteristics and uses.

2. Spread the word to your customers and explain how to protect the oldest and youngest members of their families.

3. Update application procedures to better detect red flags such as multiple applications from the same phone number or IP address.

4. Adopt stronger identity verification measures such as biometric screening.

5. Once widely available, consider subscribing to the Social Security Administration’s new electronic Consent Based Social Security Number        Verification (eCBSV) service.

6. Build stronger relationships with your customers to truly know

7. Determine how to accurately identify and label charge-offs from synthetic identity fraud.

8. Participate in information-sharing with law enforcement and other institutions.

With the above in mind, your institution can do its part to be cyber smart.