The fastest growing financial crime threat to organizations today isn’t real — it’s synthetic. Instead of stealing existing identities, criminals invent them by stitching together real and fake data into a Frankenstein’s monster of a consumer capable of passing know-your-customer (KYC) checks, building credit and maxing out credit cards with no intention of paying off the debts.
According to LexisNexis’ 2026 Cybercrime Report, synthetic identities were used in one in 10 fraud cases globally — an eightfold increase from other years. The report, drawn from more than 116 billion transactions processed in 2025, estimates that global losses to synthetic ID theft are around $20 billion to $40 billion annually, making it one of the costliest fraud threats. Nearly half of U.S. organizations rank synthetic identity fraud as their top-tracked fraud type. In the Asia-Pacific region, synthetic personal data attacks surged 142% year over year.
A particularly troubling aspect is that criminal organizations and nation-states are often behind synthetic identity creation, and they’ve turned it into an industrial-scale business. North Korea uses synthetic identities as a revenue pipeline to fund its weapons program. Hackers working on behalf of the rogue regime scrape photos from social media, generate deepfake headshots through face-swapping tools and produce counterfeit passports. They build fraudulent identities using stolen personal information and forged documents, then secure remote positions at companies around the world; salaries go back to the North Korean government
Fraudsters exploit structural gaps, such as opaque credit bureau records, credit privacy numbers (CPNs) and limited access to verification systems like the Social Security Administration’s Electronic Consent-Based Social Security Number Verification (eCBSV) service, to perpetrate the scheme. And now, with emerging technologies like generative artificial intelligence (GenAI), fraudsters can accelerate synthetic identity creation.
In this article, we present a blueprint for turning system vulnerabilities into defensive measures by reforming credit reporting, expanding eCBSV access and learning from jurisdictions that have mastered digital identity protection. We also detail how the underground economy of credit privacy numbers and fraudulent credit repair companies are a major source of synthetic identity theft.
In the U.S., lenders face more than $3.3 billion in direct exposure to synthetic identities tied to new accounts — an all-time high and a 7% increase from 2024. But the threat goes beyond any single market, and credit card issuers and auto lenders are especially vulnerable. U.S. credit bureau TransUnion found that synthetic identities now account for more than 1% of all credit card application inquiries. Individual synthetic identity fraud attacks cost auto lenders an average of more than $15,000 in charge-offs. An Equifax study of top credit card issuers found that 500,000 accounts had been flagged as potential synthetic identities in a single year.
Overall identity fraud losses — including traditional identity theft — reached $27.2 billion in 2024, with synthetic identity fraud comprising a substantial and growing share of that total. What makes synthetic fraud particularly insidious is its long incubation period. Unlike traditional account takeover fraud, which can take days or weeks to detect, synthetic identities can remain dormant for months or years, quietly building credit before maxing out the account. In the meantime, companies categorize losses as bad debt instead of fraud, masking the scope of the problem.
The trajectory is equally concerning. Global financial fraud losses are projected to surge 153%, from $23 billion in 2025 to $58.3 billion by 2030 — a staggering figure driven primarily by the evolution of synthetic identity techniques, especially as organized fraud networks use AI to create synthetic identities and interact with verification systems in real time.
Organizations now face a stark choice: Invest in reforms to prevent synthetic identities from entering the system or absorb tens of billions of dollars in losses as fraudsters exploit vulnerabilities in systems not designed to detect fabricated identities. The reforms we outline in this article aren’t just a defensive strategy — they’re an economic imperative for organizations.
In the U.S., there’s a shadow economy playing a significant role in the growth of synthetic identity theft: credit privacy numbers (CPN). These numbers are formatted like U.S. Social Security numbers, with nine digits, and unscrupulous credit-repair companies issue them to people in debt. But they’re not a replacement for government-issued identification numbers because they’re a scam.
CPN scams first started appearing in the late 1990s as credit repair companies, looking to generate income, preyed upon consumers’ desperation to hide bad credit. The U.S. Federal Reserve has tracked CPN activity for more than 20 years. [See “A timeline of CPN fraud” at the end of this article.]
What started with small-time credit repair specialists selling stolen government-identification numbers for $75 has transformed into an automated, AI-assisted fraud pipeline. Today, turnkey fraud-as-a-service packages sold openly on social media platforms, websites and encrypted messaging channels like Telegram include prefunded bank accounts using synthetic identities and seeded with funds or credit to appear legitimate for as little as $1,225.
