Fake and Bake: How Synthetic Identities are Created and Cultivated for a Life of Crime

A common thought from the comics and movies, when evil geniuses build giant machines to steal all the oxygen from the earth’s atmosphere, or carve their initials in the moon, is “Why don’t they use all that brilliance for good instead of bad?” The criminals in “Die Hard” obviously were smart enough to generate a huge budget for henchmen and military hardware. If only they’d put those smarts to better use, they could have avoided getting blown up by Bruce Willis.

The answer as to why they went wrong in life is obvious. They may or may not be caught, but they’re willing to take the chance, for the opportunity to net a big score. And in order to reach that score, they’re willing to invest their brains and even some budget.

It’s the same in financial crimes. Identity theft, which often results in third party fraud (in which a perpetrator leverages stolen, private information, then pretends to be another individual in order to acquire loans, credit cards, and other undeserved benefits), is a relatively simple crime to execute. It requires only the acquisition and application of appropriated data. In a way, it’s a smash-and-grab. Steal the data, use the data. This data is typically name, address, SSN, email, phone, driver’s license, etc. The criminal applies for a loan or credit card in the victim’s name but substitutes his/her own contact info (phone and email) to intercept the benefits. The person whose identity has been taken may not find out they’ve been cloned until it’s too late. After the bad guy scores a card or loan, he takes off, leaving the wreckage for the victim and the lender to iron out.

Fake Identities, Real Crimes

A far more involved and insidious type of identity fraud involves the use of synthetic identities. Private information is still stolen and used, but instead of pretending to be a real person, the perpetrator creates an entirely new identity from parts. The building blocks are still the pieces of others’ backgrounds used to provide credit and other foundational data, but the actual identity is fabricated. And here’s why. The more foundation and history an identity has, the more chance it has of acquiring a serious set of cards or loans. Not just a starter, but something with a bigger credit line. This means investment.

What is the perpetrator investing?

• Effort. Third party fraud requires the effort, and maybe the minimal cost, of grabbing others’ data. Synthetic identity fraud requires the same thing. But then the data is used in the creation of phony people. Almost immediately after the ingredients have been combined to create a fake ID, the criminal has it apply for credit. And then come the Twitter and Facebook accounts to continue building a digital footprint.

• Cash. These ghosts are often gifted with bank accounts, with real (and very small) deposits. These ghosts might even make purchases and payments. They apply for other, random accounts. And these include the ultimate financial assets that will render the greatest return.

• Time. The credit that gets applied for immediately after ‘birth?’ Even when denied, that application becomes part of the history. After enough activity and background has baked, and sufficient financial and social history has been assembled, the phony identities are ready to be launched. This means that the perpetrator is ready to make the best use of these bogus bodies. That history enables the thief to get the most mileage out of the ill-gotten timelines and “bust out,” the term (similar to first-party fraud) for when synthetic identities have paved the way for the crook to max out credit cards and loans and walk away.

The Rub: What Makes Synthetic So Hard to Catch

The thing that allows synthetic fraudsters to get away with building that history is the synthetic part. There is no actual person to be alerted that activity is being generated on their behalf. The named victim receives no alert to take action, because there is no actual named victim. That said, synthetic identity fraud is not “victimless,” as it’s often called. The financial institution itself is the victim, and the costs of fraud, while often a write-off, still trickle down with measurable impact.

What could trip up this scheme? If an application using a very real SSN triggers an alert to the SSN holder. For this reason, synthetic fraudsters often steal the SSNs of individuals who are less likely to be alerted. Commonly, newborns are the victims. They won’t be applying for credit any time soon, and so the theft of their data may go undetected for many years. The consequences of this crime are therefore terrible now and into the future.

To prevent the success of synthetic identity, institutions need to ensure that all those who apply for credit are, in fact, who they say they are. This seems obvious, of course, and is the reasoning behind standard CIP (Customer Identification Program) and KYC (Know Your Customer) laws and policies. But with enough stolen personal data and a healthy dose of false history, synthetic identities can present themselves as perfectly legitimate.

Most KYC tools have not been designed to unearth fake identities, but rather only to match name/DOB/SSN to header data. Fraud solutions, on the other hand, are tooled to be a bit more sophisticated, but still look for an alignment of data points, which fraudsters have learned to artfully recreate. Therefore, deeper penetration into the identity, using more insightful fraud prevention tools, is needed to ensure that all the elements actually align into a holistic identity, and are not strung together from purloined parts.

Outsmarting the Fake

So how do you retool solutions to outsmart the fake? Certainly, the usual precautions must be taken in terms of assuring the basics of identity. But then it is necessary to combat the very essence of synthetic identities: the combination of stolen data elements, and the invention of phony history.

The first is battled by the correlation of those elements. Do the name, address, email, phone, SSN, etc. all belong to the same person? Do they add up to a holistic identity, i.e. a collection of data that are owned by a single entity?

The second is thwarted by going right at that phony history. Digging deeper, to examine the age of that phone, the age of that email, the history of that identity across public and private sources, can help reveal a synthetic identity as an empty suit. As this fraud increasingly leverages real accounts, associations with real credit holders, and occasionally abetting real merchants, it will be necessary to discern these illegitimate ties as part of a comprehensive effort to discover and defeat synthetic ids.

If the perpetrators have no conscience, they certainly have the intelligence to be a threat, and contribute to a type of fraud that costs American lenders and issuers billions every year, accounting for perhaps a fifth of all credit fraud. This means that the defenders of the financial frontier must be even smarter, to fight synthetic fraud now in its current forms, and in the future as it evolves. New financial products and digital channels mean more opportunities for consumers, as well as for fraudsters who continue to use their brainpower for evil. Fortunately, there are plenty of smart people building identity verification platforms to fight that fraud. Because they’ve chosen to use their powers for good.

Jeff Scheidel is Head of Training and Development at Socure