In brief:
- Synthetic identity fraud is when criminals alter stolen business or personal ID information, mix it with made-up elements, or sometimes even use completely fabricated credentials to create a fake but believable new identity they then use to commit fraud.
- Synthetic identity theft is difficult to detect because it uses conventions from legitimate identities (and sometimes real ID information), can’t be traced back to one unique real business or person as a victim, and is sometimes used for long-term fraud where criminals don’t do anything financially suspicious until they’re able to steal large enough amounts of money.
- Preventing synthetic identity fraud requires supplementing traditional “Know Your Business” (KYB) and “Know Your Customer” (KYC) processes with alternative data on entities (like location, relationships, and activity), along with new analysis technologies like artificial intelligence and machine learning, to detect fraud-signaling traits and behavior patterns in entities that may not be readily apparent.
Synthetic identity fraud – also known as synthetic identity theft – is a snowballing financial problem for businesses that’s proving difficult to stop. According to a 2022 survey by Regula Forensics, 46% of all businesses globally had to deal with synthetic identity fraud that year. 91% of U.S. businesses told the survey they viewed synthetic identity fraud as a significant threat – the highest rate among countries in the survey. And according to a 2019 McKinsey & Company report cited by the Federal Reserve, synthetic identity fraud is the fastest-growing financial crime in the U.S.
Financial institutions are especially worried. According to Regula’s 2022 survey, 92% of banks globally believe synthetic identity fraud is a real danger. And their fears are well-justified by other synthetic identity fraud statistics: Regula’s 2022 report also noted 26% of banks and 17% of fintech companies worldwide encountered over 100 synthetic identity fraud incidents that year. The surveyed fintechs affected by synthetic identity fraud lost an average of $120,000 to the crime during the year. Affected banks lost an average of $310,000 to synthetic identity fraud during the year, with 31% saying their losses because of the crime totaled over $479,000.
So what is synthetic identity fraud, and how are criminals using it to cheat financial institutions and other businesses? Why is it so difficult to detect, and what can businesses do to have a better chance of catching and preventing it? We tackle those complicated questions in this article.
- What is synthetic identity theft?
- 7 synthetic identity theft example scams to look out for
- How to detect and prevent synthetic identity theft
First, we’ll talk about what synthetic identity theft is, how it’s accomplished, and how it’s different from regular identity theft.
What is synthetic identity theft?
Synthetic identity theft – or synthetic identity fraud – is when criminals combine identification information (often stolen) from real people or businesses with made-up pieces of ID information. The result is a believable, but ultimately fake, identity the criminals then use to commit fraud.
So what is a synthetic identity composed of? According to the U.S. Federal Reserve, personally-identifiable information (PII) that may be used to create a synthetic identity falls into two main categories:
- Primary – Pieces of PII that, when combined, usually point to a specific person or business. Examples include names, dates of birth, and government-issued identifiers such as EINs or other kinds of TINs.
- Secondary – Pieces of PII that reinforce an identity’s credibility, but can’t create an identity on their own. These include mailing or billing addresses, phone numbers, email addresses, and digital footprints (such as IP addresses or device IDs).
As such, synthetic identities tend to contain one or two pieces of primary PII – usually from different people or businesses – and then the rest is a mix of fake primary PII and real or fake secondary PII to make the identity look credible.
How synthetic identify fraud works
Synthetic identity theft involves one of three processes:
- Identity compilation – A criminal obtains one or more pieces of legitimate PII (i.e. by finding them, stealing them, or buying them off the dark web) and uses them as the basis for a synthetic identity, then uses fake but plausible values for the remaining PII.
- Identity manipulation – Closer to traditional identity theft, this is where a criminal takes legitimate PII and slightly alters certain pieces of it to try to pass themselves off as a different person or business.
- Identity fabrication – A criminal follows the conventions and formats of different pieces of PII to create an identity that’s completely fake, but still believable.
Did you know?
When using identity compilation or identity manipulation, criminals tend to use legitimate PII from people and businesses that tend not to check their credit reports or conduct financial transactions very often. These include inactive companies, children, the elderly, and the unhoused. This can make synthetic identity theft even harder to track because it may take some identity theft victims a long time to realize their information has been stolen and used for fraud.
Synthetic identity theft vs. identity theft: what’s the difference?
The difference between synthetic identity theft vs. identity theft is that with traditional identity theft, all of the PII used to commit the fraud belongs to the same unique person or business. This makes it easier to detect and track because institutions can notice things like transaction patterns or information change requests that are unusual for that particular entity. They can then alert the appropriate entity, who can then ask to freeze their financial activities to prevent any further unauthorized transactions.
In contrast, synthetic identity theft uses PII that is a mix of legitimate and fake ID information, altered from a real person or business’s ID information, or completely made up but still plausible. Therefore, the resulting identity doesn’t correspond to any singular real entity.
This makes preventing synthetic identity fraud much more challenging than preventing traditional identity theft. A synthetic identity may contain PII from one or more real people or businesses, but because some of the PII is from different entities or just totally fabricated, the identity can’t be fully traced back to one unique entity that actually exists.
