Revamp controls now to battle burgeoning synthetic ID fraud

Last year, CNBC reported that Indiana-based Notre Dame Federal Credit Union had been saddled with a $200,000 credit loss. The borrowers in question had met the qualifications for loan approval, but what the institution later discovered — after the loan payments stopped — was that the borrowers weren’t real people and didn’t exist at all. They were synthetic identities created by fraudsters. (See Criminals are using ‘Frankenstein identities’ to steal from banks and credit unions, by Kate Rooney, CNBC, Jan. 16, 2020.)

Since then, many more financial institutions and unsuspecting citizens have been the victims of insidious synthetic identity (SI) fraud. As people’s lives become increasingly online, mobile and detached from each other, authenticating a person’s identity is becoming increasingly challenging. Synthetic identity fraudsters are aggressively and successfully taking advantage of this difficulty, so it’s critical that fraud fighters and risk management personnel help their organizations understand just how vulnerable they may be.

Collecting pieces of personally identifiable information

Organizations aren’t consistent in how they categorize SI fraud, so its magnitude is difficult to pin down. However, experts agree that SI is the fastest-growing type of financial crime, with losses in the billions of dollars annually. (See Synthetic identities: getting real with customers, Experian, Oct. 26, 2017.)

Experian says that annual SI fraud charge-offs in the U.S. alone could be as high as $11 billion. (See Synthetic Identity Fraud Update: Effects of COVID-19 and a Potential Cure from Experian, by Steven D’Alfonso, IDC, Sept. 15, 2020.)

SI fraud is subtly different from identity theft. In an identity theft paradigm, fraudsters steal victims’ personally identifiable information (PII), such as Social Security numbers, dates of birth, addresses, etc., and use it to make purchases, apply for credit or for some other type of gain. Often, the criminals look to capitalize quickly before victims are aware of the problem, though some identity theft cases can endure for years.

However, synthetic-identity crooks don’t steal whole identities. They create Frankenstein monsters by collecting pieces of real PII from multiple people — often from children, the elderly or other vulnerable groups — and stitching the pieces together to create fake identities with fabricated names.

The fraudsters then proceed to cultivate synthetic identities, as if they were actual persons, by purchasing items online. They also use SIs to apply for credit and loans online. The applications, even if companies deny them, establish the SIs as actual persons in credit systems.

Criminals who cultivate SIs have demonstrated that they’ll go to great lengths to perpetuate their lies and stay a step ahead of fraud controls. For example, an SI’s phone number might be linked with a device a fraudster owns, so if an unsuspecting creditor calls the number, they’ll reach a human being (or a seemingly real message box).

Criminals often will use the credit cards they’ve obtained for the SIs to make small purchases — and pay the bills on time over many months or years — to increase the SIs’ credit ratings and limits so that they are as high as possible before ultimately cashing out. The cash outs, or “bust outs,” leverage SIs’ credit for the largest purchases and/or loans possible. The SIs then disappear.

Criminals often maximize profits by cultivating multiple SIs at one time. (See the FedPayments Improvement webinar, Synthetic Identity Fraud Mitigation: One Approach Does Not Fit All, The Federal Reserve, Aug. 5, 2020.) They might also try to create synthetic business identities, which presumably have access to greater amounts of credit than individuals.

Landscape of opportunity

Multiple factors have led to burgeoning SI fraud. Because of numerous data breaches, fraudsters can buy valuable PII of millions of real people from anywhere in the world via the dark web.

Also, higher payouts give criminals the greatest bang for their buck. As a rule, the longer a fraud perpetuation, the greater the financial losses to victims. SI fraudsters have greater control over synthesized identities so they can spend more time, with less risk, in cultivating their awful deeds. Indeed, SI fraud averages higher losses per case than an average identity fraud scheme. (See “Synthetic Identity Fraud Mitigation: One Approach Does Not Fit All.”)

Meanwhile, many organizations aren’t yet unified in their detection and classification methods of SI fraud, so they might believe their identity fraud controls are sufficient. But they’re probably greatly exposed to SI fraud.

Also, several factors attributable to the COVID-19 pandemic have made circumstances more favorable for those looking to commit SI fraud. (See “Synthetic Identity Fraud Update: Effects of COVID-19 and a Potential Cure from Experian.”) Here are a few examples:

• Weak economic conditions have intensified competition among financial institutions while mobile/digital banking and lending continue to proliferate.
• Many individuals have been applying all at once for unemployment benefits for the first time. SI fraudsters are targeting these benefits.
• Amid lockdowns, stay-at-home orders, mandated face coverings, etc., businesses have had to rethink their control processes and requirements for verifying customer IDs.

With so many factors playing into criminals’ hands, organizations must collaborate with each other to step up their efforts to combat SI fraud.

Fighting back with AI and machine learning

Artificial intelligence (AI) and machine-learning applications hold some promise in the fight against SI fraud and enjoy several advantages over traditional anti-fraud controls.

Criminals can bypass traditional automated controls that are rule-based (i.e. pass/fail based on defined characteristics or thresholds) if they understand those rules and devise ways to work around or fool these controls.

At the same time, these types of controls force organizations to judge how tight or loose to set them based on how many red flags they can reasonably follow up on and their desire to avoid alienating legitimate customers.

By its nature, AI takes a different approach; it applies algorithms to vast amounts of data to assign probability as compared to making rule-based decisions. Therefore, an AI application that can assign a likelihood of fraudulence of identities — based on a wide range of factors — would enable organizations, regardless of their resources, to focus their follow-up efforts on the identities that are most likely synthetic.

However, the capability of AI technology is highly dependent on the quality of data it has access to. Therefore, collaboration among entities in the public and private sectors is critical to combatting SI fraud. To this end, for example, the 2018 U.S. Economic Growth, Regulatory Relief, and Consumer Protection Act directed the Social Security Administration to develop a database to facilitate digital verification of consumer information by certified financial institutions. (See “Synthetic Identity Fraud Update: Effects of COVID-19 and a Potential Cure from Experian.”)

At a time when an organization’s data is one of its greatest assets, it’s understandable that companies might be reluctant to share — particularly in competitive spaces. But just like residential neighbors who impart information to each other to stop criminals, organizations will need to weigh the risks of what and how much to share with their industry neighbors to fight SI fraud. Fraud examiners, internal auditors, security experts and risk management professionals can help their organizations weigh those risks. They can help their organizations understand SI fraud’s unique threats and assess the adequacy of existing controls so leadership can make sound, risk-based judgments.

Prevent Frankenstein IDs

Organizations rely on the integrity of their customers’ identities. But criminals who exploit organizations’ lack of awareness about the specifics of SI fraud are destroying those identities, and inflicting billions of dollars of consumer loan and credit card charge-offs on financial institutions.

Therefore, organizations must include discussions of SI fraud when reevaluating their anti-fraud controls. Growing awareness is the first step toward closing the door on these damaging crimes. Stop the new Frankenstein monsters now.

Kevin M. Alvero, CFE, is senior vice president, internal audit, for Nielson. Contact him at kevin.alvero@nielsen.com.