Synthetic identity fraud (SIF)

What is Synthetic Identity Fraud (SIF)?

Identity fraud is a crime in which perpetrators obtain personally identifiable information belonging to an individual and assume that individual’s identity to commit fraud. In identity fraud, criminals may use a person’s credit card information to make unauthorized charges, or apply for credit or government benefits. Identity-related crime is growing in sophistication, intensity, and frequency.

Synthetic identity fraud (SIF) is different. SIF is a crime in which perpetrators combine real and fictitious identifying information to create new identities with which they defraud financial institutions, government agencies, or individuals. It is important to understand that in synthetic identity fraud, the resulting identity and profile are not associated with a real person; it is a new identity.

Synthetic identity fraud can be achieved through identity fabrication (a completely fictitious identity is created) and identity manipulation (modified real information, or a combination of real and fake information, is used for a new identity). SIF can go undetected for years. Assembling a new identity used to be the specialty of spies; now it is also part of the modus operandi of state-sponsored groups, organized crime, and even individuals.

National security programs in many countries rely on verifying a purported identity against a list of suspected bad actors or terrorists. Criminals and terrorists use synthetic identities to enter countries or move around undetected. SIF criminals have successfully used synthetic identities to obtain state-issued identity documents necessary to acquire passports. SIF has also been used to finance terrorists and criminals over long periods of time.

SIF impacts national security in other ways too. It gives organized crime and nation states the opportunity to obtain and launder illicit profits, and to harm the economic stability of households, enterprises and governments.

The trend to digitize almost all financial transactions and government benefits creates opportunities for criminals, terrorists, and spies. It’s much easier to impersonate someone online than it is in person. The large number of data breaches across all sectors of the economy has exposed all the personal information anybody would need for SIF, and everybody can purchase this information.

SIF is often used in other crimes too. Sexspionage and romance scams occur when a perpetrator adopts a fake identity to gain a victim’s affection and confidence. The perpetrator uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim. The people who carry out romance scams are experts at what they do and will seem genuine, caring, and believable. Their intention is to quickly establish a relationship, gain trust, and eventually ask for money or information.

What is the solution to Synthetic Identity Fraud (SIF)?

Biometric identification and verification technologies are the answer to SIF. They are necessary for banking services, international and domestic travel, access to sensitive facilities and information, government benefits, voting rights and so many other areas that are exploited by threat actors.

A biometric identifier is a measurement of a physical characteristic of an individual which, when captured in a database, can be used to verify the identity or check against other entries in the database. Fingerprints, facial recognition, iris scans, voice recognition, and anthropometry (body measurements) are some examples. New sensors and algorithms and new technologies can dramatically improve identification and verification.


Steps, from the US Government Accountability Office (GAO)

A typical process to create and build a synthetic identity involves the following steps:

Step 1: Perpetrators steal or purchase hacked public or private databases that contain personally identifiable information. They combine this information to make new identities.

Step 2: Perpetrators use the synthetic identities to apply for lines of credit, typically at a bank. The bank submits an inquiry to credit bureaus about the applicant’s credit history. The credit bureaus initially report that an associated profile does not exist, and the bank may reject the application; however, the credit inquiry generates a credit profile for the synthetic identity in the credit bureaus’ databases.

Step 3: Once the synthetic identity is established via the credit profile, the perpetrator again applies for and ultimately receives credit. At this stage, the perpetrator will typically apply for multiple credit cards and other products marketed to consumers who are new to credit.

Step 4: SIF perpetrators maintain good credit over time to build up credit limits and apply for more cards. They also exploit credit bureau procedures to improve their credit history by getting legitimate credit users to act as accomplices and add synthetic identities as “authorized users” on accounts in good standing. Criminals may also build credit history by adding the synthetic identities as “authorized users” to other credit accounts they have obtained using different synthetic identities.

Step 5: Eventually SIF perpetrators exploit financial institutions by, for example, charging the maximum amount on credit cards and not paying the bill. This stage of the fraud is known as the “bust-out.” Perpetrators may also launder the money between multiple accounts. They may also use the synthetic identities to fraudulently obtain government benefits or illegally obtain work.

Synthetic Identities, from the US National Credit Union Administration

What do you get when you combine real identity data with fabricated data? You get what is commonly termed a “synthetic identity.” It exists only in the virtual world but can wreak havoc in the real one.

The foundation of a synthetic identity is personally identifiable information along with a compromised Social Security number that acts as the essential linchpin. In order to avoid detection, fraudsters prefer to use Social Security numbers of those least likely to use credit, such as the elderly and children.

This synthetic identity may be comprised of one person’s name, a second person’s Social Security number, a third person’s physical address, and some fabricated information such as a fictitious place of employment. This semblance of an identity — made from combining just enough real data and just a bit of fake data — allows fraudsters to apply for credit, make major purchases, and establish a convincing financial history over time.

And the use of synthetic identities is growing. According to the Justice Department, synthetic identities derived from compromised Social Security numbers is one of the fastest growing forms of identity theft in the United States. TransUnion reports that a record $355 million in outstanding credit-card balances are owed by people who it suspects did not exist in 2017. Lastly, Accenture PLC listed synthetic identity fraud as one of the biggest threats facing financial institutions in 2018, and reports it will cost billions of dollars and countless hours as financial institutions “chase down people who don’t even exist.”

The difficulty in detecting the fraudulent use of Social Security numbers is, in part, an unintended consequence of the Social Security Administration’s attempt to reduce identity fraud. In the past, a Social Security number was comprised of a three-digit geographic number, a two-digit age group number, and a four-digit serial number. However, in July 2011, the agency began randomizing Social Security numbers partly in response to concerns that fraudsters could reconstruct them from public records. Because of randomization, financial institutions can no longer pair a Social Security number with a credit applicant’s place and date of birth to help verify the applicant’s identity.

An active synthetic identity fraud also creates a fragmented credit file. A fragmented credit file refers to additional credit report information, comprised of some combination of real and fabricated data, tied to a valid Social Security number. Negative information entered into a fragmented file that is linked to a consumer’s Social Security number has the potential to cause real world harm. For example, if a synthetic identity fraud results in a defaulted loan, the fraud can result in harm to a real consumer’s credit rating even though the name and date of birth attached to the fraud are different. Credit blocks and alert notification services tied to a valid credit file are not effective when it comes to monitoring activity on a fragmented credit file.

Often credit unions rely on data analytics or information provided by third parties to detect traditional forms of identity fraud. Data analytics typically focus on suspicious activity, such as accounts with large transactions, transactions made in geographic areas deemed high-risk, and patterns of insufficient payments or bounced checks. They often look for rapid changes in customer behavior consistent with traditional identity fraud. Unfortunately, building a financial history with a synthetic identity is typically a slower process, so a credit union may not realize an account is fraudulent until after fraud has already occurred, if at all.

Despite the difficulty, there are a few things a credit union can do to increase its chances of identifying a possible synthetic identity.

These include:

- Utilizing a more effective data analytic tool that flags seemingly unconnected accounts based on similar data fields such as a phone number;

- Monitoring for any Social Security number that matches a different consumer while no credit file is available for the requested applicant; and

- Monitoring for credit files where the name and address of the applicant match, but the Social Security number matches a different consumer and vice versa.
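The three checks above can be expressed as a small screening routine. The following Python sketch is an added example, not code from the NCUA or from this page; the record layout, the function names and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample data: all values are fictitious (SSN area 000 is never issued).
APPLICATIONS = [
    {"id": "A1", "name": "Dana Reyes", "ssn": "000-11-0001", "phone": "555-0100", "address": "12 Elm St"},
    {"id": "A2", "name": "Lee Morgan", "ssn": "000-11-0002", "phone": "(555) 0100", "address": "98 Oak Ave"},
    {"id": "A3", "name": "Pat Quinn", "ssn": "000-11-0003", "phone": "555-0177", "address": "7 Pine Rd"},
    {"id": "A4", "name": "Sam Ortiz", "ssn": "000-11-0004", "phone": "555-0188", "address": "40 Lake Dr"},
]
# Constructed stand-in for the credit files a bureau lookup would return.
CREDIT_FILES = [
    {"name": "Maria Silva", "ssn": "000-11-0001", "address": "3 Bay Ct"},
    {"name": "Pat Quinn", "ssn": "000-11-0009", "address": "7 Pine Rd"},
    {"name": "Chris Vale", "ssn": "000-11-0003", "address": "5 Hill Ln"},
    {"name": "Sam Ortiz", "ssn": "000-11-0004", "address": "40 Lake Dr"},
]

def norm(value):
    """Compare on lowercase alphanumerics so formatting does not hide a match."""
    return re.sub(r"[^a-z0-9]", "", value.lower())
def person_key(rec):
    return (norm(rec["name"]), norm(rec["address"]))

def shared_field_clusters(apps, field):
    """Check 1: applications under different names that share one field value."""
    groups = defaultdict(list)
    for app in apps:
        groups[norm(app[field])].append(app)
    return {value: sorted(a["id"] for a in group)
            for value, group in groups.items()
            if len({norm(a["name"]) for a in group}) > 1}

def bureau_flags(app, files):
    """Checks 2 and 3: the SSN resolves to a different consumer than the applicant."""
    ssn_owner = next((f for f in files if norm(f["ssn"]) == norm(app["ssn"])), None)
    has_file = any(person_key(f) == person_key(app) for f in files)
    if ssn_owner is None or person_key(ssn_owner) == person_key(app):
        return []  # SSN unknown to the bureau, or it belongs to this applicant
    if not has_file:
        return ["ssn_matches_other_consumer_no_applicant_file"]
    return ["name_address_match_but_ssn_matches_other_consumer"]

def review_queue(apps, files):
    """Map application id -> reasons it should go to manual review."""
    reasons = {app["id"]: bureau_flags(app, files) for app in apps}
    for ids in shared_field_clusters(apps, "phone").values():
        for app_id in ids:
            reasons[app_id].append("shared_phone")
    return {k: v for k, v in reasons.items() if v}
```

Calling `review_queue(APPLICATIONS, CREDIT_FILES)` queues A1, A2 and A3 for review and leaves A4, whose SSN, name and address all agree with one credit file, untouched.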

Likewise, there are a few things consumers and credit union members can do to determine if their Social Security number is associated with a synthetic identity:

- Check their annual Social Security statement to ensure that the reported income figure is in line with what was actually earned.

- Be on the lookout for mail that is sent to their home with someone else’s name on it.

What Are Identity Theft and Identity Fraud? From the US Department of Justice

Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.

The most common ways that Identity Theft or Fraud can happen are:

- In public places, for example, criminals may engage in "shoulder surfing" – watching you from a nearby location as you punch in your telephone calling card number or credit card number – or listen in on your conversation if you give your credit-card number over the telephone.

- If you receive applications for "pre-approved" credit cards in the mail, but discard them without tearing up the enclosed materials, criminals may retrieve them and try to activate the cards for their use without your knowledge. Also, if your mail is delivered to a place where others have ready access to it, criminals may simply intercept and redirect your mail to another location.

- Many people respond to "spam" – unsolicited E-mail – that promises them some benefit but requests identifying data, without realizing that in many cases, the requester has no intention of keeping his promise. In some cases, criminals reportedly have used computer technology to steal large amounts of personal data.

With enough identifying information about an individual, a criminal can take over that individual's identity to conduct a wide range of crimes. For example:

- False applications for loans and credit cards,

- Fraudulent withdrawals from bank accounts,

- Fraudulent use of telephone calling cards or online accounts, or

- Obtaining other goods or privileges which the criminal might be denied if he were to use his real name.