October 28, 2014 By Steven D'Alfonso 6 min read

Synthetic identity theft is fraud that involves the use of a fictitious identity. Identity thieves create new identities using a combination of real and fabricated information, or sometimes entirely fictitious information. Fraudsters use this fictitious identity to obtain credit, open deposit accounts and obtain driver’s licenses and passports.

Typically, fraudsters will use a real Social Security number (SSN) and pair it with a name not associated with that number. Fraudsters seek SSNs that are not actively being used, such as those of children and the deceased. In some cases, an identity fraudster may create a completely fake identity with a phony SSN, name and address. This would be categorized as synthetic identity fraud since there is no theft involved. For the purposes of this article, synthetic identity theft or fraud will be treated as the same.

Why Is Synthetic Identity Theft Important?

This type of theft has been emerging as a major fraud activity over the past five to seven years. The size of the synthetic identity theft business is estimated to be in the billions per year across North America. According to CBC, monthly case volumes are in the thousands as compared to five years ago, when they saw about 100 per month.

The exponential growth of synthetic identity theft — and particularly its impact on children’s identities — will have distressing consequences for young individuals in the future. A study performed by Carnegie Mellon’s CyLab found that children’s SSNs are 51 times more likely to be used in a synthetic fraud scheme than those of adults for the population studied. While CyLab clearly stated its findings could not be extrapolated to the general population, the threat to children is evident.

Synthetic identity thieves target children’s SSNs because they are inactive and will generally remain unchecked for up to 18 years. Children generally have no public information associated with their SSN, making them a prime target. Unless a victimized minor’s parents are tipped off by a bill collector, the child begins receiving credit card offers in the mail or the child is denied a driver’s license or college loan, the fraud may not be discovered.

The true impact of child identity theft, which has been increasing over the past 10 years, will be realized as the victimized youngsters approach college age, start applying for college aid or have difficulty getting their first jobs after high school when negative information appears in a company background screening.

How a Credit File Is Created

It’s important to understand how a credit file is created prior to delving into the ways in which cybercriminals manipulate the system to their advantage.

Credit history is compiled and maintained by credit reporting agencies (CRAs) or credit bureaus. There are three major CRAs in the United States: Equifax, TransUnion and Experian. These agencies collect consumer credit history from credit card companies, banks, mortgage companies and other creditors to create an in-depth credit report.

Whenever a consumer completes an application for a credit card or loan of some type, all the application information is sent to the CRAs. CRAs gather the applicant’s personally identifiable information and determine whether a credit report exists. They also scour public records for financial information such as court records from bankruptcies and foreclosures. If no matches are found, the CRAs must keep a record of the inquiry by establishing a credit file. If a match is found, the credit file information is returned to the lender for it to make a credit decision.

The key concept to understand is that any credit request submitted to a CRA will create a credit file if none existed prior to the request.

Every month, lending institutions and other creditors send updated consumer credit information to the CRAs. This information includes how much individual consumers owe and whether they make their payments on time.

There are two kinds of inquiries: hard and soft. Hard inquiries are requests made by institutional creditors such as credit card companies, mortgage lenders, retail companies and landlords for rental applications. Soft inquiries are made by the consumer or by an employer as part of an employment background screening. Negative events such as bankruptcies, foreclosures and charge-offs stay on credit reports for seven to 10 years, while positive events such as on-time mortgage payments, can stay on even longer.

There are three main ways in which identity fraudsters exploit the credit process to establish synthetic identities and execute frauds: apply for credit directly with a lender, use the authorized user provision of most credit card accounts or through a data-furnisher scheme.

Applying for Credit

Fraudsters will create a synthetic ID and build a credit profile by directly applying for credit with a lender such as a credit card issuer. The initial application will be declined, but a new credit file will be established as a result.

With the newly established credit file, the fraudster will then apply for credit with a credit card issuer. When the card company runs a credit inquiry, the CRA will return information to the card company that a profile does exist. The profile will not have any credit history associated with it, though the fraudsters typically target card issuers that offer credit lines of $300 to $500 to applicants with no history.

Armed with a new credit account, the fraudster will legitimately use the credit account and make payments to establish good history. The fraudster will leverage the positive credit history to obtain more credit cards, retail store credit accounts and car loans.

