This Emerging Cybercrime Hurts Everyone It Touches
Synthetic identity fraud is a crime. It is either a felony or misdemeanor depending on its scale and financial impact. In this emerging form of fraud, a cybercriminal combines stolen information, such as an actual Social Security number, with other data that may be a mix of real and invented information, such as name, date of birth, address, and social media handles. The result of this forged alliance is a fake or synthetic identity that can then be used to commit acts of financial fraud. Synthetic identities are effective because they appear to be real and legitimate.
According to Experian, a global leader in credit information, synthetic identity fraud is a rapidly accelerating threat, and its victims can experience serious credit and financial consequences. Individuals, businesses, and government entities can be victims. Once a fake or synthetic identity has been created around an individual’s Social Security number, criminals will use it to defraud banks, financial services providers, credit card companies, and other lenders. Businesses that sell goods and services become victims of synthetic identity fraud as fake credit is used to make purchases that leave the seller holding the bag. These particular criminals also steal from federal government programs such as Medicare, Medicaid, and similar benefit programs, and from local governments as well.
How a Synthetic Identity is Built
Every new hack or data breach we read about exposes personal information to cybercriminals. Once they have access to Social Security numbers, the rest of the fake profiles can be created.
The best synthetic identities are those that combine some real and some false information and use it to build a believable online profile of a fake person. These are commonly known as Frankenstein identities for being cobbled together from a host of disparate parts.
To add credibility to the synthetic identity, criminals may create fake social media accounts, obtain easy credit cards, and slowly build a credit history. They may incubate a synthetic identity for months or even years before finally using it to “borrow” a large amount of money or commit other financial crimes. Once they’ve enriched themselves, they generally abandon the used identity and move on to begin creating a new one.
The Serious Financial Impact of Synthetic Identity Fraud
In the past several years, synthetic identity fraud has outpaced credit card fraud and identity theft as the fastest-growing form of fraud in the world, according to Thomson Reuters. One reason is that organized cybercrime is active in synthetic identity fraud, thus exponentially increasing the impact. Another reason is that using a synthetic identity to steal money is easy and inexpensive, with a low risk of detection. In fact, it is estimated that 95% of synthetic identities go undetected when new customer accounts are created at financial institutions.
Similarly, among retail and e-tail businesses, losses due to synthetic identity fraud either go undetected or are written off as a cost of doing business.
The estimated cost of synthetic identity fraud ranges from $20 billion to $40 billion globally, according to various sources. The Deloitte Center for Financial Services estimates that synthetic identity fraud will cause $23 billion or more in losses in the U.S. by 2030.
Data compiled by Statista illustrates that synthetic identity fraud was the second greatest source of fraud in the U.S. in terms of merchant losses in 2022. Specifically, 28% of merchant losses due to the creation of new accounts and purchase of goods and services were the result of synthetic identity fraud, as were 29% of losses due to account logins. Only first-party fraud generated more financial losses, at 30% to 31% overall.
For cybercriminals, and for cybercriminal gangs, the greatest attraction of synthetic identity fraud is that so many organizations are vulnerable to it. Because it is still an emerging threat and difficult to detect, governments, financial institutions, insurers, retailers, and e-commerce sites have not yet effectively upgraded their customer authentication tools to detect synthetic identity thieves before they strike.
Unfortunately, synthetic identity scams have been so successful in so many ways that they have expanded beyond their original parameters. Today, this type of fraud enables other criminal activities that range from romance scams and money laundering to illegal arms sales, human trafficking, and terrorism. Clearly, this is more than a financial crime and is far from victimless.
The Real Human Effects of Synthetic Identity Fraud
Social Security numbers are the Holy Grail of personal data due to their unique and closely guarded nature. And they are the most common and preferred basis upon which to build a synthetic identity. When your Social Security number is compromised in a data breach, for example, and obtained by a cybercriminal, their fraudulent activities can lead to a “split or fragmented credit file,” as Equifax explains.
