When trying to deceive businesses, fraudsters use plenty of techniques, both basic and sophisticated. Creating synthetic identities falls under the second category.
Personal data breaches, technology democratization, and the growth of remote user scenarios in organizations make the rise of synthetic identity fraud inevitable.
This article gives you a deep insight into the threat that KPMG analysts called a $6 billion problem.
What is synthetic identity fraud?
In a nutshell, synthetic identity fraud is making a fake identity based on the personal data of real people to access digital services and goods.
For instance, scammers can invent a new persona by combining the legitimate information of several random people. They also can use just one genuine component complemented with AI-generated demographics.
Scammers also often submit their own email addresses and phone numbers so that they can control the account and withdraw money.
There are many variations of synthetic identities. The main idea is that these synthetic identities are not real humans, but figments of malicious imagination.
Synthetic identity fraud is connected to identity theft, where fraudsters get unauthorized access to a victim's identification data: name, address, date of birth, ID number, etc. This data will serve them as raw material for new fake identities. Scammers can gain this information deceptively, e.g., through phishing emails, or by buying it on the dark web, where terabytes of stolen databases are stashed.
What companies are on the fraudsters’ radar?
Primarily, synthetic identity fraud is used to cheat finance-related businesses. By submitting fake identification data remotely, fraudsters apply for loans they will never pay back. Sometimes, they can gradually build credibility while impersonating a law-abiding and responsible customer to increase their credit line and eventually get more loot. After “busting out” the account connected to a synthetic identity, fraudsters abandon it and disappear with the money.
However, the problem is significant not exclusively for banks and lenders: 46% of organizations worldwide experienced synthetic identity fraud in the past year, according to our identity fraud statistics. Companies in the USA seem to be the most concerned: about 91% of organizations consider synthetic identities a growing threat.
Digital businesses, such as goods and services platforms, are also targeted. According to PwC research on platform fraud, 21% of companies claim synthetic identity fraud as a tool bad actors use for unauthorized purchases and transactions when impersonating merchants and customers.
Why synthetic identity fraud remains a continual threat
First, this type of fraud costs businesses a lot of money. On average, the charge-off balance is $15,000 per synthetic identity fraud case, according to a Federal Reserve study. The Deloitte Center for Financial Services anticipates synthetic identity fraud will generate at least $23 billion in losses by 2030. This growth partly corresponds to an increase in noncash payments globally.
Second, each grave personal data breach allows fraudsters to avail themselves of compromised identification information. Once identity thieves have someone’s personal data, they can open new accounts using a synthetic identity as a shield.
Third, identity thieves don’t need to steal a complete identification package to make a synthetic identity. In the US, they may use a Social Security Number (SSN) as a genuine component. This is one of the reasons why US businesses take the threat most seriously.
How can businesses cope with synthetic identities?
Since synthetic identities can penetrate a company’s systems at the customer onboarding stage, it seems reasonable to focus all efforts on this point. However, it’s a tricky task: preventing synthetic identity fraud requires a comprehensive plan that embraces all security risks.
Here are some recommendations based on the best practices of industry leaders and Regula’s experts:
Enhance identity verification flow
According to McKinsey analysts, if a customer onboarding process doesn't include in-person verification of documents or biometric screening, it potentially leaves room for synthetic identity fraud. Yet, more financial services companies today omit in-person applications, trying to keep up with the growing demand for remote processes.
To stay reliable and secure, this approach should be complemented with a complete IDV process, including fraud detection software. That means you need to validate all facets of the applicant's identity:
Verify that the submitted identity document is valid and genuine by conducting a set of authenticity checks.
Ensure that the applicant is entirely associated with the submitted ID.
Check that the user is a live person through biometric verification with a liveness detection component, for example, by matching the user’s selfie and the photo in their ID.
Check for passive fraud signals, such as mismatches between the applicant's IP address/geolocation and the submitted address.
Check that the user is not on a sanctions list or other blacklist.
You can also add government-based data registries to your customer verification flow. In the US, where an SSN is a cornerstone of many synthetic identities, there are free and fee-based services powered by the Social Security Administration (SSA). The Social Security Number Verification Service (SSNVS) and Consent Based Social Security Number Verification (CBSV) enable you to match a person’s name, date of birth, and SSN with SSA records. However, neither service offers identity verification; they can only be used for SSN validation.
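As an added illustration of the passive fraud signal check in the list above (not Regula's code or any product API), this Python screen flags a mismatch between the IP country and the submitted address country, an SSN submitted under more than one name and date of birth, and an email or phone number reused across different SSNs. The field names, signal names and sample records are constructed assumptions, and `ip_country` is assumed to come from a GeoIP lookup done elsewhere.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Application:
    app_id: str
    name: str
    dob: str
    ssn: str
    email: str
    phone: str
    address_country: str
    ip_country: str  # assumed to come from an upstream GeoIP lookup

def digits(value):  # digits only, so formatting differences cannot hide a match
    return "".join(ch for ch in value if ch.isdigit())

def screen(apps):
    """Return {app_id: sorted signal names}; signals feed manual review."""
    people_by_ssn, ssns_by_contact = defaultdict(set), defaultdict(set)
    for a in apps:
        people_by_ssn[digits(a.ssn)].add((a.name.strip().lower(), a.dob))
        ssns_by_contact["email", a.email.strip().lower()].add(digits(a.ssn))
        ssns_by_contact["phone", digits(a.phone)].add(digits(a.ssn))
    flags = {}
    for a in apps:
        hits = set()
        if a.ip_country.upper() != a.address_country.upper():
            hits.add("ip_address_country_mismatch")
        if len(people_by_ssn[digits(a.ssn)]) > 1:  # one SSN, several personas
            hits.add("ssn_linked_to_multiple_identities")
        if len(ssns_by_contact["email", a.email.strip().lower()]) > 1:
            hits.add("email_shared_across_ssns")
        if len(ssns_by_contact["phone", digits(a.phone)]) > 1:
            hits.add("phone_shared_across_ssns")
        flags[a.app_id] = sorted(hits)
    return flags

# Constructed sample applications; SSNs use the never-issued 000 area number.
SAMPLE = [
    Application("A1", "Ann Lee", "1990-04-02", "000-12-3456", "ann@example.com", "+1 202 555 0101", "US", "US"),
    Application("A2", "Bob Roy", "1985-11-19", "000-12-3456", "bob@example.com", "+1 202 555 0102", "US", "US"),
    Application("A3", "Cy Diaz", "1979-01-30", "000-98-7654", "drop@example.net", "+1 202 555 0199", "US", "DE"),
    Application("A4", "Di Moss", "1992-07-08", "000-55-1111", "drop@example.net", "+1-202-555-0199", "US", "US"),
    Application("A5", "Ed Kim", "1988-03-14", "000-44-2222", "ed@example.org", "+1 202 555 0105", "US", "US"),
]

if __name__ == "__main__":
    print(screen(SAMPLE))
```

A flagged application is a candidate for the stronger document and biometric checks listed above, not proof of fraud: family members legitimately share phone numbers, and travellers apply from foreign IP addresses.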
Advance your security policies
According to the 2023 Business Impact Report by ITRC, most small businesses don’t utilize tools such as multi-factor authentication (MFA) for employees and customers. Many also neglect role-based access for employee access to sensitive data and the mandatory use of strong passwords. The adoption rates of these solutions vary between 20% and 34%, depending on the tool.
A zero-trust security model based on biometrics can help you mitigate synthetic identity fraud risks. By assuming that all incoming traffic is malicious, companies can adopt the “never trust, always verify” approach. That also implies implementing biometric components at all access points of the system.
By adding more defense layers to your perimeter through implementing more advanced solutions, you can prevent identity theft and personal data breaches. Both of these security threats contribute to the mushrooming of synthetic identity fraud.
Educate your employees and customers
Unfortunately, synthetic identities with positive credit scores can already be in your customer database. That means you should also develop monitoring procedures that help your employees flag all suspicious accounts at earlier stages. Skilled staff with access to special training are heavy armor in the fight against synthetic identity fraud.
Running educational campaigns for customers via email and social media can also be fruitful. Articles, videos, and blog posts dedicated to synthetic identity fraud and identity theft issues increase user awareness of the threat. Educated customers become your allies. They will perceive complex identity verification procedures as an extra anti-fraud measure, not a pitfall that negatively affects their experience with your digital services.
The further development of AI technology and security gaps turns the cat-and-mouse game between fraudsters and businesses into a prolonged war. Therefore, an effective strategy is needed to avoid losing the next battle, in which the enemy’s troops may include synthetic identities.
Regula’s experts are ready to consult you on elaborating and ensuring remote ID verification procedures.