Glenn Larson is the Vice President of Engineering at Acuant and is a member of Forbes Technology Council, an invitation-only community for world-class CIOs, CTOs and technology executives. Read his article for the Forbes Tech Council below, or you can read the original here.
Synthetic identity fraud is a relatively recent phenomenon that is on the rise. McKinsey claims synthetic ID fraud is the fastest-growing type of financial crime in the U.S. LexisNexis Risk Solutions (via Yahoo Finance) found that “61% of fraud losses for [large] banks stem from identity fraud [and] 20% of the identity fraud incurred by these larger banks is synthetic identity fraud.”
Synthetic fraud differs from traditional identity fraud in that instead of assuming the identity of a real person using their credit, it creates a new identity using a real social security number with a fictitious name, driver’s license and address. How is this possible?
Traditional identity fraud is usually detected and reported relatively quickly because there is a real victim who is being affected. To create a synthetic identity, a scammer simply needs an unused social security number, often from a child. With this fresh social security number, they can establish a new identity with the credit bureaus.
The fraudster starts by applying for a loan with the synthetic identity. Because there is no credit history on file for this person, the loan will be declined. However, the fact the request was made will create a new credit profile in the database, and now they “officially” exist. Then the perpetrator continues to apply for credit at various institutions until they finally get approved — often for a secured credit card or some other product from a lender willing to work with high-risk borrowers.
These scammers are playing the long game: They can take months, even years, to build up good credit with small purchases that they promptly pay off, continuing to legitimize the identity. They use false identification documents, social media and P.O. boxes to make the identity appear real. Over time, they increase their available credit with new cards and higher limits.
Once there is the opportunity for a high payout, the synthetic identity “busts out” by maxing out all credit and disappearing. The Federal Reserve reported that the largest synthetic ID ring detected to date caused $200 million (or more) in losses from 7,000 synthetic IDs and 25,000 credit cards. Synthetic fraud costs lenders more than $6 billion annually, and the average loss is estimated at $10,000 per account.
There are some cracks in the system that have allowed synthetic identities to proliferate. The United States relies on social security numbers as identifiers, yet data breaches have exposed those numbers to those that would do harm. A report from security firm Flashpoint (via PCMag) shows how inexpensive it can be to purchase a social security number on the dark web.
For better or worse, credit bureaus assume the first person to apply for a loan with a social security number is legitimate, and there is no way to validate a number with the Social Security Administration. Also, in 2011, the SSA switched to random numbers, eliminating the geographical distinctions that would help identify fraudulent numbers or users.
Finally, because the number is often assigned to a child, they are less likely to access credit information and uncover the fraud, so it goes unreported for years.
But often the real victim is the financial institution. Synthetic ID fraud accounts for 80% of all credit card fraud losses, and there is no person to trace or collect from. But banks and lenders can take steps to reduce synthetic ID fraud. Early and faster fraud detection is key.
Banks are getting better at looking for suspicious behavior and adding more verification and authentication steps, particularly for digital onboarding and transactions. Financial institutions should look beyond a credit score and bring in third-party data such as social media accounts, cell phone records, previous addresses, email addresses and phone numbers while looking for a high degree of consistency for those attributes and ensure they are tied to a proven identity.
In order to prove an identity, banks can also utilize document verification and biometric screening — tools that can’t be fooled by deep fakes and image spoofing.
These threats are not only continuing to proliferate, but they could be a veritable ticking time bomb. There is an unknown number of synthetic identities currently lurking in the financial system. Until the United States weans itself from the use of social security numbers as identity verifiers, financial institutions will need to take necessary measures to protect themselves from synthetic identity fraud using all the tools at their disposal.
To learn more about Acuant’s identity solutions, schedule a demo now: