In January 2020, the Federal Bureau of Investigation reported that the fastest-growing financial crime in the U.S. is synthetic identity fraud.1 Banks and financial institutions (FIs) lost $20 billion in 2020 as a result of synthetic identity fraud.2 This type of fraud occurs when criminals combine fake and real identification information to create an identity that is not real or genuine, aka “synthetic.” Fraudsters can create a synthetic identity by combining personally identifiable information (PII), such as the Social Security numbers (SSNs), addresses and birthdates of multiple people, or by combining real information about a single person with fabricated information. Synthetic identities can also be created when fraudsters use SSNs belonging to children, criminals, the homeless or the elderly. This false identity is used to defraud FIs by opening fake accounts for the following purposes: Making fraudulent purchases, creating bust-out loan schemes, money laundering, terrorist financing, human trafficking or facilitating other types of financial crimes.
Previously, there was no single industry-wide definition to classify synthetic identity fraud. Without a standard definition, it increased the challenges for mitigating risks and prevention. In efforts to raise awareness, in 2020, the Federal Reserve led an industry group of fraud experts to develop a standard definition of synthetic identity fraud. This standard definition, which was released in April 2021, defined synthetic identity fraud “as the use of a combination of PII to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.”3 The Federal Reserve also states that, “This industry-recommended definition helps to serve as an important step toward improving consistent identification and classification of synthetic identity fraud.”4
What Is in a Synthetic ID?
Traditional identity fraud includes a criminal stealing and misusing a person’s actual identity, whereas synthetic identity fraud involves the creation of a completely new identity. This can be achieved through several methods:
- Identity manipulation: Real PII data elements are adjusted slightly to create a new identity.
- Identity compilation: Actual and fabricated PII data elements are compiled together to form a new identity (the most common form of synthetic identity creation).5
- Identity fabrication: A new fake identity is created without the use of any genuine PII.
By combining real and fake information, it becomes much more difficult to identify a fraudster that is using a synthetic identity. In some cases, synthetic identity fraud can go undetected for years. Once the perfect synthetic identity is pieced together, bank accounts can be opened, and money can be accessed and stolen or laundered in myriad ways.
Why Synthetic Identity Fraud Is so Dangerous
One of the most difficult financial crimes to detect is synthetic identity fraud. Victims notice and report unusual activity in their accounts with traditional identity theft; theft. However, with synthetic identity fraud, there is often not a real victim in the traditional sense—meaning no victim reports the fraud. A synthetic identity can pass onboarding and new account opening know your customer (KYC) checks because the method exposes the fact that there is no single database where the given details could be cross-referenced. The PII used to create synthetic identities are often retrieved due to data breaches, phishing scams and even by searching the identification records of children, the unbanked, the homeless, the deceased or incarcerated individuals. These are people who have “thin credit files” or nonexistent credit histories. ID verification systems will not flag any records because they have never appeared anywhere else.
Regarding the fabricated data, there is no shortage of services criminals can use to create fake IDs in seconds. Sophisticated fraudsters will even go as far as creating deepfakes to fool video selfie ID verification services. Also, with the proliferation of data breaches, criminals need only visit the dark web to easily acquire real data and use it to create convincing fake identities.
SSNs Used as Identifiers in Synthetic Identity Fraud
SSNs have not been used as identifiers on driver’s licenses and other public documents since June 25, 2011, when the Social Security Administration (SSA) began to randomly assign SSNs. The SSA clarified that this was implemented to protect the integrity of SSNs and extend the pool of nine-digit SSNs available nationwide.6 By issuing randomized SSNs, the SSA eliminated the significance of the first three digits of the SSN, which were area numbers that previously helped FIs determine an individual’s state of origin. As a result, it is more difficult to detect fraudsters creating synthetic identities using unissued or fabricated SSNs. To help control fraud, the SSA launched an electronic Consent Based Social Security Number Verification (eCBSV) service in 2020 that allows permitted entities (particularly FIs) to verify if an individual’s PII combination matches in Social Security records. The ability to verify PII when consumers file for new credit or submit new account applications is expected to greatly enhance anti-fraud efforts.