Synthetic identity detection can be especially difficult when you’re just starting a company. You have so many other things to focus on than continually checking your credit score or transaction history for signs you’ve onboarded a fake customer! That’s why Middesk put together a guide on how to balance growing your company with minimizing risk and meeting your anti-financial crime compliance obligations. You can find it at the link below.
{{gated-content-block="/insights/kyb-for-every-stage-of-a-business"}}
7 synthetic identity theft example scams to look out for
There are many different synthetic identity scams out there, given how easy it can be to create a synthetic identity – and how difficult it can be to spot one. Here are 7 major synthetic identity theft examples to show you what kind of tricks criminals can pull with what’s sometimes called “Frankenstein fraud”.
1. Bank account application flooding
Criminals can use various combinations of stolen and fake ID information to create a near-limitless number of synthetic identities. They can then use numerous different identities to apply for accounts at several different banks. While most applications will be rejected, it only takes one successful application for criminals to get a bank account they can use for other financial crimes.
2. Credit bust-out fraud
This is when a criminal uses a synthetic identity to apply for a loan, line of credit, or credit card, and then spends as much money as they can before abandoning their fake ID and leaving creditors to cover the losses. The fraud may be short-term, in that the criminal spends their balances as quickly as possible before disappearing.
Other times, the criminal may play the long game. They may stick with their synthetic identity for a while to make many minor transactions and pay off several small debts. This allows them to build up their credit rating and make their synthetic identity seem more legitimate. It’s only when they’re able to access significantly large amounts of credit – such as mortgage loans and insurance policies – they start recklessly borrowing and spending money, then dump their fake identity and never pay back what they owe.
3. Credit repair fraud
A business or individual with poor credit or bad debt may create a synthetic identity to trick creditors into believing they’re more creditworthy than they actually are. Sometimes, they may do this non-maliciously with every intent to repay the debts they owe. Other times, they have no intention of paying back the money they borrow and just rack up more debt, then move on to a new synthetic identity and repeat the scam.
Did you know?
A criminal may even impersonate one of the real people or businesses whose information was used to create the synthetic identity, and then claim they’re a victim of fraud. Their goal is to trick a creditor into forgiving their debts and repairing their credit. Then they just continue on recklessly borrowing and spending money.
4. Fake tax returns
Criminals could use stolen or fabricated Tax Identification Numbers (TINs) to create synthetic identities, then file false tax returns to get additional refunds they aren’t entitled to. They may even commit business identity theft and use your company’s Employment Identification Number (EIN) as part of a synthetic identity to file a tax return as if they were a business. This not only allows them to get commercial tax benefits they aren’t eligible for, but it can also get your company in trouble with the IRS because it’s your company’s EIN being used for the fraud.
5. Sanctions evasion
Individuals on sanctions lists or financial watchlists – or from countries on these lists – can use synthetic identities to apply for financial accounts and products they would otherwise be barred from. If successful, they can use these resources to continue illegal activities such as drug/weapons/human trafficking, money laundering, or even terrorism financing.
6. Financing fraud
Criminals can also use synthetic identities to purchase expensive goods or services that they’re allowed to pay for over a period of time – except they end up never paying any of the installments. When the merchant tries to collect what they’re owed, they find they’re chasing a business or person that doesn’t actually exist.
Did you know?
In a 2022 survey by PricewaterhouseCoopers on fraud and other economic crimes, 21% of online businesses surveyed claimed they’d encountered at least one instance of synthetic identity theft. Criminals would use synthetic identities to impersonate customers or other businesses, then make unauthorized purchases or other transactions.
7. Essential services fraud
A person or business can use a synthetic identity to look qualified for things usually associated with living a comfortable life – such as getting affordable housing, paying for utilities, applying for jobs, or receiving government benefits – when they otherwise might not be eligible for these services.
Sometimes, an entity will do this merely out of desperation, fully intending to pay back whatever money they owe once they find employment or some other source of income. Other times, bad actors will intentionally abuse these systems and take away necessities from people who really need them.
How to detect and prevent synthetic identity theft
Preventing synthetic identity fraud is a tough task for several reasons:
- Synthetic identities can include identity information from real people and businesses, and often follow the conventions of legitimate identities. So it’s difficult to tell from the credentials alone that they’re fake.
- Although synthetic identities may contain ID information from multiple different real people and businesses, they ultimately don’t correspond to any one entity that actually exists. This makes synthetic identity theft difficult to trace and fix because it isn’t clear whose identity is being stolen. Synthetic identities may even not use any real ID information at all – the entire identity is fabricated.
- Some synthetic identity thieves won’t exhibit any suspicious financial behavior until they have good enough credit to access significant amounts of money ($15,000 on average, according to a 2016 report by Auriemma Consulting Group). Only then do they start heavily drawing on their accounts before vanishing.
Therefore, synthetic identity fraud detection requires a layered approach that looks beyond an entity’s ID credentials to things like how they behave and who they’re connected with. Here are some best practices to follow.
