What is synthetic identity fraud?

What is synthetic identity fraud? Why is it dangerous?



Imagine spending months planning, designing, and launching a new brand website, which onboards crowds of new customers in the first month.

Article at a glance:

  • Synthetic identity fraud occurs when a fraudster merges pieces of their target’s identity with falsified personal information to create a new “synthetic identity.”
  • This type of fraud is incredibly difficult to pin down due to its long-term timeframe and sophisticated nature.
  • By implementing a multi-layered security approach, businesses stand a better chance at combating synthetic identity theft and protecting their users.

Sometime down the line (perhaps even years later), you discover the crowd was smaller than you thought — a good portion of these new users were actually fraudulent. And it’s almost impossible to say who is real, and who isn’t.

You can stop imagining now, because this fear is far from hypothetical. It’s what happens as a result of synthetic identity fraud.

Synthetic identity fraud occurs when a fraudster merges pieces of real personal information (names, email addresses, social security numbers) from a variety of sources to create a new “synthetic identity.” Once fraudsters using this technique make it past your initial identity verification measures, it becomes very difficult to detect them, creating a challenging data quality problem.

Fortunately, by better understanding the threat of synthetic identity fraud and implementing more advanced identity solutions, you can outsmart fraudsters and keep your trusted users’ identities safe.

The nefarious nature of synthetic identity fraud

Synthetic identity fraud has become one of the fastest-growing cybersecurity threats. It accounts for nearly 80% of all identity fraud in the U.S. and is estimated to cost businesses close to $5 billion in 2024. What makes this type of fraud so damaging? There are two main factors at play: The sophistication of the attacks, and the difficulty of verifying when they’ve even occurred.

Synthetic identity fraud is considered sophisticated because it’s a long-term play. After creating an identity based on personal identifying information (PII) secured from the dark web, they may spend years nurturing it to establish baseline credibility. Meanwhile, the targeted user has no clue that their likeness has been stolen. It’s only after years of deception that the fraudster will then open new financial accounts, make expensive purchases, or execute other types of fraud.

Fraudsters often use the information of individuals who are without an existing credit history or who fail to monitor their credit carefully, such as children. It’s not uncommon for synthetic identity fraud to be discovered when a child becomes an adult and applies for their first credit card.

The massive scope of these attacks makes them extremely difficult to detect. For example, if a user successfully proves their identity after your business questions it, they’ve successfully built trust with you. Since synthetic identity fraud blurs the lines between real and fabricated information, these fraudsters are better equipped to pass common security checkpoints. Once they’ve done so, detection becomes that much harder.

What can businesses do to confront the problem of synthetic identity theft? The answer lies in the quality of security solutions you have in place to combat it.

A multi-layered approach to combatting synthetic identity theft

Given the relative ease fraudsters have obtaining a user’s PII and building a profile over time, your business’ best opportunity to stop synthetic identity fraud is to apply extreme vigilance to user verification. As we’ve mentioned, bypassing initial identity verification steps makes it easier for fraudsters to escape detection. Unfortunately, many businesses rely solely on static, one-time verification methods that most fraudsters know how to evade.

To avoid this, your business needs to invest in more dynamic, multi-layered security measures that monitor users throughout their interactions, instead of just at login.

The specific measures that are best for you will depend on your business needs and specific industry profile. For example, a mid-sized bank might consider a variety of anti-money laundering (AML) measures, such as:

  • Multifaceted verification processes: More robust verification processes involve cross-referencing information through multi-factor authentication.
  • Watchlist screening and monitoring: In this process, customer information is gathered and then referenced against global watchlists that monitor individuals associated with cybercrimes and other illegal activities.
  • Enhanced due diligence (EDD): EDD involves putting high-risk customers through a thorough investigation that examines their financial history, business relationships, and other identifying factors. This isn’t a tool to rely on too extensively, but can be useful in certain situations.

In other industries, businesses can also use biometric authentication tools like fingerprint and facial recognition software that are more difficult to replicate. One subset of biometric authentication that provides more continuous verification is behavioral biometrics. These tools take a zero-trust approach, assuming that all users are not to be trusted unless proven otherwise.

Effectively disguising their attacks becomes more difficult for fraudsters when they have to constantly authenticate themselves. With every interaction, the algorithm understands the user’s behaviors more — and can provide your business with a risk score that can indicate whether more comprehensive identity verification could be appropriate. Creating more touchpoints where fraudsters must prove their identities increase the likelihood of them being caught.

Identity verification

Don’t let fraudsters get away with fabricated identities

There’s no way around it: Synthetic identity fraud is difficult to pin down. Fraudsters will continue to play the long game, hoping your security measures don’t become advanced enough to catch them.

Don’t let this happen. Recognize that static identity proofing strategies are a poor fit for the sophisticated nature of synthetic identity fraud. Only by embracing a continuous multi-layer approach to security can you keep your users’ identities safe.

Related content