You probably have a place where everyone knows your name — and maybe your address and your birthday and your favorite drink. That place could be your favorite restaurant, your office or your grandma’s house. It doesn’t matter where that place is; when everyone in the room greets you by name, it gives you a warm feeling inside, knowing this is where you belong. But threat actors are using this same kind of information and feeling of comfort to commit synthetic identity theft.

There’s another place that could also know your name and many other details — the dark web. Cyber criminals harvest personally identifiable information (PII) from wherever they can find it and sell it on the dark web. From there, they can use that information for fraud. Many believe these thieves need a lot of information about you to do any harm. Really, all they need is a single piece of information, such as your name, birthdate or phone number. Like Dr. Frankenstein, identity thieves take one or two pieces from many people to create one new fake person. This is synthetic identity theft, and it is an increasingly popular type of financial fraud.

The Rise of Synthetic Identity Theft

“[S]ynthetic ID fraud is the fastest-growing type of financial crime in the United States, accounting for 10 to 15% of charge-offs in a typical unsecured lending portfolio,” according to McKinsey.

Fraudsters use this fake persona in two ways. The first is a one-off use: they apply for a credit card with a stolen Social Security number, then use the card for a single large purchase or a cash withdrawal, or they create a persona to get your tax refund.

The second way is more time-consuming but has a higher reward. The fraudster builds a full synthetic identity and uses it to build up a high credit limit. When the limit reaches a peak, they go all-in on spending and do not repay. This can result in millions of dollars for the thieves, who can build thousands of accounts this way. It is difficult for victims to discover that their PII has been used in this way because it is only one piece of information, not the whole person.

Synthetic identity theft hurts businesses as much as it does consumers. Companies lose money when synthetic identities are used for fraudulent purchases. During the pandemic, some small- and medium-sized businesses were shut out of Paycheck Protection Program funding and other emergency loans due to synthetic identity fraud, which took limited funds away from where they were really needed. And any PII lost in a data breach and used this way can both impact a business’ bottom line and hurt its reputation.

How They Gather the Information

As mentioned earlier, stolen PII is bought and sold on the dark web, but attackers have to gather it first. Identity thieves use every venue possible to get the data they need. They’ll steal mail from mailboxes and dig through trash and recycling bins. They scour social media sites and business ‘meet our team’ webpages to kick off business identity theft.

The risk of identity theft is why the Federal Trade Commission (FTC) has warned consumers about posting their vaccination cards online. “For example, just by knowing your date and place of birth, scammers sometimes can guess most of the digits of your Social Security number,” the FTC stated.

Or, thieves can create fake vaccine passports that can be sold to people who haven’t gotten the vaccine.

They also take advantage of user laziness. Autofill boxes on websites are nice for anyone who has had to fill out the same fields over and over, but can also play right into attackers’ hands. Or you may stay logged into smartphone apps with PII or sensitive work information embedded. Attackers dig into these digital ID cards and use them to create new personas.

Basics of Identity Theft Prevention

Let’s be realistic. Both personal and business information is already widely available and likely already at least partially compromised. However, that’s no excuse for making it easier for threat actors and fraudsters to collect even more PII or put customer data at risk. Corporate websites should make it more difficult to locate employees, especially high-level staff who are most at risk for targeted attacks. Businesses should also limit the amount of data customers can store on their e-commerce-facing sites. Users can boost their identity theft security with the following:

  • Disable autofill features on your browser.
  • Always click ‘never’ when asked if you want your browser to remember your password.
  • Completely log out of apps and websites after each use.
  • Never use public Wi-Fi when filling out forms that require PII.
  • Think twice about what you share on social media.

Social Security number theft and other forms of identity theft are popular because PII is easy to collect and the theft is difficult to discover until it is too late. Synthetic identity theft is even more popular because fraudsters can create thousands of personas with a mixture of real and fake information. It’s a difficult crime to prevent. Both consumers and businesses need to take action to stop making it so easy for the fraudsters to do their dirty work.