1. Use a business identity verification solution like Middesk during onboarding
Starting with basic “Know Your Business” (KYB) checks is a good first step to telling if a business that wants to partner with you is using a synthetic identity. Look up the business’s registered information and make sure it’s consistent across multiple government and trusted third-party sources. Also, find out who the business’s ultimate beneficial owners (UBOs) are and see if they’re being covered negatively in the news, or are on financial sanctions lists or watchlists – or at least operate in a country that’s on one of these lists.
Middesk products like Verify, Signal, and TIN Match can automate these checks with just a few inputs – a business’s name, office address, TIN number, and (optionally) website URL. They connect directly to U.S. government databases like Secretary of State offices, the IRS, and county courthouse to verify that business and owner information is correct in the official registries. It can also screen for a business or owner’s presence on sanctions lists and other watchlists, or for adverse coverage of them in the news.
How it helps: Checks if a business is officially registered and is what it claims to be. Also checks that its UBOs are real people representing themselves truthfully, and don’t present any high-risk signals.
For more on how Middesk’s products and features can be used to combat synthetic identity fraud, read over the Middesk Synthetic Fraud eBook.
2. Dive deeper into the business’s location
Unfortunately, just looking at a business’s ID credentials isn’t enough to tell if it’s real or fake. It could be a shell company: a business that looks legitimate on paper, but has no offices and minimal (and often illegal) business operations. That’s why you need to check if a business has real corresponding locations that are unique to it, and how high-risk those locations are. This includes:
- Whether the business’s street address is a real location in the U.S. or another country
- If the business actually has an office located at the street address
- If multiple other businesses are registered at the business’s street address (which could be indicative of fraud)
- If the business’s address is actually the location of a registered agent that has frequently been linked to fraudulent activity
- The business’s mailing address, and whether it represents a high-risk mail service such as a private mailbox or P.O. box
- Whether the business’s online activity originates from shared devices, or unusual IP addresses that don’t match where the business is allegedly located
Businesses with risky, inconsistent, or non-existent locations can be flagged as potentially using a synthetic identity or otherwise fraudulent.
How it helps: Ensures a business has unique physical presences that can be visited or delivered to, and doesn’t just exist on paper.
3. Trace the business’s relationships
Criminals using a synthetic business identity rarely do something legitimate businesses do: form functional relationships with customers or other businesses. Check if a business has any links to suppliers, whether those suppliers are on any financial sanctions or watchlists, and how active those relationships are in terms of transaction volume or amounts.
Also look at the business’s website, social media pages, and other online presences for inconsistent information, and to assess the business’s interactions with customers. Low levels of activity can indicate a business that’s using a synthetic identity or otherwise has fraudulent intent.
How it helps: Flags businesses with few or risky suppliers or other partners, or minimal or inconsistent customer interactions, as high-risk and potentially fraudulent.
4. Pay attention to the business’s activities for sudden changes and other suspicious behavior
Some criminals who use synthetic identities try to fly under the radar by making their financial activity look as normal as possible – at least at first. It’s only when they are given access to large enough sums of money that they start making suspicious transactions. So how do you catch them before they get to that point?
Behavioral trends that indicate the use of synthetic identities and other fraud may not be immediately obvious, but they do exist. Using artificial intelligence and machine learning to monitor transactions and differentiate between usual and unusual activity – especially for a particular business or person – can help you pick out odd patterns that may indicate synthetic identity theft or other fraud. These include a business doing things like:
- Repeatedly depositing or moving small amounts of money, rather than a large sum at once, to avoid financial reporting requirements
- Suddenly or repeatedly changing multiple pieces of its ID or contact information
- Suddenly switching its financial activity from low-value, low-risk transactions to high-value, high risk transactions
- Suddenly initiating a large volume of transactions over a short period of time
- Suddenly and rapidly trying to withdraw funds from its accounts
- Exhibiting behaviors and traits similar to past entities found to be fraudulent
How it helps: Detects patterns of transactions and other activities that may not be obviously abnormal for a business, but could indicate it’s using a synthetic identity or is otherwise fraudulent.
See Middesk Product Ops expert Jules Mei explain what synthetic identity fraud is, how much it costs businesses, and what businesses can do to more effectively detect and prevent it in our guide to combating synthetic identity fraud in business onboarding. This is a summary of our webinar (find a recording of the full webinar here).
Synthetic identity fraud prevention is a challenging but necessary process for financial institutions, eCommerce companies, and other types of businesses. Fortunately, it can be made a bit easier by having a solid foundation of reliable business registration data, a continuous monitoring strategy, and alternative data sources that can reveal suspicious behavioral patterns. Alternative data adds color and context to the story that authoritative government sources might miss, and should be an essential part of your synthetic fraud ID program.
That’s where Middesk comes in. Our products can automate business verification and risk assessment – even after a business has been onboarded. With direct connections to Secretary of State offices and other U.S. government agencies, we ensure you have the most credible and up-to-date business identity information. We can also continually check a business and its associated people for presence on financial sanctions and watchlists, negative coverage in news, changes to their identity data, and more.
Financial services companies also use Middesk Web Analysis to assess a business’s online presence checking for fraud risk—in a matter of seconds compared to the 15–20 minutes it takes to do this manually
To add Middesk to your arsenal for fighting back against synthetic identity fraud, start by contacting us for a demo.
