To snare a menace

Identity theft attracts fraudsters because they can steal significant amounts with extreme anonymity, and victims and law enforcement can seldom pursue them. However, the authors describe an investigation that yielded the arrest and prosecution of a fraudster who used "synthetic identity theft" and other crimes to steal millions. Learn about their practical methods and a stunning twist.

Our client first knew he had a problem when a department store called him about issuing a credit card he hadn't requested. He thought he might be a victim of identity fraud, but it was a bit more complicated. In the beginning, he was the target of a traditional identity theft. However, the fraudster would soon create multiple synthetic persons to mask his criminal activity and hijack our client's credit history.

The victim (we'll call him Sam) — the son of a high net-worth individual — first asked one of his employees, a CPA who worked for one of his father's companies (whom we'll call Sally), to determine what had occurred.

Sam and Sally quickly learned that the identity theft had extended far beyond the department store. For a short time, Sally — who didn't have any investigative experience — attempted to identify and control via credit reporting agencies the fraudster's numerous successful attempts to open credit card accounts, bank accounts or merchant lines of credit in Sam's name throughout the U.S. However, Sally always seemed to be a step behind the fraudster's actions. So, Sam came to our firm to identify the fraudster and build a case for presentation to either a federal or local prosecutor. (In this article, we disguise or conceal dates, locations, financial institutions and other vendors because the facts are part of active criminal investigations or prosecutions.)

'I am who I am!'

Most of our identity theft clients are extremely frustrated because they're struggling to prove they are who they say they are to credit bureaus, banks, credit card companies and others. We tell them that they might never discover who actually stole their identities or the point of compromise, which is where and how fraudsters are able to steal personal identifiers. Furthermore, the authorities probably won't have the resources to investigate and prosecute. For the same reasons, most of the time our clients don't pursue the fraudsters who've stolen their identities. But this fraudster picked the wrong victim. Sam had the financial means and the will to hunt the fraudster down and refer the activity for prosecution.

In our first phone call with Sam and Sally we began to work on identifying the point of compromise, and we explained the realities of investigating identity theft.

We suggested Sam place fraud alerts with the credit bureaus, obtain credit reports from all three reporting agencies and review them for suspicious activity, such as unfamiliar inquiries, new credit card openings and collection activity. Sally had already begun most of these steps.

Because all the fraudster's attempts were in Sam's name, Sam had the right to see the completed applications and other documents the fraudsters used to open bank and credit card accounts. So, we asked for Sam's permission — client authorization or CA — for certain employees of our firm to act on his behalf to receive documents and materials from financial institutions and other entities where the thief had tried to defraud Sam. (Through the years, we've found that obtaining CAs is a powerful way to encourage banks, credit card companies and other merchants to cooperate in identity theft cases.)

The banks and merchants then produced loan applications, customer-service recordings with source telephone numbers, IP addresses, and photographs or videos of the fraudster. We also used the CA to retrieve mail from three virtual offices throughout the U.S. that the fraudster used to receive mail addressed to our client. This action denied the fraudster access to the credit cards and other documents he'd hoped to use to generate cash or merchandise.

Ultimately, we learned the fraudster — who worked for a company that reviewed apartment purchase applications — had stolen Sam's identity from Sam's application. In total, the fraudster would make about 80 fraud attempts using Sam's stolen identity of which approximately half were successful. The fraudster brazenly allowed himself to be photographed many times — more than any other identity thief we'd investigated. We suspect this experienced fraudster knew, as we've discovered in other cases, that banks and merchants probably wouldn't have photographs and videos of him to provide to law enforcement because of their limited capacity to store them.

The quick combined responses of Sam, Sally and our firm prevented the fraudster from successfully obtaining significant cash or merchandise while generating direct evidence that federal authorities would use in their prosecution for aggravated identity theft.

A stunning twist

As we began to follow the leads gleaned from the vast amount of documents and material that the CA had generated, it became obvious that the fraudster seemed to abandon his previously successful avenues. For example, he failed to retrieve — or send someone to retrieve — the mail that contained credit cards in Sam's name, which were delivered to the virtual offices. This seemed odd and inconsistent with our experience because our investigation had remained covert — or so we thought.

When Sally, Sam's employee, had attempted to place a fraud alert with a credit reporting agency, the agency told her and Sam that the fraud alert was unnecessary because Sam's account was already "locked." The agency explained that Sam had placed the lock because he'd purchased its protection plan — a credit-monitoring service — for $19.95 per month. Of course, the fraudster had purchased the protection plan as part of his scheme. We realized that the fraudster had hijacked Sam's credit file with this particular agency, so we focused our investigative efforts on analyzing the leads in this credit file.

