Why Criminals Like AI for Synthetic Identity Fraud

As generative artificial intelligence (GenAI) technology becomes more widely available, cybercriminals will likely take advantage of it to enhance their synthetic identity fraud capabilities. Unfortunately, current fraud detection tools might not be enough to address the rising threat, which could spell financial losses in the coming years, experts say.

Synthetic identity fraud refers to a compilation of stolen or fabricated personal information that is used to create an individual who exists only digitally. This information could include attributes belonging to real people, such as birth dates and Social Security numbers, as well as counterfeit traits, like email addresses and phone numbers.

Synthetic identity fraud has risen so rapidly that many cybersecurity professionals question how soon technology will be available to address the threat. A Wakefield Research survey of 500 fraud and risk professionals last fall found that 88% of respondents believe AI-generated fraud will worsen before new technology is created to prevent it.

Easy Tech, Lower Barrier to Entry

Cybercriminals have been turning to GenAI to create deepfake videos and voice prints of real people to defraud companies, says Matt Miller, principal of cybersecurity services at KPMG US. The rise of large language models and other similar AI technology has made false image generation easier and cheaper for cybercriminals to misuse.

Cybercriminals' use of GenAI varies based on their level of sophistication, says Ari Jacoby, founder and CEO of Deduce. In the past, bad actors either had to write their own scripts or commission a software developer to write them. But with the rise of GenAI, cybercriminals can turn to these tools to write a malicious script quickly and cheaply.

For example, a malicious actor can instruct the GenAI application, "Please create an accurate New York driver's license," and it will be able to fabricate documents using photos of real people readily available online, Jacoby says.

He also notes that existing defenses intended to prevent counterfeit IDs will "get crushed" by GenAI.

"If you want to use that data that already exists for almost everybody to create a selfie, that's not hard," Jacoby says. "There's an enormous group of bad guys, bad folks out there, that are now weaponizing this type of artificial intelligence to accelerate the pace at which they can commit crimes. That's the low end of the spectrum. Imagine what's happening on the high end of the spectrum with organized crime and enormous financial resources."

Copycat versions of AI tools like ChatGPT are also available on the Dark Web, says Nathan Richter, senior partner at Wakefield Research.

Getting Worse Before Better

The Wakefield Research survey data shows organizations are already being affected by the rise in synthetic identity fraud. According to the report, 76% of respondents said they think their organizations have customers using synthetic identities that have been approved for an account. The fraud and risk professionals surveyed also estimate that synthetic identity fraud has risen, on average, by 17% over the past 24 months.

Nearly a quarter (23%) of respondents estimated that the average cost of a synthetic fraud incident is between $10,000 and $25,000. Another fifth of respondents estimated that synthetic identity fraud incidents cost between $50,000 and $100,000. For financial firms, the cost impact of synthetic identity fraud could be high.

Many cybersecurity professionals see the problem of synthetic identity fraud becoming worse before it gets better. The Deloitte Center for Financial Services predicts that synthetic identity fraud could lead to $23 billion in losses by 2030.

The openness among survey respondents to discuss the issue suggests that synthetic identity fraud is becoming more pervasive, Richter says.

"Typically, when you do research among highly trained professional audiences, there's a certain amount of professional pride that makes it difficult to admit any kind of fault or problem," Richter says. "We don't have that problem here for the most part. We have respondents that are readily admitting this is an enormous issue. It's resulting in significant losses per incident, and it's expected to get worse before it gets better. I can tell you, as a researcher, that is extremely rare."

Fighting Fraud With Cyber

Tackling this problem requires companies to adopt a multilayered approach, says Mark Nicholson, principal of cyber and strategic risk at Deloitte. Part of the solution entails using AI and behavioral analytics to distinguish between real customers and fraudsters.

Beyond verifying a customer's identity at a particular point in time, companies, especially in financial services, need to understand customers' behaviors over a longer period and continue to authenticate them during those interactions, Nicholson says. In addition to behavioral analytics, companies are weighing other options, such as harnessing biometric data, third-party data, fraud data sources, risk assessors, and session-monitoring tools.

"Just as we contend with zero-days and we patch applications, we're going to have to understand how generative AI is being used on a continuous basis and adapting as quickly as we can in response," Nicholson says. "There's no silver bullet, I don't think. And it's going to take a concerted effort by everyone involved."

Besides their cybersecurity tools, companies also must evaluate the human risk factors that have emerged with the rise of GenAI and synthetic identity fraud and begin to train employees to spot those risks, Miller says. Companies must understand where their processes are susceptible to human error.

"Can your leadership call up your treasury department and move money just with a voice phone call? If your CEO was deepfaked or your CFO was deepfaked, could that result in financial loss?" Miller says. "Look at some of those process controls and put counterbalances in place where necessary."

The Biden administration's executive order introducing new standards for AI safety and security is a good first step, but more regulation is needed to safeguard the public. Though tech companies are lobbying for self-regulation, that may not be enough to address the rising threat of AI, Jacoby says, adding that self-governance has not been beneficial for consumers in the past.

"I don't think that the talking heads on Capitol Hill understand all of the ramifications, nor should we expect them to in the early innings of this game," Jacoby says. "It's very difficult to regulate these things."

In addition to regulatory and policy controls, Miller says he foresees technological controls being implemented so that AI can be used in a manner that stakeholders agree is appropriate. However, while those restrictions are being worked out, companies must remain diligent because digital adversaries are able to build their own models and infrastructure to execute fraud.

Ultimately, AI companies will have to play a role in mitigating the risks associated with the technology that they've created.

"It's incumbent upon the institutions that are providing this technology to not only understand them, but to really understand the risks associated with them and be able to educate on the proper use and also be able to control their own platforms," Miller says. "We always talked about it in cyber historically as spy versus spy, but in many cases we're now seeing AI versus AI."