A Guide to Synthetic Identity Fraud: Definition, Targets, and Precautions

In a nutshell, synthetic identity fraud is making a fake identity based on the personal data of real people to access digital services and goods.

For instance, scammers can invent a new persona by combining the legitimate information of several random people. They also can use just one genuine component complemented with AI-generated demographics.

Plus, scammers often submit their email addresses and phone numbers as a way to control the account and withdraw money. 

There are many variations of synthetic identities. The main idea is that these synthetic identities are not real humans, but figments of malicious imagination. 

Synthetic identity fraud is connected to identity theft, where fraudsters get unauthorized access to a victim's identification data: name, address, date of birth, ID number, etc. This data will serve them as raw material for new fake identities. Scammers can gain this information deceptively, e.g., through phishing emails, or by buying it on the dark web, where terabytes of stolen databases are stashed.

What is synthetic identity fraud compared to its traditional counterpart? The biggest difference can be summed up as this: synthetic identity theft generates completely new fake identities instead of taking an existing one.

Traditional identity theft involves assuming the identity of an existing person. Criminals initially gather different personal information (like the victim's name, Social Security number (SSN), date of birth, address, etc.) which they then use to access current accounts or establish new ones.

For our comparison, we’d also like to highlight that this type of fraud generally inflicts immediate harm on the victim. It appears in different forms (a drained bank account or a loan taken without approval), yet the ultimate outcome remains unchanged—money lost.

As mentioned previously, synthetic identity theft means combining stolen real data with fabricated elements to create a hybrid identity—a Frankenstein-type persona. This way, a criminal might pair a real stolen SSN with a fake name, a fake date of birth, and an address of their choosing. In some cases, they even might use a child’s SSN or one from a deceased individual, as these are less likely to raise immediate red flags.

In contrast to traditional identity theft, the aim here is not to immediately exploit the fake identity for financial gain. Instead, criminals invest their time in creating a credible credit profile through applying for small lines of credit. Then, over months or even years, the fake persona finally gains the full trust of financial institutions, which paves the way for the long-awaited big scam.

The biggest problem with uncovering synthetic identity theft is the absence of a clear, identifiable victim. Unlike a situation where the real person can step up and report the anomalies, synthetic identity theft creates victims that don’t truly exist. 

Additionally, synthetic identities tend to mimic the profiles of individuals with limited credit histories, such as young adults or immigrants. Credit bureaus, which heavily rely on the SSN as a unique identifier, inadvertently help the process when they generate credit profiles for these fake identities. Once established, these profiles blend into the system, making detection even more challenging.

Primarily, synthetic identity fraud is used to cheat finance-related businesses. By submitting fake identification data remotely, fraudsters apply for loans they will never pay back. Sometimes, they can gradually build credibility while impersonating a law-abiding and responsible customer to increase their credit line and eventually get more loot. After “busting out” the account connected to a synthetic identity, fraudsters abandon it and disappear with the money. 

Not surprisingly, 92% of companies in Banking surveyed by Regula perceive synthetic identity fraud as a real threat. The cost of identity fraud in the sector reaches hundreds of thousands of dollars.

However, the problem is significant not exclusively for banks and lenders: 46% of organizations worldwide experienced synthetic identity fraud in the past year, according to our identity fraud statistics. Companies in the USA seem to be the most concerned: about 91% of organizations consider synthetic identities a growing threat.

Digital businesses, such as goods and services platforms, are also targeted. According to PwC research on platform fraud, 21% of companies claim synthetic identity fraud as a tool bad actors use for unauthorized purchases and transactions when impersonating merchants and customers.

What is synthetic identity fraud capable of? First, this type of fraud costs businesses a lot of money. On average, the charge-off balance is $15,000 per synthetic identity fraud case, as The Federal Reserve study revealed. The Deloitte Center for Financial Services anticipates synthetic identity fraud will generate at least $23 billion in losses by 2030. This growth partly corresponds to an increase in noncash payments globally. 

Second, each grave personal data breach allows fraudsters to avail themselves of compromised identification information. Once identity thieves have someone’s personal data, they can open new accounts using a synthetic identity as a shield. 

In 2022, Banking was one of the three industry sectors with the highest rate of data breaches. Moreover, the number of such incidents in the US has increased tenfold within the last two decades. 

Third, identity thieves don’t need to steal a complete identification package to make a synthetic identity. In the US, they may use a Social Security Number (SSN) as a genuine component. By the way, this is one of the reasons why local businesses take the threat most seriously.

Now that we’ve answered the question of “What is synthetic identity theft?”, let’s dive deep into its process, step by step. This way, you’ll get a better understanding of what exactly to be prepared for.

It all starts with obtaining genuine personal data, with SSNs often being the go-to option. Fraudsters focus on SSNs that are less likely to attract attention, such as those of children, the elderly, or deceased persons.

And where is this data coming from? The dark web is a common source, featuring black-market platforms that sell Social Security numbers, birth dates, and other personal data. Phishing scams and data leaks also greatly add to this data pool.

Once criminals get their hands on a legitimate SSN, they pair it with a number of made up details, such as a fake name, birth date, and address, to create a synthetic identity. More rarely, they might even use their real name and address to pair with the stolen SSN.

The critical thing here is to make sure that the fabricated details look plausible. For this purpose, fraudsters use public databases to match the fake identity with some demographic trends or geographical data.

A new synthetic identity has no value without a credit profile. To create this profile, criminals employ methods such as piggybacking—they gain authorized access to another person's credit account, often by taking advantage of breached accounts or weaknesses in authorization systems.

Another approach is to seek credit from lenders who specialize in helping those with little or no credit history. Even if the first applications are rejected, the mere act of applying already establishes a record for the synthetic identity.