The process is straightforward and easy to execute, but it is less favorable because of the time it takes to build a solid credit profile.

Authorized Users

The authorized user process is how most synthetic IDs are created. Adding authorized users to an account is legal and allowable by credit card issuers. It is typically used for legitimate purposes, such as adding a spouse or a child.

Fraudsters exploit the authorized user process and actively recruit cardholders with good credit to add unknown people/identities to their card, often for just several days. Using this technique, often referred to as “piggybacking,” the legitimate cardholder receives a fee for adding the authorized user identity to his or her account. A credit card is not issued to the authorized user; it simply sits on the credit account for a period and “inherits” the card owner’s credit history.

Once the trade lines have reported to the CRAs, the synthetic identity can be removed from the account as an authorized user, but the credit history is retained. The fraudster will then apply for credit with multiple card issuers. With multiple credit lines successfully obtained, the fraudster will max out all the credit lines by buying gift cards and valuable merchandise such as smartphones and other electronics that can be easily sold.

In this example, the fraudster could also execute a bust-out scheme in which the credit lines are maxed out, paid down with worthless or counterfeit checks and maxed out again before the check payments are returned. This creates an exposure of as much as two times the original credit limit. Well-organized criminals may be able to repeat this process more than once.

Card owners who are recruited to add authorized users will have as many as 50 in their account at once. Card owners may believe they are donating their good credit history to help others establish or repair their credit. There are many credit repair/piggybacking brokers who bring together donors and those who need credit assistance. Accounts that continually produce identities tied to fraudulent activity are known as pollinator accounts.

For example, a synthetic ID had a credit file created in June 2014 and used an address tied to a retail shopping center. In August, a seasoned trade line with a credit limit of $55,000 was added to the synthetic ID. Within two months of adding the authorized user, the synthetic ID amassed $200,000 in unsecured credit, making out over $140,000.

  • Bank A: $10, 000
  • Bank B: $10,000
  • Bank C: $50,000
  • Bank D: $5,700
  • Bank E: $20,000
  • Retail 1: $16,000
  • Retail 2: $20,000

The investigation revealed that most of the purchases involved retail gift cards and some high-end merchandise. One CRA investigator indicated that Verizon Wireless and other similar merchants are being targeted for smartphones, particularly iPhones.

Data Furnishing

Data furnishing is a very effective tactic but requires more sophistication and organization and may involve complicit insiders within a small business. This method requires fraudsters to use a front company, which is vetted by CRAs and approved to furnish or supply payment history on credit accounts extended to its customers.

These front companies may be new companies created for the purpose of committing fraud or may be existing businesses in which the owner or an individual within the business (e.g., credit or finance manager) is compromised by an organized fraud ring.

In the data-furnishing scheme, synthetic IDs can be created or credit files of existing synthetic IDs can be enriched. The typical scheme works in the following way:

  • An “applicant” applies for — and is granted — credit for a fictitious purchase of the business’s product, such as a used car.
  • Each month, the business reports payments on the credit account associated with the synthetic identities to which it has provided phantom credit.
  • Over several months, the synthetic identity’s credit score will improve, allowing the fraudster to obtain more and more unsecured credit from victim card-issuers until the fraudsters are ready to max out/bust out the card accounts.

Data furnishers engaged in synthetic ID activity may be identified because the CRA identifies anomalies such as credit accounts in amounts that far exceed the data furnisher’s product values. Additionally, CRAs may link multiple synthetic IDs to a particular data furnisher.

Synthetic identify theft is a growing problem, and its full effects may not be realized for several years. We will likely hear stories of children’s identities that were victimized years ago being uncovered years later as they moved into adulthood. Criminals understand that synthetic identity theft is generally an easy and lucrative scheme to employ. There are many factors that contribute to the problem, but the authorized user process and availability of credit from some of the major card issuers play key roles in this.

I will be writing more about synthetic fraud in the coming weeks, exploring challenges facing the industry, legislative initiatives and what financial institutions and consumers can do to help minimize synthetic fraud.

More from Banking & Finance

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

Cost of a data breach 2023: Financial industry impacts

3 min read - According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today