We learned that the fraudster had used a photocopy of a counterfeit Ohio driver's license — in the name of our client — as "official government identification" and a stolen credit card to purchase the monitoring service.

After the fraudster gained control of Sam's credit file, he changed the date of birth linked to the account, which gave the fraudster total access to the account and effectively blocked Sam's access to his own credit file — whether the file was locked or unlocked.

The fraudster changed Sam's telephone number and address so now the agency would call or write the fraudster whenever it detected any "unusual activity." Thus, the fraudster had an open window into Sam's and Sally's efforts and our investigation almost from the beginning; the credit-reporting agency opened that window by failing to verify whether the Ohio license was legitimate and allowing fundamental changes to personal identifiers. As a result, the fraudster prevented us from seeing his real-time activities. For example, the fraudster could unlock the credit history just before filing a fraudulent loan application so merchants could access his credit history, then lock the account and await responses from those merchants and financial institutions.

The agency should've considered the birth-date change as a red flag, and it should've checked the validity of the driver's license or at least realized that Sam's actual history in its file didn't link Sam to any address in Ohio.

Synthetic persons, identification and eventual prosecution

During the investigation, we learned that the fraudster continued to victimize Sam by creating synthetic persons — defined by law enforcement as combining a real Social Security number (Sam's) with a different date of birth, and a fictitious name and address. (See U.S. postal inspector discusses synthetic identity theft.)

The combinations, of course, are endless. Regardless, the newly created identities impede detection. Although criminals began creating synthetic identities to commit fraud in the late 1990s and early 2000s, only recently have authorities begun prosecuting those they've alleged to be synthetic identity fraudsters.

Ultimately, we were able to identify the fraudster's given name (and numerous synthetic persons with multiple addresses, which the fraudster created) by comparing Sam's actual addresses with those listed in credit reports and with fraudulent information on applications the fraudster submitted to credit card companies, retail merchants and banks. We then were able to link the fraudster to other victims and crimes, which amounted to millions of dollars in losses.

We connected the fraudster to the theft of $2 million from a hedge fund, fraudulent student loan applications and fraudulent receipt of veterans' benefits, among other crimes. We referred all the frauds to the U.S. Postal Inspection Service, which presented the case to the local U.S. attorney's office.

The solid cooperation of Sally — our client's employee — and the helpful relationships with the postal inspectors and federal prosecutors in multiple jurisdictions led to the recent multi-count indictment of the fraudster, who faces significant mandatory jail time.

Other enablers for the fraudster

Though our focus has been on the glaring deficiencies with a credit reporting agency's protection and monitoring service, our investigation discovered additional enablers.

Virtual offices

The nationally known chain operating the three virtual offices the fraudster used throughout the U.S. to receive mail provided its services to him without requiring his complete application or two supporting pieces of identification, which the U.S. Postal Service (USPS) requires for all Commercial Mail Receiving Agencies (CMRA).

Before CMRAs begin to receive mail on behalf of third parties these customers must submit to them the completed USPS Form 1583, "Application for Delivery of Mail Through Agent" with two forms of personal identification plus their photographs.

As we noted above, the fraudster used virtual offices to receive fraudulent credit and debit cards without fear of identification. Once the fraudster realized that we'd located and obtained his mail from these virtual offices, he changed his address directly with financial institutions and merchants rather than filing a change of address form with the USPS or the virtual office. This method of redirecting documents kept the fraudster informed about our investigative progress, while he continued to receive mail in Sam's name and other victims.

Name changes

The fraudster legally changed his name twice in one year — to become different synthetic persons — in local courts in the state of Washington. We couldn't determine what he used as identification to complete these name changes, but it was probably counterfeit identification documents that supported his residence, which the state didn't verify.

IRS PIN and hack

During the investigation, Sally became concerned about the impending tax-filing season. Our experience included numerous instances of fraudsters filing false tax returns before the victims filed their actual returns. When this happens, the U.S. Internal Revenue Service (IRS) reports to the taxpayer that a return has already been filed and the refund issued. Normally, victims will provide proof that their identities were stolen and spend the next year trying to get the IRS to pay them their refunds. The IRS provides identity theft victims with PIN numbers to be used when filing future returns.

