Ever wondered how synthetic identity fraud works? Let's take a quick dip. This is not fraud advice.
What are synthetic identities and how are they created?
Synthetic identities are a combination of fabricated credentials (PII) where the implied identity is not associated with a real person. That being said, these identities are based in truth, most often a social security number.
There are a couple of ways to go about obtaining a social security number. A fraudster may:
- phish it, or
- Have one issued by the Social Security Agency.
How does a fraudster go about this process?
Phishing. A notorious fraudster, Matthew Cox, provides the perfect case study. Cox was driving around North Carolina, passing by a group of homeless people when he came across a realization: None of these people are using their social security number.
He decided to pose as a social worker, put on an orange mesh vest, and take $100 with him. He would approach the homeless, saying he was conducting a city survey. In exchange for answering a couple of questions, they would receive $20. He would then plainly ask for a full name and social security number.
Issuing. Based on conditions surrounding birth and documentation, some children under 12 months old do not yet have an SSN. If you have a "child" that doesn't have an SSN, you can go to the Social Security Agency with her birth certificate and her list of shots, and they will issue you one. This is often the case for children not born in hospitals. By forging a birth certificate, a fraudster is now empowered to create an entire identity, “true” by record, with a name of their choosing.
Moving Forward → Fraud
Armed with a valid SSN, financial identity around that SSN needs to be created. This is where people get confused. Many think that there is some omnipresent database, or source of truth, containing all of your information. In reality, Credit bureaus are the source of truth for your personal information and they only know because at one point, you provided it.
Providing your information builds a credit profile. I’m willing to bet you got denied the first time you applied for a credit card. This is simply because in the eyes of the Credit bureau, you don’t “exist”. By telling them your accurate or synthetic information, both done in very similar ways, you now “exist,” in their eyes.
The next step is to apply for a credit card. Using your new social security number plus some fake information like date of birth, address, etc. you will be denied. In truth, it’s not an outright denial. You will receive a secured card, limited and capped, set on helping build credit while mitigating issuer risk. Regularly use and pay these secured cards. Since bureaus aren't updating very frequently it may be about a year of payments before you have a credit score.
You’ve made it this far and now have a new credit score. Utilizing your new credit score, you can start small, personal loans and actual credit cards. The focus here is to keep building and improving your credit score.After about a year, your updated credit score will likely be 650+.
Voilà. You can now secure somewhere in the range of $40-$100k in loans and credit cards.
Synthetic identities are tough to catch. Because you aren't stealing an in use identity, it can take a significant amount of time for anyone to realize their data is being misused if they ever do. By building up a credit profile with this synthetic identity, you look like a real person in these major databases. That is why there is only so much fraud that a backend tool can catch.
At Footprint, we combine behavioral fraud signals with a machine learning model trained on hundreds of thousands of internal labels to stop synthetic identity fraud at the time of onboarding.