Increase in PII Available to Fraudsters
The Identity Theft Resource Center reported that between 2017 and 2018, there was a 126% increase in the number of exposed PII records. In addition, data breaches exposed more than 446 million records.7 The increased volume of PII available for synthetic identity building comes as a result of social engineering, personal information shared on social media and other risky behaviors. A large amount of this information is sold on the dark web, including bank account login credentials, driver’s licenses, credit card numbers and SSNs.
Based on research reported by Experian, the price for bits of PII and other related personal information sold on the dark web varies per information type. Graphic 1 shows the 10 most common pieces of information sold on the dark web and the general range of the price for which they are sold.8
As referenced in the Experian report, a “fullz” or a “full” package for a U.S. consumer, contains a person’s PPI, in addition to their address, phone number, driver’s license number and mother’s maiden name. The data included is more desirable to criminals since it offers them more opportunities for financial enrichment.10
Common Synthetic Identity Fraud Red Flags
- Transaction spikes in new accounts: When an account that has been open less than a year has spikes in the number of transactions, such as automated clearing house (ACH) credit transactions, wire transfers or cleared checks—either during the first couple of months after opening or then again during the next several months—these are red flags for synthetic identity fraud. Requests for multiple lines of credit or loans being utilized to their maximums are also red flags for synthetic identity fraud.
- IP addresses: Multiple accounts being created using the same IP address are indications of potentially fraudulent activity, including synthetic identity fraud.
- PII: The same personal information being used to create multiple accounts, particularly the same SSN and dates of birth, are significant indications of synthetic identity fraud.
- No records found: No results found in identification confirmation databases for driver’s licenses, automobile ownership, insurance, property ownership, job designations or school history are typically red flags of a synthetic identity being used to open an account or apply for credit.
- SSN: Repeated use of a single SSN per applicant or per account is a red flag for synthetic identity fraud. Also, due to the SSA’s change to the randomization of SSNs in 2011, SSNs issued after 2011 are a potential red flag of synthetic identity fraud and should be verified.
- Credit: A lack of credit history, credit files with a rapid rise in the FICO score or a lack of credit card usage followed by sudden numerous requests for large credit line increases can also signify a high likelihood the account was opened using a synthetic identity.
- Authorized user: Many criminals add the synthetic identity to a real person’s account as an authorized user in an effort to build up their credit history quickly. Applicants listed as authorized users on multiple accounts, especially people who live in different cities or have different surnames, can be a sign of synthetic identity fraud.
Compliance Considerations: Detection and Mitigation Strategies
FIs can take steps to combat synthetic identity fraud, and data is the solution to combating the fraud. A good starting point is conducting initial KYC checks during the onboarding and account opening processes because it is often a compliance requirement. Unfortunately, gaps in the KYC protocols of FIs are being abused by criminals. Additional identity layers in a risk-based approach impede fraudsters as the layers add more security hurdles, and in turn, they need to synthesize more robust profiles. The layers can include increased due diligence and the use of anti-money laundering/Bank Secrecy Act (AML/BSA) and fraud-monitoring software and services that are calibrated to the rising threat of synthetic identity fraud.11
The U.S. Federal Reserve states, “A multi-layered approach that employs both manual and technological data analysis gives organizations the best chance to identify and mitigate fraud caused by synthetics.”12
Systems that can appropriately consider the totality of data instead of relying on limited views can help FIs effectively mitigate synthetic identity fraud. Adapting to new data parameters and sources is key. Leveraging more independent and reliable data sources can help the systems be more fraud-proof.
Implementing link analysis processes, which analyze the connections between different identities and data, further strengthens the multi-layered approach. For example, indications of fraudulent patterns can look like different identities using the same address or SSN or having some other relationship. Analyzing data point connections between IP addresses, physical location, geolocation and biometrics will also be useful in detecting potential fraudulent relationships. The more data points and attributes in the link analysis, the greater potential to find commonalities.
