Synthetic identity fraud: an introduction

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

In the past, synthetic ID fraud was the tactic of consumers with poor credit ratings. Back then, it was also known as a “credit bust out” and the process consisted in opening credit card accounts or applying for loans, then default and move on. Now, fraudsters have discovered the same tactics, and are using them at scale to cause major headaches in almost every industry.

Synthetic identity fraud occurs when fraudsters use a blend of real and fake information to create a new “individual.” In some cases, the information used is entirely false. The bad guys then will open up new credit cards or auto loans under the fake individual’s name, with the goal of creating credit records and boosting the credit profile. In other cases, fraudsters will also make major purchases and even obtain driver’s licenses and passports.

Why has it become the new go-to tactic for fraudsters?

“There is no “victim” in Synthetic ID Fraud. There is no real person to make a complaint. It takes a bit more time for a fraudster to create the ID but it has a much bigger payoff” - Brett “Gollumfun” Johnson, former Cyber Criminal.

The shift to EMV has pushed fraudsters to card-not-present fraud and new application fraud, which is directly correlated to synthetic ID fraud. Fraudsters only need minimal “true” information to commit synthetic ID theft. The appeal is that fraudsters don’t need to have someone’s entire personal information; they can simply synthesize it. 

Synthetic identity fraud relies on the use of an identity that has been created in one of three ways:

• Pair a legitimate social security number (SSN) with a fake name
• Use an “inactive” social security number with a real name (typically a child or a deceased person)
• Completely fabricate both SSN and name

Creating a synthetic ID is not a very hard process, either. Due to large-scale data compromises, fraudsters have easy access to customer identities.

According to online fraud pioneer Brett Johnson, “A complete identity profile of a specific victim is sold on cybercrime forums and DarkNet marketplaces every day for as low as USD 10.”

What’s worse, there are ways to speed up this process. Fraudsters will now “piggyback” onto a legitimate cardholder’s account as an authorized user. How is this accomplished? The tactics are very similar to those used on social media to convince people to deposit bad checks or receive a fraudulent wire transfer.

Today: a clear and present threat

This shift requires a more sophisticated approach to predicting and assessing risk, and so does prevention. The growth of synthetic ID fraud shows few signs of slowing down. Easy access to data that fraudsters use to create synthetic IDs will continue to make fraud an attractive option. Javelin Strategy & Research estimated that new-account fraud will soar 44% between 2014 and 2018, rising from USD 5 billion in annual losses to a projected USD 8 billion. 

Here’s how to fight back

There’s one key piece that fraudsters need to successfully commit synthetic ID fraud: an email address. That’s where Emailage comes in. To identify potential synthetic IDs, we use crowdsourced network intelligence to look for behaviour changes around the use of the email address in transactions.

Our predictive online fraud risk scoring uses email address metadata as the core for transactional risk assessment and identity validation. Our online identity profiles fuse this data with other elements, such as phone number, address and customer name.

We help combat synthetic ID fraud by delivering insights that detect linkages and suspicious patterns, which help determine that the applicant is a real person. We also have a very strong network, with members that report suspected events associated with an email. Our network includes: 4 of the top 6 global credit card issuers, the top 5 global money transfer providers and 3 of the top 5 marketplace lenders.

About Amador Testa

Amador is a fraud prevention expert with extensive experience in leading product management and strategy to combat fraud. He is an industry leader in online fraud, identity theft mitigation and cybercrime investigations.

About Emailage

Emailage, founded in 2012 and with offices in Phoenix, London and Sao Paulo, is a leader in helping companies significantly reduce online fraud. Through key partnerships, proprietary data, and machine-learning technology, Emailage builds a multi-dimensional profile associated with a customer’s email address and renders a predictive risk score.