These credit repair companies could be making hundreds of millions of dollars selling stolen identities. One prominent seller online advertises “legal” CPNs for $79 to $200, claiming to have served more than 1 million clients in the last 16 years. That’s just one seller in an industry with tens and thousands of companies, promising consumers a quick way to get auto loans, credit cards, rentals and mortgages.
Browse Instagram today and you’ll find thousands of ads promoting CPNs and credit washing services. On TikTok, a viral video of a woman using a CPN to rent a home spawned a wave of imitators. On Telegram, where CPN-related conversations have surged 300% since June 2024, sellers offer everything from basic CPN numbers, from CPN generation software — automation tools that generate randomized nine-digit numbers mimicking Social Security numbers, match them against stolen identity data and build complete synthetic profiles ready for use on credit applications — to zombie debt reassignment services. These services transfer old, expired or already-settled debts onto synthetic identities, artificially aging the credit profile so that the fabricated person has an established financial history.
A SentiLink investigation in early 2025 found 10 CPN websites and 10 Facebook groups actively selling packages, with tiered pricing from $180 for starter packages to $3,500 for premium bundles projecting credit scores above 780.
The spread of CPN sales on social media is one thing, but AI has the power to dramatically increase the scale of synthetic identity theft.
In January 2025, a software tool called CPN Wizard appeared on Telegram. It promised something that wouldn’t have been possible a few years ago — fully automated synthetic identity creation. For $250 a month or $500 for 90 days, anyone can generate unlimited synthetic identities by clicking a single button.
Equally important is closing the “on ramp” that allows synthetic identities to enter the credit system. Synthetic identity theft often starts small, like opening a prepaid phone account, retail card account or a buy-now-pay-later line where verification standards are weakest. Requiring enhanced verification, even for small credit limits, could break the life cycle of synthetic identity theft schemes.
Credit bureaus must collaborate. Today, a synthetic profile flagged at one bureau may appear “legitimate” at another. A shared alert system governed by privacy and audit standards could mirror how financial institutions exchange suspicious activity reports (SAR), without exposing consumer data. These reforms could transform credit bureaus from passive data repositories to active fraud-prevention partners, creating a credit ecosystem where synthetic identities can’t take root, let alone thrive.
The second part of our blueprint targets the supply side of synthetic identities by cutting off access to false credentials that enable synthetic identity creation. CPNs are often marketed as legal alternatives to government identification numbers for those with poor credit or privacy concerns. However, no legitimate basis exists for using a CPN in place of a government-issued identification on credit applications — it’s false representation. And enforcement is rare, which allows CPNs to become the scaffolding upon which many synthetic identities are built.
Current statutes in the U.S., such as the Fair Credit Reporting Act (FCRA) and the Identity Theft and Assumption Deterrence Act (ITADA), were enacted before CPNs emerged as a widespread fraud tool. Updating these statutes to define and criminalize the creation, sale and use of CPNs could close a gap that fraudsters have exploited for years. Legal ambiguity, combined with a lack of coordination between federal agencies, allows fraudulent CPN sellers to operate unchecked.
While the laws we describe here are U.S.-based, underlying vulnerabilities, such as outdated identity laws and fragmented enforcement, are a global problem.
Jurisdictions should consider updating laws and regulations related to identity and data protection. For example, in the U.S., Congress could amend the FCRA’s criminal penalties provision to explicitly address CPNs. Currently, Section 619 criminalizes obtaining consumer information “under false pretenses.” A new subsection (b) could state: “Any person who knowingly furnishes to a consumer reporting agency, creditor, or other person a Credit Privacy Number, fabricated Social Security number, or other false identifier in place of a valid Social Security number for the purpose of establishing credit or evading accurate credit reporting shall be fined under title 18, United States Code, imprisoned for not more than five years, or both.”
This section of the law already covers fraudulent conduct in the credit reporting system. Adding CPN prohibition to this creates criminal liability without disrupting the structure of the law.
Alternatively, Congress could amend 15 U.S.C. § 1681s-2 (FCRA Section 623), which governs lender responsibilities. A new subsection (a)(9) could state: “No person shall furnish to a consumer reporting agency any information using a Credit Privacy Number, fabricated Social Security number, or any identifier other than the Social Security number issued by the Social Security Administration to the consumer. Any person who knowingly violates this subsection shall be liable for damages under section 1681n or 1681o, and subject to administrative enforcement under section 1681s.”
This approach treats CPN use as a violation of the legal obligations that lenders and other data providers have when reporting account information to credit bureaus, enabling both civil enforcement by consumers and administrative action by government agencies. This section of the law is a natural home for obligations about what information can be reported to credit bureaus, making CPN prohibition a clearcut compliance requirement rather than a criminal matter only.
