By Kevin King, Director of Product Marketing, ID Analytics
The shift to digital transactions and the anonymity it provides, as well as the amount of available data from breaches, has given rise to a type of fraud many enterprises aren’t equipped to combat—synthetic identity fraud.
A 2014 research study from ID:A Labs showed synthetic identity fraud had increased more than 100 percent in three years. Additionally, a 2018 industry report from Aite suggests that synthetic identity losses account for 20 to 30 percent of all credit write-offs, which total $6-9 billion in losses annually (Editor’s note: at the CNP Expo right before Memorial Day, both former fraudster Brett Johnson and FBI cyber intelligence expert Elvis Chan specifically noted synthetic ID fraud in their keynote addresses).
Synthetic identities are a combination of fabricated credentials where the implied identity is not associated with a real person. However, not all synthetic identities are created equal. The techniques fraudsters use to compose a fake identity, and how they build up that identity’s creditworthiness, has a huge impact on the financial harm a synthetic identity can do and how easily it can be detected.
The evolution of synthetic identity fraud
Until recently, fraudsters combined real identity elements from multiple individuals to create a new “synthetic identity.” All of the information was real, but the resulting identity did not match any one person. However, synthetic identities have evolved and are now being created with fictitious information, meaning the individual identity elements used aren’t real and don’t belong to a real person. This is creating what are known as “manufactured synthetics.” The emergence of synthetic identities composed of invalid information makes determining identity legitimacy increasingly difficult.
In 2011 the Social Security Administration (SSA) shifted its policy from issuing Social Security Numbers (SSNs) based on chronology and geography to issuing fully randomized digits. While the decision to randomize the issuance of new numbers addressed the predictability of an individual’s SSN, it also had the unintended consequence of reducing the information available to risk managers for identity management. This change has ultimately contributed to the rise of manufactured synthetics because lenders can’t easily determine if a SSN is valid. Prior to randomization, lenders could verify that a SSN had been issued so it was easy to spot a fake SSN (an unissued SSN is a strong indicator it doesn’t belong to a real person). Randomized SSN issuance has made it easier for fraudsters using “new” SSNs, turning what was a mostly managed threat to a serious problem without a clear solution.
Unlike third-party fraud, synthetic fraud presents a unique challenge—and danger—because there is no specific consumer victim. Initially this might sound like a good thing, but without a consumer to alert businesses of fraudulent activity, fraudsters keep synthetic identity accounts open for months-to-years. This strategy enables fraudsters to build up credit line increases, only to eventually “bust out” by maxing out the credit line and disappearing without a trace.
Additionally, once the account charges off, synthetic frauds are often categorized as credit bads, since there is no clear evidence of fraudulent activity. The action raises the question: Did that customer just stop paying or was the customer ever real?
This is why the U.S. Federal Trade Commission considers synthetic fraud the fastest-growing and hardest-to-detect form of identity theft.
The industry is split: are synthetic identities a fraud or credit problem?
According to our research, slightly more than 50 percent of financial institutions refer to synthetic identity fraud as a credit issue whereas the remainder view it as a fraud issue. The response is important because what FIs call it dictates the scope of the problem and the kind of tools used to address it.
If the institution views synthetic identity fraud as a credit issue they will use a credit score to attack the problem, and if they view it as a fraud issue they will use a fraud score.
Fraud scores and credit scores have several differences in terms of functionality. Credit scores allow financial institutions to take adverse action on credit scores (i.e., deny someone credit without further investigation). With fraud scores you cannot do that, you must take steps to offer the applicant an opportunity to prove that they are who they say they are.
Unfortunately, it appears synthetic identity fraudsters are beating the traditional versions of fraud and credit scores. A recent ID Analytics analysis found between 85 and 95 percent of applications identified as potential synthetic fraud were not flagged as high risk by traditional identity theft fraud models, and over half of synthetic applicants had a traditional bureau-based credit score above 650.
Bottom line—synthetic fraudsters are currently winning the battle against defenses and lenders need better solutions to keep up.
The industry needs to ask new questions: focus on legitimacy and intent
To combat modern synthetic fraudsters, it’s important to reframe the questions being asked to address the core issue. The question “Is this really the applicant?” is critical to stopping some forms of identity theft, but the synthetic identity creators will be able to answer that question.
However, to truly scrutinize identity legitimacy we should be asking, “Is this applicant real?” It sounds simple, but changing how you think about synthetics also changes how attack the problem.
Asking different questions impacts the kind of behaviors we’re looking for to determine if the applicant is behaving normally. For instance, to focus on identity legitimacy we should be asking things like, “Have I seen this combination of identity information associated together over a period of time?” and “Has this combination of identity information ever been reported as fraudulent, or has the contact information (address, phone email) been used by another identity and reported fraudulent?”
This also means paying less attention to behaviors that are considered to be essential to identity theft detection, but which are uncharacteristic of synthetic identities (i.e. submitting a large number of credit applications in a short time period). By assessing the core issue of identity legitimacy, lenders can cast a wider net for identifying synthetic identities, as well as improve customer experience by reducing false positives.
From a credit perspective, businesses need solutions that can effectively evaluate the true intent of the applicant. This is difficult with current scoring as synthetic fraudsters are getting through authentication by building positive credit before going bad. Through advanced analysis with alternative data, organizations can better identify the patterns associated with synthetics and their ultimate intent to abuse credit.
Ultimately, effective methods are emerging to combat synthetic identities regardless of whether your institution considers the threat to be a credit or a fraud issue. With the well-defined strategy, purpose-built synthetic solutions can help answer the critical questions – is this identity real and do they intend to pay me – needed to identify and stop synthetic fraud.