Once a synthetic identity secures an initial, small line of credit, the fraudsters begin nurturing the profile. They periodically make small purchases and consistently pay off their balances to build a positive credit history.

As their creditworthiness grows, criminals gain access to higher credit limits and more lucrative financial products, such as personal loans or larger credit cards.

The concluding stage of synthetic identity fraud is when the criminal finally cashes out, commonly known as a “bust-out”. They simply exhaust every available credit line, never repay them, and disappear without a sign. And since the synthetic identity isn't linked to an actual individual, there is no victim to track down or report the fraudulent activity.

Special attention should be paid to the problem of children’s data being misused. According to Javelin’s 2024 research, every 19th child fell victim to identity fraud over the past six years in the US. Children’s SSNs are particularly sought after by fraudsters because they are essentially untapped resources. Unlike adults, children typically have no credit history, making their SSNs “clean slates.” 

Criminals can create synthetic identities using a child’s SSN and let it sit for years, only activating it when the child reaches adulthood. By this time, the synthetic identity often has an established credit history, making it even harder to detect the fraud.

It must be said that detecting all synthetic identity fraud is near impossible, that’s why the best any organisation can do is effective damage limitation. As mentioned before, the primary obstacle here is the fraud’s extremely subtle nature and the absence of an identifiable victim. 

So let’s take a look at the measures you can take to spot synthetic identity fraud early on.

Synthetic identities can sometimes follow somewhat unusual credit patterns that can become glaring upon closer inspection. For example:

• Sparse public records: A synthetic identity might have a legitimate SSN but no associated public records like voter registrations, tax filings, or prior credit histories.

• Rapid credit building: If criminals are too hasty with their scheme, their synthetic identities can show a rapid credit-building timeline, gaining significant creditworthiness within months.

Unusual address histories: It’s not uncommon that criminals use one address for multiple unrelated identities. Cross-referencing these addresses can help you identify patterns indicative of fraud.

If you employ some advanced fraud detection systems, you will have access to deep behavioral analytics. These will help you uncover inconsistencies that fraudsters could simply miss out on.

This way, slight variations in reported income, job titles, or employer names might hint at an incoming bust-out.

Developing on the topic of technology, you can make full use of a range of solutions such as the aforementioned fraud detection systems that can track anomalies. But there’s more.

If possible, you can use collaborative databases that aggregate fraud data from banks, lenders, and credit bureaus, which will also help identify suspicious patterns. On top of that, you can use services like the Social Security Administration’s Consent-Based SSN Verification (CBSV), to verify whether an SSN matches the name and date of birth provided during account opening.

Since synthetic identities can penetrate a company’s systems at the customer onboarding stage, it seems reasonable to focus all efforts on this point. However, it’s a tricky task: preventing synthetic identity fraud requires a comprehensive plan that embraces all security risks.

Here are some recommendations based on the best practices of industry leaders and Regula’s experts:

According to McKinsey analysts, if a customer onboarding process doesn't include in-person verification of documents or biometric screening, it potentially leaves room for synthetic identity fraud. Yet, more financial services companies today omit in-person applications, trying to keep up with the growing demand for remote processes. 

To stay reliable and secure, this approach should be complemented with a complete IDV process, including fraud detection software. That means you need to validate all facets of the applicant's identity:

• Verify that the submitted identity document is valid and genuine by conducting a set of authenticity checks.

• Ensure that the applicant is entirely associated with the submitted ID.

• Check that the user is a live person through biometric verification with a liveness detection component, for example, by matching the user’s selfie and the photo in their ID.

• Check for passive fraud signals, such as mismatches between the applicant's IP address/geolocation and the submitted address.

• See if the user is not on a sanctions list or other blacklist.

According to the 2023 Business Impact Report by ITRC, most small businesses don’t utilize tools such as multi-factor authentication (MFA) for employees and customers. Many also neglect role-based access for employee access to sensitive data and the mandatory use of strong passwords. The adoption rates of these solutions vary between 20% and 34%, depending on the tool. 

A zero-trust security model based on biometrics can help you mitigate synthetic identity fraud risks. Putting forward the idea that all incoming traffic is malicious, companies can successfully adopt the “never trust, always verify” approach. That also implies implementing biometric components at all access points of the system. 

By adding more defense layers to your perimeter through implementing more advanced solutions, you can prevent identity theft and personal data breaches. Both of these security threats contribute to the mushrooming of synthetic identity fraud.

Unfortunately, synthetic identities with positive credit scores can already be in your customer database. That means you should also develop monitoring procedures that help your employees flag all suspicious accounts at earlier stages. Skilled staff accessing special training is heavy armor in the fight against synthetic identity fraud.

Running educational campaigns for customers via email and social media can also be fruitful. Articles, videos, and blog posts dedicated to synthetic identity fraud and identity theft issues increase user awareness of the threat. Educated customers become your allies. They will perceive complex identity verification procedures as an extra anti-fraud measure, not a pitfall that negatively affects their experience with your digital services.

Synthetic identity theft is a sophisticated and persistent threat that exploits systemic vulnerabilities in identity verification processes. By combining stolen data with fabricated details, fraudsters create convincing credit profiles capable of evading detection for years. 

How to prevent synthetic identity theft? It will likely require an evolution of your security measures as well as cutting-edge technology to support it. 

And you can find such technology in solutions like Regula Face SDK—with it, you can verify that an identity is represented by the same, real person through biometric verification from live camera feed. What’s more, if fraudsters try to exploit stolen images, videos, or even 3D-printed masks, they will fail. Regula’s liveness detection can examine subtle cues, like light reflection on the skin or natural micro-movements, to confirm a live human presence.