Synthetic identity fraud occurs when criminals combine real and false information into new, bogus identities in order to commit financial crimes. The identity thieves use the fake profiles to engage in fraudulent activity such as creating phony credit files or opening sham credit card and bank accounts.
How synthetic identity fraud started…
Prior to 2011, one could determine the year and location a social security number was issued based on the last four digits. And if one knew the last four digits, it was easy to discover the first five numbers which, in turn, increased financial crimes such as application fraud, medical identity theft, and even child identity theft.
In 2011, and in an effort to protect personal identities and help law enforcement fight identity thieves, the Social Security Administration (SSA) randomized all newly issued social security numbers (SSNs). Criminals could no longer steal SSNs based on information coded in the last four digits, but an unintended consequence created entirely new fraud schemes.
If the SSA could randomize SSNs, then so could the identity thieves. They simply used the SSA’s algorithm to generate their own random nine-digit numbers, then ran those fake numbers through a social security number validator. If a number showed as unissued, bingo, they had a counterfeit SSN at their disposal to commit synthetic identity fraud.
…And how it works today
The most popular way to commit synthetic identity fraud is to establish a false credit file built on a real SSN or Individual Taxpayer Identification Number (ITIN). Some thieves use SSNs belonging to people who have been incarcerated for a long period of time, but many begin with a child’s SSN that was issued after 2011. Once they choose a fake name, address, and phone number, along with a birth year that makes the artificial profile holder at least 18 years old, they are ready to establish a credit file for this bogus identity.
Credit bureaus maintain credit files on millions of individuals, including people who do not even exist! When a thief uses a synthetic identity to apply for credit, perhaps to finance a purchase or open a new merchant account, the credit bureau’s system denies the application based on not recognizing the person’s identity data. But, that’s OK, for now. The real goal is the new credit file the system set up automatically when the fraudster applied for credit with fake information.
Now there’s an actual credit report, albeit with a zero-credit history, attached to the synthetic profile. Next, the identity thief needs to pump up the credit scores for this fake file as fast as possible, without raising red flags about suspicious activity, by enhancing the non-credit bureau information about the bogus credit file.
Enhancing the non-credit bureau public data: Open Source Intelligence (OSINT)
Many credit-approval systems use information other than what is included in the credit file to validate personal information when reviewing credit applications. In order to avoid these fraud detection tools, financial criminals enter the synthetic identity into public databases such as listyourself.net, or they open social media, grocery store, or airline frequent flyer accounts using the fake person’s identity. When the computer systems match the synthetic identity with the open source (i.e. public) data, the credit card companies or lenders are more likely to approve the fake application.
Using OSINT to build credit
With a current credit file, and OSINT in place to pass initial identity verification systems, identity thieves continue implementing their fraud schemes by using the synthetic identity to apply for a secured credit card. Capital One is popular since they offer a $200 secured credit line for a mere $39 deposit. Granted, this low limit does not give the fraudster significant purchasing power or raise their fake person’s credit score, but it does update the false credit history to include a primary line of credit.
Cybercriminals also boost credit scores for synthetic identities by adding authorized users to credit card accounts. In this practice, also known as credit piggybacking, the thief attaches the synthetic identity as an authorized user on an account in good standing. If this account has a strong credit history, a good debt ratio, and has been open long enough, a synthetic profile can go from a poor credit score to a high 700 score in 30 days without setting off any fraud alerts. And the higher the credit score, the lower the risk for the thief when applying for fraudulent accounts. A stronger, more established credit history also makes it easier to bypass fraud and anti-money laundering detection software. Still, there is one powerful tool to help law enforcement and identity theft victims: identity verification software.
Opening new accounts requires documentation
Even with a synthetic identity built from a real SSN and fake personal information, and even if a criminal succeeds in opening a secured line of credit or establishing public data for the fake person’s identity, they will very likely need identity documentation to apply for a bank loan or a line of credit, or to open a new bank account in the fake name.
The most common types of identity documents used to commit synthetic ID fraud are physical counterfeit driver’s licenses and bogus licenses uploaded online. The physical fraud license has the synthetic identity profile (name, address, birth date) but the actual criminal’s photo so it will pass manual inspection. The fake digital license shows someone else’s photo and the false personal information that matches what the criminal entered in the online loan or account application.
The right identity verification software can help you change the game in the fight against synthetic identity fraud by improving identity verification standards and giving honest consumers new ways to more easily do business online.
By Brett Johnson, keynote speaker and consultant on cybersecurity, cybercrime and identity theft