Synthetic identity theft is fraud that involves the use of a fictitious identity. Identity thieves create new identities using a combination of real and fabricated information, or sometimes entirely fictitious information. Fraudsters use this fictitious identity to obtain credit, open deposit accounts and obtain driver’s licenses and passports.

Typically, fraudsters will use a real Social Security number (SSN) and pair it with a name not associated with that number. Fraudsters seek SSNs that are not actively being used, such as those of children and the deceased. In some cases, an identity fraudster may create a completely fake identity with a phony SSN, name and address. This would be categorized as synthetic identity fraud since there is no theft involved. For the purposes of this article, synthetic identity theft or fraud will be treated as the same.

Why Is Synthetic Identity Theft Important?

This type of theft has been emerging as a major fraud activity over the past five to seven years. The size of the synthetic identity theft business is estimated to be in the billions per year across North America. According to CBC, monthly case volumes are in the thousands as compared to five years ago, when they saw about 100 per month.

The exponential growth of synthetic identity theft — and particularly its impact on children’s identities — will have distressing consequences for young individuals in the future. A study performed by Carnegie Mellon’s CyLab found that children’s SSNs are 51 times more likely to be used in a synthetic fraud scheme than those of adults for the population studied. While CyLab clearly stated its findings could not be extrapolated to the general population, the threat to children is evident.

Synthetic identity thieves target children’s SSNs because they are inactive and will generally remain unchecked for up to 18 years. Children generally have no public information associated with their SSN, making them a prime target. Unless a victimized minor’s parents are tipped off by a bill collector, the child begins receiving credit card offers in the mail or the child is denied a driver’s license or college loan, the fraud may not be discovered.

The true impact of child identity theft, which has been increasing over the past 10 years, will be realized as the victimized youngsters approach college age, start applying for college aid or have difficulty getting their first jobs after high school when negative information appears in a company background screening.

How a Credit File Is Created

It’s important to understand how a credit file is created prior to delving into the ways in which cybercriminals manipulate the system to their advantage.

Credit history is compiled and maintained by credit reporting agencies (CRAs) or credit bureaus. There are three major CRAs in the United States: Equifax, TransUnion and Experian. These agencies collect consumer credit history from credit card companies, banks, mortgage companies and other creditors to create an in-depth credit report.

Whenever a consumer completes an application for a credit card or loan of some type, all the application information is sent to the CRAs. CRAs gather the applicant’s personally identifiable information and determine whether a credit report exists. They also scour public records for financial information such as court records from bankruptcies and foreclosures. If no matches are found, the CRAs must keep a record of the inquiry by establishing a credit file. If a match is found, the credit file information is returned to the lender for it to make a credit decision.

The key concept to understand is that any credit request submitted to a CRA will create a credit file if none existed prior to the request.

Every month, lending institutions and other creditors send updated consumer credit information to the CRAs. This information includes how much individual consumers owe and whether they make their payments on time.

There are two kinds of inquiries: hard and soft. Hard inquiries are requests made by institutional creditors such as credit card companies, mortgage lenders, retail companies and landlords for rental applications. Soft inquiries are made by the consumer or by an employer as part of an employment background screening. Negative events such as bankruptcies, foreclosures and charge-offs stay on credit reports for seven to 10 years, while positive events such as on-time mortgage payments, can stay on even longer.

There are three main ways in which identity fraudsters exploit the credit process to establish synthetic identities and execute frauds: apply for credit directly with a lender, use the authorized user provision of most credit card accounts or through a data-furnisher scheme.

Applying for Credit

Fraudsters will create a synthetic ID and build a credit profile by directly applying for credit with a lender such as a credit card issuer. The initial application will be declined, but a new credit file will be established as a result.

With the newly established credit file, the fraudster will then apply for credit with a credit card issuer. When the card company runs a credit inquiry, the CRA will return information to the card company that a profile does exist. The profile will not have any credit history associated with it, though the fraudsters typically target card issuers that offer credit lines of $300 to $500 to applicants with no history.

Armed with a new credit account, the fraudster will legitimately use the credit account and make payments to establish good history. The fraudster will leverage the positive credit history to obtain more credit cards, retail store credit accounts and car loans.

The process is straightforward and easy to execute, but it is less favorable because of the time it takes to build a solid credit profile.

Authorized Users

The authorized user process is how most synthetic IDs are created. Adding authorized users to an account is legal and allowable by credit card issuers. It is typically used for legitimate purposes, such as adding a spouse or a child.

Fraudsters exploit the authorized user process and actively recruit cardholders with good credit to add unknown people/identities to their card, often for just several days. Using this technique, often referred to as “piggybacking,” the legitimate cardholder receives a fee for adding the authorized user identity to his or her account. A credit card is not issued to the authorized user; it simply sits on the credit account for a period and “inherits” the card owner’s credit history.

