You probably have a place where everyone knows your name — and maybe your address and your birthday and your favorite drink. That place could be your favorite restaurant, your office or your grandma’s house. It doesn’t matter where that place is; when everyone in the room greets you by name, it gives you a warm feeling inside, knowing this is where you belong. But threat actors are using this same kind of information and feeling of comfort to commit synthetic identity theft.

There’s another place that could also know your name and many other details — the dark web. Cyber criminals harvest personally identifiable information (PII) from wherever they can find it and sell it on the dark web. From there, they can use that information for fraud. Many believe these thieves need a lot of information about you to do any harm. Really, all they need is a single piece of information, such as your name, birthdate or phone number. Like Dr. Frankenstein, identity thieves take one or two pieces from many people to create one new fake person. This is synthetic identity theft, and it is an increasingly popular type of financial fraud.

The Rise of Synthetic Identity Theft

“[S]ynthetic ID fraud is the fastest-growing type of financial crime in the United States, accounting for 10 to 15% of charge-offs in a typical unsecured lending portfolio,” according to McKinsey.

Fraudsters use this fake persona in two ways. The first is a one-off use: they apply for a credit card with a stolen Social Security number, then use the card for a single large purchase or a cash withdrawal, or they create a persona to get your tax refund.

The second way is more time-consuming but has a higher reward. The fraudster builds a full synthetic identity and uses it to build up a high credit limit. When the limit reaches a peak, they go all-in on spending and not repaying. This can result in millions of dollars for the thieves, who can build thousands of accounts this way. It is difficult for victims to discover whether their PII has been used in this way because it is only one piece of information, not the whole person.

Synthetic identity theft hurts businesses as much as it does consumers. Companies lose money when synthetic identities are used for fraudulent purchases. During the pandemic, some small- and medium-sized businesses were shut out of Paycheck Protection Program funding and other emergency loans due to synthetic identity fraud, taking limited funds away from where they were really needed. And any PII lost in a data breach and used this way can both impact a business’ bottom line and hurt its reputation.

How They Gather the Information

As mentioned earlier, stolen PII is bought and sold on the dark web, but attackers have to gather it first. Identity thieves use every venue possible to get the data they need. They’ll steal mail from mailboxes and dig through trash and recycling bins. They scour social media sites and business ‘meet our team’ webpages to kick off business identity theft.

The risk of identity theft is why the Federal Trade Commission (FTC) has warned consumers about posting their vaccination cards online. “For example, just by knowing your date and place of birth, scammers sometimes can guess most of the digits of your Social Security number,” the FTC stated.

Or, thieves can create fake vaccine passports that can be sold to people who haven’t gotten the vaccine.

They also take advantage of user laziness. Autofill boxes on websites are nice for anyone who has had to fill out the same fields over and over, but can also play right into attackers’ hands. Or you may stay logged into smartphone apps with PII or sensitive work information embedded. Attackers dig into these digital ID cards and use them to create new personas.

Basics of Identity Theft Prevention

Let’s be realistic. Both personal and business information is already widely available and likely already at least partially compromised. However, that’s no excuse for making it easier for threat actors and fraudsters to collect even more PII or put customer data at risk. Corporate websites should make it more difficult to locate employees, especially high-level staff who are most at risk for targeted attacks. They should limit the amount of data customers can store on their e-commerce-facing sites. Users can boost their identity theft security with the following:

  • Disable autofill features on your browser.
  • Always click ‘never’ when asked if you want your browser to remember your password.
  • Completely log out of apps and websites after each use.
  • Never use public Wi-Fi when filling out forms that require PII.
  • Think twice about what you share on social media.

Social Security number theft and other forms of identity theft are popular because it is easy to collect PII and difficult to discover until it is too late. Synthetic identity theft is even more popular because fraudsters can create thousands of personas with a mixture of real and fake information. It’s a difficult crime to prevent. Both consumers and businesses need to take action to stop making it so easy for the fraudsters to do their dirty work.