Amending or expanding laws like the Telemarketing Sales Rule and Credit Repair Organizations Act to explicitly prohibit deceptive marketing of CPNs and related services will empower agencies to prosecute deceptive marketing.
The Credit Repair Organizations Act (CROA) already prohibits credit repair companies from requesting payment before services are rendered and requires disclosures, but it doesn’t explicitly address CPN schemes. A targeted amendment could add language clarifying that offering, selling or marketing CPNs as legitimate credit-building tools constitutes a deceptive practice subject to civil penalties under 15 U.S.C. § 16793.
Require credit bureaus and lenders to flag applications indicating CPN use, such as a government-issued ID with no prior credit history paired with a fully formed identity, or an ID number that doesn’t match the applicant’s name or date of birth in government records for authorities or a designated repository, for pattern detection. This would be akin to existing suspicious activity reporting (SAR) frameworks used for anti-money laundering compliance.
In the U.S., financial institutions are required to report suspicious transactions to the Financial Crimes Enforcement Network (FinCEN); extending this obligation to include account applications that appear to be using fabricated identification to apply for loans, credit cards or other financial products could encourage creation of a centralized intelligence database.
Beyond policy, public education is critical. Governments and regulators should clarify that CPNs aren’t legitimate substitutes for government-issued IDs, while social platforms and payment processors should remove advertisements for CPNs. Together, these reforms could go a long way to dismantling the CPN ecosystem at its source — drying up both supply and demand — and establishing a precedent for proactive, cross-agency coordination that can be applied to emerging and evolving fraud schemes.
In Canada, for example, Sections 402.1 and 402.2 of the Criminal Code address identity fraud and the trafficking of identity information, but — like their U.S. counterparts — these provisions were drafted before synthetic identity fraud and CPN-style schemes became widespread. The Canadian Lenders Association has noted that only about 33% of newly created credit files in Canada contain a Social Insurance Number, down from near-universal coverage before 2000, creating a significant identity assurance gap that organized fraud rings are actively exploiting. Similarly, the U.K.’s Fraud Act 2006 and the EU’s revised eIDAS regulation provide frameworks for identity verification and fraud prosecution, but may require updates to address the specific mechanics of fabricated identity documents and credit profile manipulation. Anti-fraud professionals operating in any jurisdiction should assess whether their local identity theft and credit reporting statutes explicitly cover the creation and sale of fabricated identity numbers — and if they don’t, advocate for targeted amendments.
The third part of our blueprint shifts focus from detection to prevention, ensuring that institutions verify identity credentials before synthetic profiles ever gain a foothold. A system to confirm that identity details match government records in real time, such as the Electronic Consent-Based Social Security Number Verification (eCBSV), could, in theory, be a powerful defense; however, in practice, access to these systems is limited and restricted to large, regulated institutions.
Fintechs, credit unions and small, regional banks — often the first organizations to encounter synthetic applicants — are excluded from this system, largely because the U.S. Social Security Administration (SSA) restricts eCBSV access to federally regulated financial institutions, and the cost and technical requirements to implement them are expensive. Moreover, eCBSV requires signed consumer consent for each query, something synthetic identities can’t provide. Any change to consent rules must balance fraud prevention with privacy protection and consumer consent laws. Exceptions should be carefully crafted, such as allowing lenders to verify an identity without the consumer’s consent if specific fraud indicators are present.
The following reforms require government action, but they could make systems such as eCBSV accessible and scalable for smaller organizations.
Broader eCBSV access for smaller lenders could help prevent synthetic identities from ever entering the credit ecosystem. With these reforms in place, financial organizations don’t have to play defense by chasing synthetic identities after they’ve already caused damage. Instead, organizations can block fraudulent credentials when they receive an application and create a hostile environment for identity fabrication schemes before they can spread.
The last part of our blueprint is about implementing structural solutions to combat synthetic IDs by adopting a verified digital identity infrastructure that makes synthetic fraud architecturally impossible. The European Union’s (EU) Electronic Identification, Authentication and Trust Services (eIDAS) regulation provides inspiration.
The eIDAS framework demonstrates what system-wide prevention can achieve. Under eIDAS, every EU citizen can obtain a government-verified digital identity (eID) that links directly to official registries. Financial institutions can authenticate these credentials in real time, eliminating the anonymity that synthetic identities exploit.
