Synthetic Identity Theft: Analyzing Recent Cases and Best Practices - Mastercard

Uncovering synthetic identity theft with real-life cases and examples

As the fastest-growing financial crime in the United States, when it comes to synthetic identity fraud, we have had our finger on the pulse for some time; producing eBooks and blogs with the latest global statistics and best practices for preventing and detecting this nefarious behavior. However, when it comes to getting a solid grasp of the subject of synthetic identity theft and gaining a clearer understanding of the consequences of this fraud, there is nothing better than real-life case studies and examples.

Before we start, let’s define synthetic identity fraud. In short, this type of identity theft involves combining real (often stolen) and fake identity information to fraudulently create accounts or make purchases.

The synthetic identities that stole more than $1 million.

Have you heard this one? A highly sophisticated synthetic identity fraud scheme recently caught the eye of law enforcement and led to a nationwide investigation across the United States. Here are the footnotes: In 2021, 13 individuals were charged with creating synthetic identities with stolen Social Security numbers that didn’t have an associated credit history attached (or, in some cases were unlikely to be actively monitored due to belonging to children, recent immigrants, elderly individuals, the incarcerated and even dead people).

The fraudsters then took the time to ensure these identities appeared legitimate; setting up emails and public service accounts and then creating shell companies that reported the synthetic identities to credit reporting agencies. This enabled the synthetic identities to build credit to obtain loans and credit cards that they then went on to max out and not repay. All in all, these fraudsters created 20 synthetic identities to defraud 19 different financial institutions and steal more than $1 million.

The case of two men and 700 synthetic identities.

How’s this for a tall but true tale? Two Floridian gentlemen got to work back in 2017 to establish some 700 synthetic identities – a combination of real, albeit stolen identity information such as Social Security numbers, with fraudulent identity information, such as fake names and dates of birth. Using these synthetic identities, they created bank accounts and shell companies. Now, here is when things really took off. Come 2020, amidst a global pandemic, the men and their co-conspirators took advantage of programs established to provide aid, relief and financial security to small businesses.  Specifically, the men used these already-established synthetic identities to defraud the Paycheck Protection Program (PPP), receiving over $3 million dollars illegally. The fraudsters have been charged in the Miami Federal Court and are awaiting sentencing.

The situation with state systems scammed by synthetic identity schemes.

 While the pandemic wasn’t the first time we saw a surge in synthetic identity scams, it did usher in an unprecedented opportunity for fraudsters to take advantage of relief packages intended for legitimate, struggling citizens. Indeed, individuals across the US, in desperate need of state benefits, have felt the sting of state crackdowns for some time now, with their thin-file identities often investigated unfairly, while actual fraudsters fall through the cracks.

The real issue at hand is how easy it has been for synthetic identity rings to target those states that are particularly generous with unemployment benefits. Specifically, states like Washington and Nevada, which not only started distributing benefits sooner than other states, but also, without a state income tax, have no income records to help substantiate claims, have been hit hardest by fraudsters. These agencies could likely benefit from dynamic identity verification in the cases of thin-file applicants.

The synthetic identity theft scheme that was investigated by Homeland Security.

 More recently, a fraudster from Georgia was sentenced to more than seven years in federal prison in 2022 for his role in a nationwide synthetic fraud ring. As part of the scheme, this fraudster established a commercial mail-receiving agency in his home state where he and his co-conspirators received bank account and credit card statements related to their established synthetic identities, while protecting their personal addresses. Using these synthetic identities, including a stolen Californian driver’s license, the fraudster even rented an apartment to receive correspondence from financial institutions.

The conspiracy was eventually investigated by Homeland Security and the fraudster has been ordered to pay back nearly $2 million in restitution.

As the prosecutor in this case explained:

“[This fraudster] and his co-conspirators built their wealth off the backs of the people whose identities they stole, many of them children… Both the effects on these victims’ credit histories and their sense of violation are impossible to quantify, but they provide a further reminder of the seriousness of [his] crime and the callousness of his conduct.”

synthetic identity fraud and theft

Victims of synthetic identity fraud are not alone.

The victims of synthetic identity fraud and the industries affected by the schemes that come of it are not alone. Indeed, despite the above cases outlining instances of synthetic identity theft that have affected the United States, this is a crime that TransUnion research has uncovered accounted for over 5% of global online fraud in 2022, up by 132%. However, in the United States, the same report shows that data breaches have increased by 83% over just two years, with synthetic identities becoming a record-setting problem in the country in 2022.

More research still indicates that nearly half (46%) of global organizations have experienced synthetic identity fraud in the past 12 months. The banking sector is most vulnerable, with nearly all (92%) of surveyed financial institutions perceiving synthetic identity fraud as a real threat to their business.

What can be done to prevent cases of synthetic identity fraud?

It is worth repeating the benefits – and the necessity – of a multi-layered approach to digital identity validation in your efforts to curb cases of synthetic identity fraud. Because synthetic identities do not typically exhibit characteristics that would immediately put them on a blacklist, a sophisticated approach is required. This strategy should involve machine learning that leverages dynamic identity attributes, adding a layer of security that enables you to delineate legitimate individuals from bad actors.

The power of dynamic data in detecting synthetic identities.

Here’s the thing; synthetic identities behave differently from other types of stolen identities. This means they generate different types of risk signals. For example, the relationship between a synthetic identity’s name and email or name and phone may only actually exist once before those attributes as cycled through by the scammer to use in other synthetic identities. This is why the use and observations of dynamic identity data can help detect – and ultimately prevent – synthetic identities.

Unlike a static attribute, such as a Social Security number that is country-specific and usually based on one key unique parameter, dynamic attributes are global and can leverage multiple dynamic linkages, metadata, history and activity patterns to validate a user. These attributes are commonly used to verify legitimate identities, which means they are also relevant in assessing synthetic identities. The big difference is how the importance of each signal changes.

For example, the link between identity elements matters a lot more for synthetic identities because there is likely low consistency between elements. With metadata, looking at address history versus the length of credit history is a useful indicator because the duration should be similar. Finally, behavior elements have lots of strong indicators. One such example is IP risk, which is particularly effective in detecting the origination and location of an identity. The bottom line is that these elements can help identify good thin-file customers as well as high-risk customers using synthetic identities.

Based on what the customer has entered in a record, whether it be an account opening application or a transaction, the information can be evaluated. The results rely on a probabilistic risk assessment and can provide predictive signals of potential synthetic identity fraud by validating dynamic attributes and how they are linked.

online payment fraud

The Identity Engine: the synthetic identity fraud fighting machine.

The Identity Engine is comprised of two differentiated data sets that are built around five core elements: name, phone number, email address, home address and IP address. The first data set is referred to as the Identity Graph. These global providers have been vetted with rigid acceptance criteria to ensure accuracy and security compliance.

But in the digital world, this only shows half the picture. These core elements are just the starting point given that fraudsters could still obtain these data points and pretend to be someone they are not.

That’s why the Engine’s second unique data set, Identity Network, looks at how the identity elements are being used online, whether by a legitimate customer or by a fraudster. It leverages a network made up of over 200  queries to derive activity patterns and understand how the identity elements are being used in the digital world. A synthetic identity thief may be able to use data from a legitimate customer, but they do not act like that person. And ultimately? This is how they get caught.

To learn more about how the Identity Engine can power your approach to preventing cases of synthetic identity theft, contact us today.

Start a Free Trial

See how Ekata can reduce fraud risk for your business, contact us for a Demo.