Machine learning is also an effective method enhancement within a monitoring and detection program. Machine learning is a method of data analysis in which systems and computers identify patterns and generate decisions based on data and statistical models. Through machine learning, large amounts of data can be processed without relying on pre-defined fraud detection rules. Identity information can be compared to known “bad data” and is often more effective than static fraud detection approaches, which require more time to identify trends and implement changes. Robotic process automation and artificial intelligence (AI) can also be used to identify fraudulent transactions or activities commonly conducted in conjunction with accounts that were opened with synthetic identities.
Investing in sophisticated methods of identity verification, such as document verification (data consistency checks) and biometric verification (image analysis) powered by AI algorithms, is essential in mitigating the opening of new accounts using synthetic identities. While a synthetic identity that combines a real SSN with fake data can bypass electronic identification databases, it is less likely to get past a document check.
Synthetic identity fraud is a hugely impactful form of fraud. Significant focus and attention must be given to the development of mitigation and prevention strategies for both current and future synthetic identity fraud activity. In efforts to promote awareness, the Federal Reserve released the Synthetic Identity Fraud Mitigation Toolkit in February 2022.13 Developed by the Federal Reserve, the toolkit aims to help educate the financial industry about synthetic identity fraud, as well as outline potential detection and mitigation methods for this fraud type.
Synthetic identity fraud differs from traditional identity theft because criminals do not steal an identity. They create one. The best defense against synthetic identity fraud for FIs is a multi-layered approach that leverages a wide range of available information from accessible data sources, including financial history, property records, social media accounts, data analytics services, mobile phone number ownership, email address history, document and biometric verification and more. Also, measures should be taken by FIs to ensure that all necessary BSA requirements have been implemented within the FIs’ customer identification program to sufficiently mitigate risks of synthetic identity fraud threats.
Mavis Bennett, CAMS, AVP assistant BSA officer and transaction monitoring manager, Community Federal Savings Bank, NY, USA
- “FBI, This Week: Synthetic Identity Theft,” Federal Bureau of Investigation, January 2, 2020, https://www.fbi.gov/audio-repository/ftw-podcast-synthetic-ids-010220.mp3/view
- Ari Jacoby, “A New Frontier of Fraud: Synthetic Identity Fraud,” Payments Journal, May 6, 2022, https://www.paymentsjournal.com/a-new-frontier-of-fraud-synthetic-identity-fraud/; “Unmasking a Synthetic Identity Fraud Mitigation Toolkit,” The Federal Reserve, February 15, 2022, https://www.frbservices.org/news/fed360/issues/021522/industry-perspective-sif-toolkit
- “Synthetic Identity Fraud Defined,” The Federal Reserve, https://fedpaymentsimprovement.org/strategic-initiatives/payments-security/synthetic-identity-payments-fraud/synthetic-identity-fraud-defined/
- “9 Reasons Why Synthetic Identity Fraud is Increasing in Popularity,” Fraud.net, https://fraud.net/n/why-synthetic-identity-fraud-is-increasing-in-popularity/
- “Allure of a Synthetic To A Fraudster: Ease of Creation,” The Federal Reserve, https://fedpaymentsimprovement.org/wp-content/uploads/allure-of-a-synthetic-to-a-fraudster.pdf
- “Detecting Synthetic Identity Fraud in the U.S. Payment System,” The Federal Reserve, https://fedpaymentsimprovement.org/wp-content/uploads/frs-synthetic-identity-payments-fraud-white-paper-october-2019.pdf
- Brian Stack, “Here’s How Much Your Personal Information Is Selling for on the Dark Web,” Experian, December 6, 2017, https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/
- “Risk-based Fraud Monitoring BAM+ Fraud: Fraud Detection Software,” Abrigo, https://www.abrigo.com/software/bsa-aml-and-fraud/bam-fraud/
- “Mitigating Synthetic Identity Fraud in the U.S. Payment System,” U.S. Federal Reserve, July 2020, http://www.fedpaymentsimprovement.org/wp-content/uploads/frs-synthetic-identity-payments-fraud-white-paper-july-2020.pdf; “Synthetic identity fraud—Spotting the fakes,” Trulioo, February 23, 2021, https://www.trulioo.com/blog/synthetic-identity-fraud
- “Synthetic Identity Fraud,” The Federal Reserve, https://fedpaymentsimprovement.org/synthetic-identity-fraud-mitigation-toolkit/