Synthetic identities: why fraudsters need imaginary friends

Can you tell the difference between a real face and one that was generated by A.I.?

None of these are real people. Source: This person does not exist
Facebook, Twitter, and other social platforms have recently sounded the alarm on sophisticated fake user profiles—some of which even feature artificially-generated human faces.
To most observers, these profiles look real. But in truth, they’re part of coordinated disinformation campaigns, and the people they claim to be are made up out of thin air. It’s surprisingly easy to create convincing fakes with the right tools, and once a fake profile starts to amass likes, follows, and retweets, it can be used to commit fraud or spread disinformation on a massive scale.
The same thing is happening in financial services. They’re called “synthetic identities”: fabricated identities that fraudsters are getting better at making look real. These phony identities are used to defraud financial institutions (FIs) of billions of dollars, and the Federal Reserve has called them “the fastest-growing type of financial crime in the U.S.”
We’re here to ask: where do synthetic identities come from? What makes them so dangerous? And what can be done to stop them?
A synthetic is born
No two synthetic identities share the same origin story.
Oftentimes, however, they begin with a stolen Social Security number (SSN). Fraudsters like to steal valid SSNs belonging to deceased people, children, or incarcerated or homeless people who don’t have an established credit history. The next step is to assign each stolen SSN a new set of Personally Identifiable Information (PII), including name, date of birth, and address. The PII may itself be a combination of real and fake information. The result is a made-up identity which could, in theory, look real.
It doesn’t stop there. To make synthetic identities appear genuine, fraudsters will often set up a digital “footprint” for each one, including:
Creating new email addresses
Applying for new phone numbers
Enrolling in rewards programs
Setting up social media profiles
Adding the identity to other public databases
With a real SSN, matching phony PII, and a digital footprint in place, the synthetic identity is ready. But how are these identities used to commit fraud? And where do fraudsters look when they’re trying to find vulnerabilities?
Fool me twice
A fraudster can’t exactly walk into a bank branch and apply for a loan using a synthetic identity. But online, they can. This raises the question: who would offer credit online to a fake person with no financial history?
The answer is that fraudsters have ways to make their synthetic identities look like they do have a financial history—and more than a few FIs have been fooled.
Frequently, the fraudster’s first step with a synthetic identity is to apply for a credit product. This results in a rejection because the credit bureau will indicate to the FI that the applicant has no credit history. However, this very process also triggers the credit bureau to generate a new file belonging to the synthetic identity. So the next time the fraudster applies for a product using this identity, the credit bureau will show a history—one that may be almost indistinguishable from that of a legitimate thin-file applicant.
The fraudster can then use this thin (but seemingly legitimate) credit file to either:
Apply for every credit product under the sun until they’re approved for one, then max out the line of credit and disappear
Or:
Apply for various financial products and establish a pattern of “good behavior” sufficient to qualify for a major credit product, then max out the line of credit and disappear.
There are variations in these basic schemes. A fraudster might somehow get the synthetic identity added as an authorized user on a legitimate account, for example, or establish a credit history using utility bills. But in nearly all cases, the synthetic identity is used to obtain credit and later “bust out”, leaving the lending institution with delinquent accounts and no easy way to collect.
Stopping synthetic fraud
There are certain giveaways in the case of A.I.-generated faces: mismatched earrings, blurry backgrounds, or oddly symmetrical eye placement.

Mismatched earrings can give away an A.I.-generated face.
But given that a synthetic identity isn’t something you can look at, how can you tell one apart?
Evaluating new applicants using a synthetic-specific fraud module should catch a majority of synthetic identities. These ML-based modules can tell when an SSN was generated, how many credit inquiries are associated with it, and whether the PII elements provided are actually a match.
There are also certain traits that fraud teams can use to manually identify a set of identities as synthetic—but only if the identities are assessed all together, and not in isolation.
For example: if you see multiple applicants with shared PII attributes, what are the chances they are legitimate? It could be that two individuals sharing the same last name and address applied for the same product at the same time. But this could also suggest that a fraud ring has generated multiple synthetic identities and used them to apply for multiple lines of credit with your FI.
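One way a fraud team could run the shared-attribute check described above across a whole batch of applications (an added example, not from the original article). The field names, the sample records and the min_size threshold are assumptions; the threshold of three keeps a two-person household from being flagged by itself.

```python
from collections import defaultdict

# Constructed sample applications; every value is fictitious.
ROWS = [  # (id, phone, address, email)
    ("A1", "555-0100", "12 Elm St", "a1@example.com"),
    ("A2", "555-0100", "98 Oak Ave", "a2@example.com"),
    ("A3", "555-0133", "98  oak ave", "shared@example.com"),
    ("A4", "555-0144", "7 Pine Rd", "Shared@example.com"),
    ("A5", "555-0155", "40 Birch Ln", "a5@example.com"),  # household pair
    ("A6", "555-0166", "40 Birch Ln", "a6@example.com"),
    ("A7", "555-0177", "3 Ash Ct", "a7@example.com"),
]
FIELDS = ("phone", "address", "email")  # hypothetical linking attributes
APPLICATIONS = [dict(zip(("id",) + FIELDS, r)) for r in ROWS]

def normalize(value):
    """Lower-case and collapse whitespace so trivial variants still match."""
    return " ".join(str(value).lower().split())

def find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_applications(apps, fields=FIELDS, min_size=3):
    """Return clusters of >= min_size applications linked by shared attributes."""
    parent = {a["id"]: a["id"] for a in apps}
    first_seen = {}  # (field, value) -> id of first application using it
    for app in apps:
        for f in fields:
            key = (f, normalize(app[f]))
            if key in first_seen:  # attribute reuse: merge the two groups
                parent[find(parent, app["id"])] = find(parent, first_seen[key])
            else:
                first_seen[key] = app["id"]
    groups = defaultdict(list)
    for app in apps:
        groups[find(parent, app["id"])].append(app)
    flagged = []
    for members in groups.values():
        if len(members) >= min_size:
            counts = defaultdict(int)
            for app in members:
                for f in fields:
                    counts[(f, normalize(app[f]))] += 1
            shared = sorted(k for k, n in counts.items() if n > 1)
            flagged.append({"ids": sorted(a["id"] for a in members), "shared": shared})
    return sorted(flagged, key=lambda c: c["ids"])
```

On the sample data, A1 through A4 form one cluster even though no single attribute is common to all four, which is the pattern that reviewing each application in isolation misses.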
Creating synthetic identities is hard work, even for professional fraudsters. Fraud rings go to such extraordinary lengths to make synthetic identities look real because the eventual payday can be worth it—in some cases up to six-figure sums per synthetic ID. Stopping them is hard work too. Synthetic fraud modules and behavioral analytics can automatically spot synthetic identities, but you’ll have to integrate these tools and configure them to suit your specific risk tolerance.
So—who’s keeping it real? This question matters because synthetic fraud is a growing problem. Making sure that each of your customers is real today will help you avoid potential losses tomorrow.