Synthetic ID fraud – Probably the fastest growing and most dangerous ID fraud today

Introduction

Fraudsters are always a step ahead, regardless of advances in digital technology. They leverage on financial innovation and the anonymity it creates to design sophisticated scams to defraud. The manufacturing of fictitious or synthetic identities (IDs) is a fraud that is a growing nuisance. A more pressing concern, however, is when we see a growing number of recent cases of global terrorist organizations using synthetic IDs to exploit the global financial system. This post explains what synthetic identity fraud is, shares some statistics of its growth and its key drivers, who is targeted in particular and how such a fraud is commonly perpetrated. It also highlights the kind of questions your organization should start asking about its anti-fraud and know your customer onboarding strategy, and the automated solutions available to mitigate the risk.

What is synthetic ID fraud and why is it so dangerous?

It is important to first know the difference between synthetic ID fraud and what is commonly known as identity theft.

Identity theft is where a fraudster uses your identity to impersonate you. A combination of your stolen information is used mostly to obtain credit or goods and services. Synthetic identity fraud occurs when a fraudster creates fictitious identities using a combination of stolen real identities with fabricated information. Typically, a fraudster will use a valid government issued Social Insurance Number (SIN) with a fictitious name and mailing address. The true danger of synthetic fraud is its anonymity. It may take months, if not years, to detect and the losses are significant.

Synthetic IDs provide a means for terrorists to not only obtain and transfer illicit funds, but also the anonymity to acquire government IDs and passports, cell phones, air tickets and supplies to carryout their operations. For example, in May 2014, Canadian officials learned terrorists on “no fly lists” were using synthetic identities to purchase airline tickets. The scheme included the use of fictitious names to obtain passports for an infamous murder suspect and major drug trafficking groups.

What is the velocity of its growth?

In 2013, the FBI discovered a $200 million credit card scam involved the creation of 7,000 new identities. Closer to home, the CBC reported in 2014 synthetic ID fraud costs Canada $1 billion per year. Today, synthetic identity fraud accounts for 80-85% of all identity fraud in the US according to the Federal Trade Commission. By 2018, Equifax says synthetic ID fraud will have risen to $8 billion in credit card fraud losses annually.

What’s driving its growth?

Your SIN is probably with your banks, credit agencies, brokers, federal government tax database, municipal government property tax database, your educational and healthcare institutions, notwithstanding in your own cyber space. With the well-publicized massive breaches of government and corporate databases, it is likely that your personal identifiable information is already out there.

Furthermore, organizations are providing new and improved ways to enhance customer experience. This is more so in the financial services industry where both rapid advances in technology and the demands of a younger population for frictionless mobile solutions is growing at a rate never seen before. As a result, visiting the local branch and transacting with tellers is fast disappearing with non-face-to-face contact banking becoming the norm.

Another key factor that’s driving the growth of synthetic identity fraud is the exponential growth in the availability of credit, and speed of credit decisions made today. Consumers want instant access to goods and services. As such, financial institutions are relying on credit scores like never before to meet these expectations. The use of automated score based solutions are ubiquitous and have created situations where human intervention in a credit process is entirely eliminated.

Who is targeted in particular?

Fraudsters can use any random SIN to manufacture a synthetic identity. However, they target the SINs of the elderly and deceased, impecunious and minors, in particular. The elderly, over time, require more assistance and care, and as such risk losing their SINs; the deceased don’t see their credit reports. The impoverished such as the financially distressed, homeless and students with little or no money are easily able to sell their SINs to fraudsters without understanding the implications.

The minors, however, are most susceptible. According to a study performed by Carnegie Mellon’s CyLab, children’s SIN are 51 times more likely to be used in a synthetic fraud scheme than those of adults. Such a fraud may be discovered once they apply for a driver’s license or credit card, many years after the SIN was compromised.  In view of the frequency of data breaches today, it is advisable for parents to create a credit file for their children, and instruct the custodian to put a “freeze” on it until they are old enough.

How is synthetic ID fraud carried out?

There are several ways in which fraudsters can exploit the credit process using synthetic IDs. The two most common are when applying for credit with a lender, and the use of an authorized user option on credit cards:

  1. Applying for credit

Fraudsters can manufacture an endless combination of fake identities. With a SIN they can add a name, date of birth and an address they control.  The fraudsters can target a large number of financial institutions and apply for credit at virtually the same time. The initial applications will probably be declined, but new credit files will be created at the credit reference agencies for each application. With this new credit file, the fraudster will apply for a new credit with another financial institution and concurrently repeat this process with other synthetic identities and other financial institutions. The fraudsters will also be able to establish accounts with phone and utility companies as well as create social media profiles.

When a financial institution runs a credit enquiry, the credit reference agency will confirm that a credit file does exist. Although such a file will not have a credit history, there are financial institutions or credit card companies that offer small amounts of credit without the requirement of a credit history. With a new credit account, the fraudster will make legitimate payments to build and establish a good credit history. The fraudster can eventually apply for more credit cards, retail store credit accounts, and the list can go on.

  1. Authorized users of credit cards

Adding authorized users to credit cards such as a spouse or child is a common occurrence.  The fraudster can exploit this process by targeting card holders with a good credit history to add unknown/synthetic identities to the credit card for a few days; these synthetic identities inherit the card owners credit history. The synthetic identity can be subsequently removed but the credit reference agencies maintain the credit history; the fraudster can then apply for credit lines.

In both instances, a fraudster is able to increase the spending limit on a credit line by paying off small purchases with the intention of obtaining larger loans. Eventually, the fraudster will “bust-out” the entire credit line, acquiring a large loan with no intention of paying it back.

What industries are affected?

This is not just a financial services industry issue. Government services such as medical and other public assistance and funding programs are targeted. There have been many publicized cases of fraudulent claims that are yet to be solved due to the use of “ghost IDs”.

The insurance industry is also susceptible. Fraudsters can take advantage of the automated credit application process available to car dealers with synthetic IDs with a ‘good’ credit history. Once obtained the cars are shipped abroad, and a claim is made for a stolen vehicle.

Risk mitigation: What are some of the key questions your organization should ask?

  • Do your customer onboarding policies and procedures address the risk of synthetic identities?
  • Are you complying with FINTRAC’s regulations on verification of customer identification and source of funds?
  • How effective is your reporting of suspicious activity?
  • Does your charge-off policy address whether or not losses from synthetic accounts are credit or fraud losses?
  • Who is the owner of suspected synthetic accounts? I.e. Credit risk, Operations, Collections, Fraud or Compliance
  • How effective is your training of staff and the tools they have to identify synthetic identities?

How can Securefact help in mitigating the risk of synthetic ID fraud?

In addition to advisory services related to industry-specific compliance with Canada’s anti-money laundering regulations, Securefact has developed a powerful, proprietary software solution called SIDni™ (Secure Identification Network for Individuals).

Some of the key features of SIDni™ are as follows:

  • Non-facing customer identification in compliance with Canada’s anti-money laundering regulations using the single match and dual source matching concepts
  • Commercial and residential address verifications
  • Social biometrics algorithms with fraud risk and authenticity scores
  • Digital identity intelligence correlating e-mail, phone, IP address and social media profiles
  • Verification in a matter of seconds
  • Allows to fully customize the integration of SIDni™ into an organization automated business processes or website.