You probably have a place where everyone knows your name — and maybe your address and your birthday and your favorite drink. That place could be your favorite restaurant, your office or your grandma’s house. It doesn’t matter where that place is; when everyone in the room greets you by name, it gives you a warm feeling inside, knowing this is where you belong. But threat actors are using this same kind of information and feeling of comfort to commit synthetic identity theft.

There’s another place that could also know your name and many other details — the dark web. Cyber criminals harvest personally identifiable information (PII) from wherever they can find it and sell it on the dark web. From there, they can use that information for fraud. Many believe these thieves need a lot of information about you to do any harm. Really, all they need is a single piece of information, such as your name, birthdate or phone number. Like Dr. Frankenstein, identity thieves take one or two pieces from many people to create one new fake person. This is synthetic identity theft, and it is an increasingly popular type of financial fraud.

The Rise of Synthetic Identity Theft

“[S]ynthetic ID fraud is the fastest-growing type of financial crime in the United States, accounting for 10 to 15% of charge-offs in a typical unsecured lending portfolio,” according to McKinsey.

Fraudsters use this fake persona in two ways. The first is a one-off use to get a credit card. They apply for the card with a stolen Social Security number, then use the card for a single large purchase or a cash withdrawal. Or they create a persona to get your tax refund.

The second way is more time consuming but has a higher reward. The fraudster builds a full synthetic identity and uses it to build up a high credit limit. When it reaches a peak, they go all-in on spending and not repaying. This can result in millions of dollars for the thieves, who can build thousands of accounts this way. It is difficult for the victims to discover if their PII has been used in this way because it is only one piece of information, not the whole person.

Synthetic identity theft hurts businesses as much as it does consumers. Companies lose money when synthetic identities are used for fraudulent purchases. During the pandemic, some small- and medium-sized businesses were shut out of Paycheck Protection Program funding and other emergency loans due to synthetic identity fraud, which took limited funds away from where they were really needed. And any PII lost in a data breach and used this way can both impact a business’ bottom line and hurt its reputation.

How They Gather the Information

As mentioned earlier, stolen PII is bought and sold on the dark web, but attackers have to gather it first. Identity thieves use every venue possible to get the data they need. They’ll steal mail from mailboxes and dig through trash and recycling bins. They scour social media sites and business ‘meet our team’ webpages to kick off business identity theft.

The risk of identity theft is why the Federal Trade Commission (FTC) has warned consumers about posting their vaccination cards online. “For example, just by knowing your date and place of birth, scammers sometimes can guess most of the digits of your Social Security number,” the FTC stated.

Or, thieves can create fake vaccine passports that can be sold to people who haven’t gotten the vaccine.

They also take advantage of user laziness. Autofill boxes on websites are nice for anyone who has had to fill out the same fields over and over, but can also play right into attackers’ hands. Or you may stay logged into smartphone apps with PII or sensitive work information embedded. Attackers dig into these digital ID cards and use them to create new personas.

Basics of Identity Theft Prevention

Let’s be realistic. Both personal and business information is already widely available and likely already at least partially compromised. However, that’s no excuse for making it easier for threat actors and fraudsters to collect even more PII or put customer data at risk. Corporate websites should make it more difficult to locate employees, especially high-level staff who are most at risk for targeted attacks. They should limit the amount of data customers can store on their e-commerce-facing sites. Users can boost their identity theft security with the following:

  • Disable autofill features on your browser.
  • Always click ‘never’ when asked if you want your browser to remember your password.
  • Completely log out of apps and websites after each use.
  • Never use public Wi-Fi when filling out forms that require PII.
  • Think twice about what you share on social media.

Social Security number theft and other forms of identity theft are popular because it is easy to collect PII and difficult to discover until it is too late. Synthetic identity theft is even more popular because fraudsters can create thousands of personas with a mixture of real and fake information. It’s a difficult crime to prevent. Both consumers and businesses need to take action to stop making it so easy for the fraudsters to do their dirty work.
