A new report from Socure examines the challenges of fabricated and manipulated synthetic identity ... [+]
Fraud is one of the oldest and most pervasive crimes. It predates technology and, fundamentally, is not a cybersecurity issue. However, the advent of the internet enables synthetic identity fraud at scale and has blurred the line between traditional crime and cybercrime. Synthetic identity fraud is projected to cost businesses nearly $2.5 in 2022, and research suggests that number could double to nearly $5 billion by 2024.
Socure, the leading provider of digital identity verification and fraud solutions, today issued a report on synthetic identity fraud that illustrates the growing threat this type of fraud posed to US industries, government agencies, and consumers.
What Is Synthetic Identity Fraud?
Identity fraud is fairly cut and dry. Someone literally impersonates another person and steals their identity. Synthetic identity fraud is more insidious.
With synthetic identity fraud, authentic information is combined with fake information to create an identity. The resulting new—or synthetic—identity has enough verifiable information to seem credible, allowing it to be used to open fake accounts, make fraudulent purchase, and defraud retailers, government agencies, and financial institutions.
Fabricated vs. Manipulated
A fabricated synthetic identity is completely fake. For example, bad actors can use a valid Social Security number and date of birth combination, but with an invented name—thereby creating an entirely new identity.
Manipulated synthetic identities are a newer concept. The Socure report explains, “These identities are typically based on real people but created by transposing or tumbling one or more identity elements within their name, SSN, and/or DOB. The most common reasons for creating a manipulated synthetic identity are to bypass a bad credit history or hide from a criminal background.”
Synthetic Profiles
Criminals—good ones at least—are relatively clever and know they need to understand legitimate identity profiles in order to craft believable fakes.
Socure examined years of synthetic fraud data to identity patterns. According to the press release, “They found that criminals employing synthetic identities do their best to meld them with the overall population. In the majority of cases, synthetic identities fell into the most common demographics and consumer traits. The four most used names for synthetic identities are consistent with the top four names in the Social Security Administration’s list of the most popular birth names over the past century—although not in rank order. After studying the fraud data’s most popular first names and surnames, Socure’s team found that the name most likely to be used for synthetic identities is Michael Smith. He is also most apt to be 31-years old, born in August, and reside in a single-family home located in Houston.”
Blurred Lines
Synthetic identity fraud blurs the line between crime and cybercrime. Fraud is not seen as a cyber or technical threat. For many organizations, it is simply part of the expected cost of doing business.
Technology enables threat actors and individuals to create fabricated and manipulated synthetic identifies at scale, and technology can be used to identify and thwart synthetic identity fraud, but businesses don’t generally view fraud that way.
The report states, “Because first-party fraud and manipulated identity fraud behave similarly, many organizations end up, often unwittingly, classifying synthetic identity fraud as first-party fraud—so it goes to collections and is written off without their ever knowing that it involved a fake identity—leaving the organization to be the victim of this financial crime.”
Targeting Minors
Bad actors like to stay under the radar and remain undetected for as long as possible. Many people are not as vigilant about monitoring their credit as they should be, but in general if you start creating fabricated synthetic identities that get conflated with the true identity and get reported through credit bureaus, there is a fair chance that the activity will be detected.
The good news—for the bad guys, at least—is that most children in the United States have Social Security numbers assigned, but nobody is paying attention to them. They don’t have credit or credit history, so there is no reason to actively monitor credit bureaus until they reach adulthood. In theory, there could be a decade-plus of fraudulent activity associated with a child’s SSN before they will ever find out.
Eradicate Synthetic Identity Fraud
“At Socure, we strongly believe we can eradicate synthetic fraud within the next three years, and stop the damage that bad actors are committing against consumers and our financial system,” shared Johnny Ayers, founder and CEO of Socure in a press release statement. “That goal inspired us to develop a product that is far more precise in identifying synthetic fraud than anything else in the market, while removing friction from the acquisition of legitimate consumers.”
I spoke with Ayers about the report and Socure’s approach to addressing the problem and potentially eradicating the issue entirely.
“We've spent the last 10 years building out every dimension that is required to verify Tony's identity. So, everything related to email, phone, address, date of birth, Social Security number, physical documents, device, behavioral biometrics—and then we built a huge velocity network graph underneath it to basically allow us to answer the question, ‘Is this Tony or is this someone pretending to be Tony?’ no matter how that identity is presented,” explained Ayers.
Socure outlines a 10-step plan to eradicate synthetic fraud in the report:
1. Educate the industry about the problem of synthetic fraud
2. Stop synthetic identities before they can enter the front door
3. Identify “manipulated” and “fabricated” identities and treat them appropriately
4. Bring identity characteristics forward into account management
5. Apply rigid definitions to fraud, label each account, and share those labels with a noteworthy consortium
6. Remove the known tools of the trade whenever possible
7. Provide eCBSV for all
8. Require CIP solutions that don’t integrate synthetic fraud detection technology to provide a disclaimer to users
9. Identify and delete existing synthetic fraud out of the “machine”
10. Systematically freeze credit reports for randomly issued SSNs at birth
Take a look at the report for yourself to learn more about the problem of synthetic identity fraud and what we can do about it: The State of Synthetic Fraud: Evolution, Trends, and How We Will Eradicate it By 2026.