The IRS declined to provide Sam with a PIN because it couldn't verify his identity through the credit-reporting agency. Of course, we had our conversations with the IRS before we learned that the fraudster had hijacked our client's credit file. Instead of engaging in the time-consuming and awkward process of obtaining a PIN from the IRS, we recommended the client file his 2015 tax return on the earliest possible date that the return would be accepted by the IRS, which was Jan. 19, 2016. So, at a minute past midnight on that date Sally electronically filed Sam's tax return.

In February, the IRS reported that hackers had obtained more than 700,000 PINs that had been issued to identity theft victims. (See Cyber hack got access to over 700,000 IRS accounts, by Kevin McCoy, USA TODAY, Feb. 26, 2016.)

Victims shouldn't carry the burden

We rely upon global institutions that are entrusted with our personal and financial information — and therefore, our identities — to construct robust protocols and controls to protect us. However, they often fail to do this. These entities must develop systems to protect consumers from identity thieves and be vigilant about maintaining them. They need to abide by policies commonly referred to as "know your customer" and "know your vendor" to prevent fraud.

We recommend establishing authentication systems similar to passport applications processes that require mandatory verified government-issued identification before individuals can access credit files or obtain credit protection plans. We believe most consumers would agree that the temporary inconveniences would be worth it if they could have safeguards that would reduce the chances of becoming identity theft victims.

Regardless, all of us share some of the responsibility for protecting ourselves. We must vigilantly check our credit reports, credit card statements and bank transactions for unfamiliar or suspicious activity and shred documents with sensitive PII.

Any of us can become victims of identity fraud, including synthetic-person theft. But it's unacceptable that victims always seem to carry the burden of proving to credit bureaus, financial institutions, and the IRS or other nations' tax agencies that their identities have been compromised.

You shouldn't have to be wealthy, have an attorney on retainer or spend countless hours trying to fix what a criminal has done to you to get your identity back.

For more, see the sidebar, "Immense identity fraud problem."

Anthony P. Valenti, CFE is managing director of Stroz Friedberg LLC in New York. His email address is: AValenti@StrozFriedberg.com

Stephen G. Korinko, CFE, CPP, is vice president of Stroz Friedberg LLC in New York. His email address is: SKorinko@StrozFriedberg.com.

U.S. postal inspector discusses synthetic identity theft

Fraud Magazine recently interviewed Philip Bartlett, inspector in charge, New York Division, U.S. Postal Inspection, about synthetic identity theft.

FM: How prevalent is synthetic ID theft in the U.S.? 
       PB: Synthetic ID theft is alive and well in the United States. It’s difficult to determine actual fraud losses associated with this type of fraud because credit issuers very often do not properly classify losses as fraud rather they are sent to the collections department for resolution.

FM: When did you see your first case of synthetic ID theft and what did it involve? 
       PB: I first learned about this crime in 2001. I assisted on a case involving Pakistani nationals who fraudulently established several synthetic identity credit files. Once established, the credit scores were increased over time and the credit cards were eventually “busted out” at local Pakistani-run businesses in Virginia.

FM: Is there a predominant type of synthetic ID theft or is it all over the map? 
       PB: It’s really all over the map. However we have noted an increase in the use of legitimate Social Security numbers [SSNs] in recent years. Many of the legitimate SSNs are obtained through data breaches and sold to fraudsters through online forums. Fraudsters always pair the SSN with a name not associated with the number. This is what differentiates synthetic identity theft from traditional ID theft.

FM: Apparently, synthetic identity fraudsters often will target children’s SSNs because they’re inactive and will generally remain unchecked up to 18 years. Is that what you’ve seen?
       PB: We have seen several cases where children’s SSNs were used in synthetic ID theft schemes. The misuse of the Social Security number often goes undetected for many years making this a great way for fraudsters to conceal the crime.

A colleague recently shared with me that his daughter had her SSN misused in a synthetic ID theft scheme more than 15 years ago. While at college last year she attempted to establish utility, phone and cable services. Much to her surprise, her applications were denied due to a poor credit history.

A suggested prevention method to protect the misuse of a child’s SSN is to establish a consumer credit file using the child’s personally identifiable information and adding them on to an existing credit card account as an “authorized user.” A consumer credit file will be established with the consumer-reporting agencies [CRAs] once the trade line has been downloaded from this account. Let the child’s consumer credit file mature for a month or so and then freeze the child’s credit file. The rules vary from state to state but in New York you can freeze the credit file for free the first time. A security freeze prohibits the CRAs from releasing the child’s consumer credit report or any information from it without express authorization of the consumer. A Google search will provide links to sites with information on how to freeze a consumer credit file in a specific state.

