informa

Cybersecurity In-Depth

The Edge

How Criminals Are Using Synthetic Identities for Fraud

Organizations must improve their cybersecurity protocols to detect fraudulent identities and make sure they're safeguarding their consumers’ personal information.

Synthetic identity fraud was already a problem before the COVID-19 pandemic shifted spending and work online, but it is becoming a bigger problem now as criminals take advantage of looser rules around credit and the sheer amount of personal information exposed via data breaches.

The Federal Reserve defines synthetic identity fraud as a fraud attack in which cybercriminals combine real information with fabricated information, such as addresses, dates of birth, or names to build a fake identity that can be used to make purchases. Synthetic identity fraud cost US banks and financial institutions $20 billion in losses in 2020, compared with just $6 billion in 2016, according to the recent "2021 Synthetic Identity Fraud Report" from FiVerity.

Prior to and during the coronavirus pandemic, it has become easier for people to sign up for credit cards, apply for government benefits, and conduct other business online, making it easier for online criminals to create accounts without having to show up in person, says Bruno Farinelli, director of operations and analytics at ClearSale.

Fraud Begins With Stolen Data
For fraudsters, consumers with a thin or nonexistent credit history, such as children or elderly people, are the ideal targets for a fake identity because they aren’t opening lines of credit or checking their credit reports frequently or at all, says David Britton, vice president of global ID and fraud at Experian. These identities can be used for longer periods of time and are ideal for using their Social Security number, he says.

Establishing new credit card accounts or other payment accounts with retailers, banks, and other financial service companies using a fake identity allows fraudsters to house their stolen funds, Britton explained. Their transactions aren't attached to any one victim, making it harder for the companies to detect the accounts are fraudulent.

"They can basically use it and nobody's checking any statements because it wasn't a stolen credit card," Britton says. "So rather than steal a card, they're stealing the data, creating the data to create the card itself."

Over the past few years, major data breaches of major institutions, including the IRS, Equifax, and Experian hacks, have resulted in consumer information being spilled onto the Dark Web. Healthcare records are particularly rich in information that could be used to create synthetic identities, including addresses, children, or spousal information, and other data points that could be exploited.

"The data that is being lost from businesses and that personally identified information, whatever source it comes from — on the Dark Web, it's very easy to go down there if you know what you're doing and find a site that is selling personal identifying information," says Matt Bohlmann, national identity theft program manager for IRS Criminal Investigation.

Look for Signs of Fake Identities
The scale of synthetic identity fraud is difficult to measure, since the attack requires these fake identities to stay under the radar and appear similar to legitimate thin-credit individuals. These fake identities look like customers with excellent credit, with a FICO score of 742, compared with the average consumer who has a score of 698, according to FiVerity. Even so, there are ways to remotely detect synthetic identities.

Companies can use software to cross-check personal information to verify whether a synthetic identity is, in fact, fake by looking for telltale signs such as newer phone numbers or email addresses used to create an account, Farinelli says. Companies can check for characteristics that align with the synthetic identity, such as location, language, time zone, and the device used, Britton says.

The device being used could also provide some clues to help distinguish a fraudster from a true person. For example, the company may scan the device being used in the transaction and detect malware, or find digital signatures or lines of code associated with malicious activity. Another indicator is if the user takes too long to enter a presumably memorized Social Security number, Britton says. Other harder-to-impersonate behavioral biometric authenticators include how a consumer moves the mouse across the screen or holds the mobile device.

A range of industries, including hospitals, sports betting, financial services firms, and government agencies, are common targets for executing synthetic identity fraud, says Eric Leiserson, vice president of marketing at IDology. Nearly a quarter of survey respondents (23%) say they noticed an account opened within the past 12 to 18 months without their consent, up from 19% in 2020. Of those who saw an unauthorized account created or used containing their personal information, more than a third (37%) of survey respondents discovered fraudulent credit card accounts open, followed by checking accounts (19%), online shopping accounts (15%), and savings accounts (12%). The percentage of respondents who saw unauthorized lending, government benefits, medical, and sports-betting accounts opened in their name were all less than 5% each, IDology's survey found.

While synthetic identities represent a relatively small number of consumer accounts, they still are capable of financial damage. The average synthetic identity profile successfully steals between $81,000 and $97,000, according to FiVerity.

Protect Data From Being Abused
Synthetic identities are easy to create because the data elements are readily available. Consumer data needs to be protected so they can't be used this way. Many companies fail to implement even the most basic safeguards, such as resetting passwords from their factory settings, not investing in antivirus software, not backing up data, and not encrypting email systems, Bohlmann says. Much like people implement safety protocols for their homes, like installing cameras and smoke detectors, businesses should invest in safety protocols and cybersecurity plans in case of emergency, he says.

"We're trying to get businesses to be really intentional about setting up your cybersecurity plans and reviewing it, making sure your employees know, and identifying what all your weaknesses are, where your weaknesses might be accessed," Bohlmann says. "Businesses that have all of this data really need to be more intentional than what they would with their house because they have so much information there that could damage individuals."