A 2019 U.S. Federal Reserve analysis found that synthetic identity fraud has disproportionately affected the U.S., largely because the U.S identity system relies on static personally identifiable information (PII) like Social Security numbers. Credit bureaus automatically generate new profiles when they receive a first-time inquiry — even if rejected — effectively handing fraudsters a “proof of existence” just for applying.
But the landscape has shifted considerably since the Fed’s 2019 assessment. Synthetic identity fraud is no longer unique to the U.S. Rapid growth in digital lending, financial services apps on mobile phones and people with limited credit histories in many regions, have created fertile ground for synthetic fraud schemes globally. Vulnerabilities rooted in the U.S.’s credit infrastructure can now be found in other systems where digital identity verification hasn’t kept pace with financial product access.
The U.S. still relies on a fragmented patchwork of Social Security numbers, and other government-issued IDs like drivers’ licenses and passports not designed for digital verification. For example, the Social Security number, created in 1936 to track retirement benefits, was never intended as a universal identifier. When the Social Security Administration randomized identification number assignments in 2011, it inadvertently made synthetic fraud easier by eliminating geographic validation checks that previously helped detect fabricated numbers.
Having a nationwide digital identity framework, akin to eIDAS, could change that. Verified credentials could be stored in privacy-preserving digital wallets and provide real-time authentication without sharing unnecessary data. It could also provide a portable, privacy-protected way to prove identity.
Synthetic identity fraud has evolved from a niche problem into a multibillion-dollar crisis that threatens the integrity of global credit systems. We’ve outlined a high-level action plan to transform credit bureaus from passive data repositories into active fraud-prevention partners through transparency and collaboration, but fraud examiners are a necessary ingredient in our blueprint.
For fraud examiners and anti-fraud professionals, the blueprint provides concrete, actionable steps:
Each part of our blueprint addresses a distinct vulnerability, but together they create a defensive architecture that makes synthetic fraud exponentially harder for fraudsters to execute. Credit bureau reforms eliminate the opacity fraudsters exploit to build false histories. CPN enforcement cuts off the supply of fraudulent credentials at the source. Expanded eCBSV access enables institutions to block mismatched identities before they enter the system. And digital identity infrastructure offers a long-term structural solution that renders the entire synthetic-identity fraud playbook obsolete.
Implementation will require coordination across federal agencies, legislative action to close statutory gaps, industry investment in verification infrastructure and public education to reduce consumer vulnerability. Early wins might include pilot programs for eCBSV-tiered certification, Metro 2 provenance field trials and inter-bureau alert-sharing agreements. These foundational steps would demonstrate feasibility and build momentum for larger structural reforms like digital identity frameworks.
The financial services industry stands at an inflection point. The tools exist. The blueprint is clear. What remains is the collective will to modernize identity verification for the digital age — not just to recover billions already lost, but to prevent the tens of billions in losses that lie ahead if synthetic fraud continues unchecked. A future where every identity can be verified with confidence is within reach, but first we must choose to build it.
Dustin Eaton, CFE, is a principal of fraud & AML at Taktile. Contact him at dustin.eaton@taktile.com.
Frank McKenna is the chief fraud strategist of Point Predictive. Contact him at fmckenna@pointpredictive.com.
What began as a fringe scheme in the late 1990s is now one of the costliest frauds affecting lenders in the U.S. A few key inflection points tell the story:
1998 — Credit privacy numbers (CPN) appear as a niche credit repair scam, marketed to consumers with damaged credit.
2008 — The housing crisis in the early 2000s, sparked by the mortgage collapse of 2008, causes economic desperation and drives more consumers toward credit repair schemes. CPNs get a foothold in mainstream fraud networks.
2020 — The flood of government stimulus programs, combined with overwhelmed lenders processing applications at unprecedented volume during the COVID-19 pandemic, creates the ideal conditions for synthetic identities to emerge.
2023 — CPN-backed synthetic identities increasingly target auto lenders grappling with rising delinquencies and inflated vehicle values.
2024/2025 — Artificial intelligence (AI) tools allow bad actors to generate convincing synthetic identities at scale — complete with fabricated credit histories. Analysts call this the “exponential threat curve.”
Unlock full access to Fraud Magazine and explore in-depth articles on the latest trends in fraud prevention and detection.
Read Time: 5 mins
Written By:
Roger Seifert, CPA, ABV, CFF
Jamal Ahmad, J.D., CFE, CPA/CFF
Read Time: 6 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Read Time: 5 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Read Time: 5 mins
Written By:
Roger Seifert, CPA, ABV, CFF
Jamal Ahmad, J.D., CFE, CPA/CFF
Read Time: 6 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Read Time: 5 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