Fragmented credit files occur when information from another person (in this case, a synthetic identity created using your SSN) becomes attached to your very real and personal credit history. This parasite can negatively affect your credit score, your ability to obtain credit in the future, your financial profile, and your credibility in the eyes of bankers and other lenders. What’s more, this parasite can be extremely difficult to remove.
Cybercriminals prefer easy marks, and may target individuals who don't actively or frequently use credit, such as children or the elderly. A child whose SSN has been compromised and used to create a synthetic identity may not realize they’ve been victimized until they reach adulthood, by which time the fraudulent activity tied to their Social Security number can be an obstacle to employment or to obtaining credit. An elderly individual who collects government benefits may not learn that their Social Security number has been compromised until they miss a few benefit payments. Thus, the personal toll may be significant.
How Businesses Can Protect Data
A recent article in Forbes observes that this emerging cybercrime has created a two-fold responsibility for businesses to (1) safeguard their customer information and (2) protect their own organizations.
Synthetic identity fraud relies on cybercriminals obtaining personal information, which is often sourced from compromised websites. To better protect online data—which may range from personally identifiable information and protected health information to payment card data and other forms of sensitive information—cybersecurity experts recommend installing protections to block cyberattacks on websites. Safeguards include:
- Data encryption
- Network security safeguards
- Threat monitoring and detection tools
- Timely software updates and security patches
- Multifactor authentication tools for user logins
- Security audits to gauge the effectiveness of these measures
Conducting a website risk assessment and web application testing are sensible first steps to identify vulnerabilities and security gaps that can lead to exploitation by cybercriminals.
It’s also important to regularly train employees to be aware of cybercrime, how to recognize phishing and other social engineering schemes, and what to do if they become suspicious of a request for information.
How Individuals Can Protect Data
Taking action to reduce synthetic identity fraud is not solely the responsibility of businesses and government entities. Individuals can take effective actions, too. Experian notes that the key to avoiding synthetic identity fraud is to keep your personal information safe and routinely monitor for any signs that it has been compromised.
Following are four practical actions consumers can take immediately:
- Treat your Social Security number like gold and keep it private. When a business, healthcare provider, or any other organization requests your SSN, ask specifically why they need it, and what alternative form of identification would suffice, such as a driver’s license. If filling out a form that requests your SSN, don’t enter it until you have confirmed that it is, in fact, required in order to obtain the service or merchandise you are seeking. More often than not this won’t be the case.
- Be alert for phishing schemes. Many cybercrimes begin with phishing schemes designed to trick individuals into sharing information they shouldn’t. Phishing can occur via email or phone call. The request for information usually sounds legitimate or harmless. But ask pointed questions about why the information is needed and for what actual purpose. Ask who you can call to verify the request before providing the information. Being sharp and vigilant will scare away most schemers and send them angling for easier fish.
- Be careful what you share online. Too many people share too many personal details and place too much trust in social platforms. Sharing your complete date of birth, your maiden name, an old address, or other personal information on social media may seem innocent enough. However, these details can be used by cybercriminals to pose as you for fraudulent purposes. They can also be used together to create a synthetic identity without you even knowing it. Think twice before you overshare.
- Monitor your credit reports. Regularly checking your credit reports at all three credit bureaus (Experian, TransUnion, and Equifax) can be an effective and early way to detect suspicious activity and signs of identity theft. And locking your credit reports can make it more difficult for criminals to open up new credit using your name. Reports can be unlocked temporarily when you need to apply for credit.
Summary
The rapidly emerging crime known as synthetic identity fraud costs the U.S. billions of dollars each year and is projected to top $23 billion in the next six years. It affects businesses in banking, credit and finance, insurance, retail sales and e-commerce, as well as government programs that dispense financial benefits. It also victimizes individuals, from the theft of Social Security numbers to the wreckage of fragmented credit files.
To help reduce this growing cybercrime, actions can be taken immediately by businesses, individuals, and government organizations. Network and website safeguards, heightened cybersecurity awareness, user training, and multifactor authentication can be effective tactics in the war on synthetic identity fraud, along with the implementation of universally accepted cybersecurity frameworks from NIST, HITRUST, and other proven sources. The experienced cybersecurity experts at 24By7Security can help you get started.