Once the trade lines have reported to the CRAs, the synthetic identity can be removed from the account as an authorized user, but the credit history is retained. The fraudster will then apply for credit with multiple card issuers. With multiple credit lines successfully obtained, the fraudster will max out all the credit lines by buying gift cards and valuable merchandise such as smartphones and other electronics that can be easily sold.

In this example, the fraudster could also execute a bust-out scheme in which the credit lines are maxed out, paid down with worthless or counterfeit checks and maxed out again before the check payments are returned. This creates an exposure of as much as two times the original credit limit. Well-organized criminals may be able to repeat this process more than once.

Card owners who are recruited to add authorized users will have as many as 50 in their account at once. Card owners may believe they are donating their good credit history to help others establish or repair their credit. There are many credit repair/piggybacking brokers who bring together donors and those who need credit assistance. Accounts that continually produce identities tied to fraudulent activity are known as pollinator accounts.

For example, a synthetic ID had a credit file created in June 2014 and used an address tied to a retail shopping center. In August, a seasoned trade line with a credit limit of $55,000 was added to the synthetic ID. Within two months of adding the authorized user, the synthetic ID amassed $200,000 in unsecured credit, making out over $140,000.

  • Bank A: $10, 000
  • Bank B: $10,000
  • Bank C: $50,000
  • Bank D: $5,700
  • Bank E: $20,000
  • Retail 1: $16,000
  • Retail 2: $20,000

The investigation revealed that most of the purchases involved retail gift cards and some high-end merchandise. One CRA investigator indicated that Verizon Wireless and other similar merchants are being targeted for smartphones, particularly iPhones.

Data Furnishing

Data furnishing is a very effective tactic but requires more sophistication and organization and may involve complicit insiders within a small business. This method requires fraudsters to use a front company, which is vetted by CRAs and approved to furnish or supply payment history on credit accounts extended to its customers.

These front companies may be new companies created for the purpose of committing fraud or may be existing businesses in which the owner or an individual within the business (e.g., credit or finance manager) is compromised by an organized fraud ring.

In the data-furnishing scheme, synthetic IDs can be created or credit files of existing synthetic IDs can be enriched. The typical scheme works in the following way:

  • An “applicant” applies for — and is granted — credit for a fictitious purchase of the business’s product, such as a used car.
  • Each month, the business reports payments on the credit account associated with the synthetic identities to which it has provided phantom credit.
  • Over several months, the synthetic identity’s credit score will improve, allowing the fraudster to obtain more and more unsecured credit from victim card-issuers until the fraudsters are ready to max out/bust out the card accounts.

Data furnishers engaged in synthetic ID activity may be identified because the CRA identifies anomalies such as credit accounts in amounts that far exceed the data furnisher’s product values. Additionally, CRAs may link multiple synthetic IDs to a particular data furnisher.

Synthetic identify theft is a growing problem, and its full effects may not be realized for several years. We will likely hear stories of children’s identities that were victimized years ago being uncovered years later as they moved into adulthood. Criminals understand that synthetic identity theft is generally an easy and lucrative scheme to employ. There are many factors that contribute to the problem, but the authorized user process and availability of credit from some of the major card issuers play key roles in this.

I will be writing more about synthetic fraud in the coming weeks, exploring challenges facing the industry, legislative initiatives and what financial institutions and consumers can do to help minimize synthetic fraud.

More from Banking & Finance

How the ZeuS Trojan Info Stealer Changed Cybersecurity

4 min read - Information stealer malware is a type of malicious software designed to collect sensitive information from a victim’s computer. Also known as info stealers, data stealers or data-stealing malware, this software is true to its name: after infecting a computer or device, it’s highly adept at exfiltrating login credentials, financial information and personal data. Info stealers typically operate by monitoring keyboard input, capturing screenshots and intercepting network traffic. They may also search a hard drive for specific types of data. The…

4 min read

2022 Industry Threat Recap: Finance and Insurance

5 min read - The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

5 min read

How to Spot a Nefarious Cryptocurrency Platform

4 min read - Do you ever wonder if your cryptocurrency platform cashes in ransomware payments? Maybe not, but it might be worth investigating. Bitcoin-associated ransomware continues to plague companies, government agencies and individuals with no signs of letting up. And if your platform gets sanctioned, you may instantly lose access to all your funds. What exchanges or platforms do criminals use to cash out or launder ransomware payments? And what implications does this have for people who use exchanges legitimately? Blacklisted Exchanges and Mixers…

4 min read

Kronos Malware Reemerges with Increased Functionality

6 min read - The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

6 min read