What is Synthetic Identity Fraud?
Synthetic identity fraud is a problem that is growing in sophistication, intensity and frequency. A synthetic identity is a combination of fabricated credentials where the implied identity is not associated with a real person. Fraudsters may create synthetic identities using potentially valid Social Security numbers (SSNs) with accompanying false personally identifiable information (PII). For example, the synthetic may have a real, “shippable” address and the SSN may appear valid, but the combination of SSN, name, and date of birth does not match any one person.
A major contributing factor to the heightened risk associated with synthetic identities is the implementation of social security number randomization, the Social Security Administration’s (SSA’s) new approach to SSN issuance that took effect in July 2011. While this new approach was designed to provide higher safeguards for the public, it has also made it more difficult for fraud detection systems to identify a fictitious SSN.
Compounding the problem is that synthetic identities are not created equally. The method fraudsters use to compose a fake identity has an impact on the level of financial harm a synthetic identity can do and how easily it can be detected.
The methods fraudsters use to create synthetic identities currently fall into two categories:
- Manipulated Synthetics – Synthetic identities based on a real identity where limited changes are made to the SSN and other elements. These are often used by individuals to hide a previous history and gain access to credit and may or may not be used with malicious intent. Individuals with bad credit histories may create fictitious identities to be approved for new credit for legitimate purchases that they intend to repay. The good news for enterprises is that manipulated identities can be detected. The key to identifying manipulated synthetics is that they often collide with the real identity they are augmenting and don’t pass validity checks.
- Manufactured Synthetics – Originally, these synthetic identities were composed of valid data assembled from multiple identities—sometimes referred to as ‘Frankenstein’ identities because fraudsters cobble together bits and pieces of personally identifiable information (PII) from real people to create fake identities. More recently, they are built from invalid information, including SSNs that fraudsters choose from the same range of numbers the SSA now uses to randomly issue SSNs. The PII used to create the account does not belong to any known consumers. This new form of manufactured synthetics is difficult to identify with current techniques.
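The two signals named for manipulated synthetics, collision with a real identity and failed validity checks, can be sketched as follows. This is an added example, not part of the original article; the `Identity` record, the flag names and the `max_ssn_edits` threshold are hypothetical, and the sample record is constructed. A manufactured synthetic built from the randomized range with PII that matches no known consumer returns no flags here, which is the detection gap described above.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Identity:
    name: str
    dob: date
    ssn: str  # nine digits, no separators

# Constructed sample record. 078-05-1120 is the specimen number from a sample
# wallet card that the SSA voided; it is used here only as test data.
SAMPLE_KNOWN = [Identity("Jane Q Sample", date(1980, 1, 2), "078051120")]

def ssn_structurally_valid(ssn: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    if len(ssn) != 9 or not (ssn.isascii() and ssn.isdigit()):
        return False
    area, group, serial = ssn[:3], ssn[3:5], ssn[5:]
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def _norm(name: str) -> str:
    return " ".join(name.lower().split())

def _digit_diff(a: str, b: str) -> int:
    """Count differing positions; unequal lengths count as fully different."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))

def review_flags(applicant, known, max_ssn_edits=2):
    """Return reasons to route an application to manual identity review."""
    flags = []
    if not ssn_structurally_valid(applicant.ssn):
        flags.append("invalid_ssn_structure")
    for rec in known:
        same_person = (_norm(rec.name) == _norm(applicant.name)
                       and rec.dob == applicant.dob)
        if rec.ssn == applicant.ssn and not same_person:
            # The SSN is already tied to a different name or date of birth.
            flags.append("ssn_belongs_to_other_identity")
        elif same_person and 0 < _digit_diff(rec.ssn, applicant.ssn) <= max_ssn_edits:
            # Known name and DOB presented with a lightly altered SSN.
            flags.append("near_match_ssn_for_known_identity")
    return flags
```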
The Dangers of Synthetic Identity Fraud
The true danger of synthetic fraud is that, unlike third-party fraud where an entire identity is stolen and used to defraud enterprises and victims, synthetic fraud frequently has no specific consumer victim. That can sound like a good thing – until you realize that consumer victims are a critical tool in detecting and stopping fraud. The lack of a clear victim presents two challenges to enterprises.
- Without a consumer to alert an organization to fraudulent activity during account life, fraudsters can use synthetic identities to keep accounts open for months to years, garnering credit line increases and improved credit standing, only to eventually max out the credit line and disappear without a trace.
- Once the account charges off, synthetic frauds are often categorized as credit bads, since there is no clear evidence of fraudulent activity. For enterprises, this makes it difficult to identify a synthetic fraud problem – and even harder to know if new defenses are proving effective.
These examples show the difficulty in tracking and quantifying losses from synthetic identities. Additionally, there are often inconsistencies within organizations on what constitutes a synthetic identity and even disagreement on whether this is a fraud or credit problem. Without a paper trail leading to a real person, the true victims of synthetic identity fraud are the lenders and service providers who are left to absorb what can be high-frequency and high-dollar losses.
Protecting Against Synthetic Identity Fraud
In May 2018, new legislation called the Economic Growth, Regulatory Relief, and Consumer Protection Act was passed. The Act includes a provision directing the SSA to make a mechanism available to facilitate the verification of SSNs upon request by a certified financial institution. Currently, in order to verify an SSN, an institution must collect and submit a hard-copy wet signature on an SSA consent form, which is a significant obstacle to using current SSA services. This provision would allow a certified financial institution to obtain consent from a consumer electronically. Electronic consent will allow financial institutions to verify identities more quickly, and at scale, in connection with a credit transaction.
While this regulation has the long-term potential to help reduce synthetic identity fraud, uncertainty around the SSA’s timeline for implementation, and limitations on the industries and use cases that can benefit from it, make the level of impact unclear.
Synthetic identity fraud is a complex challenge that’s growing by the day – solving it requires effective strategies that examine the core issue of identity legitimacy and the typical outcomes. By creating a holistic defense capable of addressing the entire issue, enterprises can better maintain performance once synthetic fraudsters shift their methodology.
Contact ID Analytics today to learn more about best practices and defenses enterprises should consider in combatting this evolving threat.