Synthetic identity fraud is a crime. It is either a felony or misdemeanor depending on its scale and financial impact. In this emerging form of fraud, a cybercriminal combines stolen information, such as an actual Social Security number, with other data that may be a mix of real and invented information, such as name, date of birth, address, and social media handles. The result of this forged alliance is a fake or synthetic identity that can then be used to commit acts of financial fraud. Synthetic identities are effective because they appear to be real and legitimate.
According to Experian, a global leader in credit information, synthetic identity fraud is a rapidly accelerating threat, and its victims can experience serious credit and financial consequences. Individuals, businesses, and government entities can be victims. Once a fake or synthetic identity has been created around an individual’s Social Security number, criminals will use it to defraud banks, financial services providers, credit card companies, and other lenders. Businesses that sell goods and services become victims of synthetic identity fraud as fake credit is used to make purchases that leave the seller holding the bag. These criminals also steal from federal government programs such as Medicare, Medicaid, and similar benefit programs, and from local governments as well.
Every new hack or data breach we read about exposes personal information to cybercriminals. Once they have access to Social Security numbers, the rest of the fake profiles can be created.
The best synthetic identities are those that combine some real and some false information and use it to build a believable online profile of a fake person. These are commonly known as Frankenstein identities for being cobbled together from a host of disparate parts.
To add credibility to the synthetic identity, criminals may create fake social media accounts, obtain easy credit cards, and slowly build a credit history. They may incubate a synthetic identity for months or even years before finally using it to “borrow” a large amount of money or commit other financial crimes. Once they’ve enriched themselves, they generally abandon the used identity and move on to begin creating a new one.
In the past several years, synthetic identity fraud has outpaced credit card fraud and identity theft as the fastest growing form of fraud in the world, according to Thomson Reuters. One reason is that organized cybercrime is active in synthetic identity fraud, thus exponentially increasing the impact. Another reason is that using a synthetic identity to steal money is easy and inexpensive, with a low risk of detection. In fact, it is estimated that 95% of synthetic identities go undetected when new customer accounts are created at financial institutions.
The estimated cost of synthetic identity fraud ranges from $20 billion to $40 billion globally, according to various sources. The Deloitte Center for Financial Services estimates that synthetic identity fraud will cause $23 billion or more in losses in the U.S. by 2030.
Data compiled by Statista illustrates that synthetic identity fraud was the second greatest source of fraud in the U.S. in terms of merchant losses in 2022. Specifically, 28% of merchant losses due to the creation of new accounts and purchase of goods and services were the result of synthetic identity fraud, as were 29% of losses due to account logins. Only first-party fraud generated more financial losses, at 30% to 31% overall.
For cybercriminals, and for cybercriminal gangs, the greatest attraction of synthetic identity fraud is that so many organizations are vulnerable to it. Because it is still an emerging threat and difficult to detect, governments, financial institutions, insurers, retailers, and e-commerce sites have not yet effectively upgraded their customer authentication tools to detect synthetic identity thieves before they strike.
Unfortunately, synthetic identity scams have been so successful in so many ways that they have expanded beyond their original parameters. Today, this type of fraud enables other criminal activities that range from romance scams and money laundering to illegal arms sales, human trafficking, and terrorism. Clearly, this is more than a financial crime and is far from victimless.
Social Security numbers are the Holy Grail of personal data due to their unique and closely guarded nature. And they are the most common and preferred basis upon which to build a synthetic identity. When your Social Security number is compromised in a data breach, for example, and obtained by a cybercriminal, their fraudulent activities can lead to a “split or fragmented credit file,” as Equifax explains.
Cybercriminals prefer easy marks, and may target individuals who don't actively or frequently use credit, such as children or the elderly. A child whose SSN has been compromised and used to create a synthetic identity may not realize they’ve been victimized until they reach adulthood, by which time the fraudulent activity tied to their Social Security number can be an obstacle to employment or to obtaining credit. An elderly individual who collects government benefits may not learn that their Social Security number has been compromised until they miss a few benefit payments. Thus, the personal toll may be significant.
A recent article in Forbes observes that this emerging cybercrime has created a two-fold responsibility for businesses to (1) safeguard their customer information and (2) protect their own organizations.
Synthetic identity fraud relies on cybercriminals obtaining personal information, which is often sourced from compromised websites. To better protect online data—which may range from personally identifiable information and protected health information to payment card data and other forms of sensitive information—cybersecurity experts recommend installing protections to block cyberattacks on websites. Safeguards include:
Conducting a website risk assessment and web application testing are sensible first steps to identify vulnerabilities and security gaps that can lead to exploitation by cybercriminals.
It’s also important to regularly train employees to be aware of cybercrime, how to recognize phishing and other social engineering schemes, and what to do if they become suspicious of a request for information.
Taking action to reduce synthetic identity fraud is not solely the responsibility of businesses and government entities. Individuals can take effective actions, too. Experian notes that the key to avoiding synthetic identity fraud is to keep your personal information safe and routinely monitor for any signs that it has been compromised.
Following are four practical actions consumers can take immediately:
The rapidly emerging crime known as synthetic identity fraud costs the U.S. billions of dollars each year and is projected to top $23 billion in the next six years. It affects businesses in banking, credit and finance, insurance, retail sales, and e-commerce, as well as government programs that dispense financial benefits. It also victimizes individuals, from the theft of Social Security numbers to the wreckage of fragmented credit files.
To help reduce this growing cybercrime, actions can be taken immediately by businesses, individuals, and government organizations. Network and website safeguards, heightened cybersecurity awareness, user training, and multifactor authentication can be effective tactics in the war on synthetic identity fraud, along with the implementation of universally accepted cybersecurity frameworks from NIST, HITRUST, and other proven sources. The experienced cybersecurity experts at 24By7Security can help you get started.