FM: Can you briefly describe how synthetic identity fraudsters create a synthetic identity and build a credit profile? 
       PB: The scheme is fairly simple. Synthetic identities are usually established in one of two ways. The fraudster applies for credit using a name, Social Security number — real or bogus — and date of birth. The credit issuer queries one of the credit reporting agencies [CRAs] in an effort to determine the risk through the credit history and credit score. Through this inquiry, a new credit file is established using the name, SSN, date of birth and address on the application. Over time, the fraudsters initiate a number of techniques to increase the credit score. Another way to establish a synthetic identity credit file is by adding the synthetic identity to an existing credit card account as an “authorized user.” The synthetic identity can be removed as an authorized user after the trade line has been downloaded. This usually takes less than 10 days. As a result, a new synthetic identity credit file is established with the CRAs with an associated favorable credit score.

FM: How does the data-furnishing method work for creating synthetic ID’s? 
       PB: This method is not as prevalent today as it was before the recession — 2007-2009. Through this method fraudsters use existing businesses or establish new small businesses that extend credit to customers such as furniture stores, used car dealerships, etc. A line of credit is extended to the person associated with the synthetic identity. The credit history and related credit score associated with the synthetic identity is bolstered when the business reports regular on-time monthly payments made on the account.

Here are some proposed methods to mitigate risks associated with this crime:

1. Increased due diligence on behalf of credit issuers. If the CRAs report there is no credit history associated with a credit file then the application for credit should be denied. The industry has done a pretty good job over the past few years by building into their decision-making models some innovative risk assessment tools.
2. I think the best way to have a significant impact on this crime is to legislatively mandate the Social Security Administration (SSA) to allow credit-reporting agencies to query the SSA to determine if a Social Security number is legitimate, and if so, is it associated with the name provided to the CRAs? For example, was SSN XXX-XX-XXXX issued to Philip Bartlett? The SSA would respond with either a yes or no answer. If the CRA receives a negative response, the CRA would not establish a new credit file. This method should also be used to identify and purge existing bogus consumer credit files established through synthetic identity theft schemes.

Immense identity fraud problem

In September 2015, the U.S. Department of Justice, Office of Justice Programs, Bureau of Justice Statistics (BJS), reported more than 17 million victims of identity theft with estimated out-of-pocket losses of approximately $15.4 billion in 2014, which is the latest year statistics are available. (See Victims of Identity Theft, 2014, by Erika Harrell, Ph.D., BJS statistician.)

Losses shown in the report don’t appear to include reimbursements paid by banks, credit card companies or merchants. And the BJS statistics don’t reflect losses of the Internal Revenue Service from false filings for refunds. (See the report’s summary.)

For the past few years, fraudsters have evolved their activities from traditional identity thefts to creating synthetic persons to accomplish fraud. In fact, in 2014, InformationWeek reported that use of synthetic persons accounts for 80 percent of all credit card losses and nearly 20 percent of credit card charge-offs. (See Synthetic Identity Fraud: A Fast Growing Category, by Erica Chickowski, InformationWeek, Oct. 21, 2014.)

The BJS statistics don’t reflect either the emotional toll on victims or the second-hand suffering of their family members, co-workers and friends. In our experience, victims spend years attempting to recover from these crimes and often are continuously re-victimized as their personally identifiable information is circulated among criminals.

Every indication shows that identify theft will only continue to rise. One report states that in 2015 the number of identity fraud victims was at its second-highest level in six years and cost $112 billion. (See 2016 Identity Fraud: Fraud Hit an Inflection Point, February 2, by Al Pascual, Kyle Marchini and Sarah Miller, Javelin.)

According to the media, local law enforcement is reporting that criminal gangs are stealing identities to generate cash, especially through fraudulent tax refunds because it’s more lucrative than other types of crime with almost zero chance of arrest or punishment. (See More Street Gangs Turn to Financial Crimes, by Nicole Hong, The Wall Street Journal, March 7; Bloods-linked gang members charged with running $414G identity-theft ring, by John Annese and Shayna Jacobs, April 27; and Identity Theft Resource Center, Aug. 18, 2015.)

— Anthony P. Valenti and Stephen G. Korinko