Traditionally, credit application fraud has been perpetrated in two ways:
- First-party fraud – where the criminal uses their own identity to commit fraud, even if they obscure some details in order to prevent detection. This type of fraud is self-limiting: while fraudsters have stolen significant sums, an organization is unlikely to fall victim to the same fraudster multiple times. Where fraud data sharing is in place, the fraudster's scope may well be limited across multiple organizations.
- Third-party fraud – where the criminal uses a stolen identity in order to commit fraud. This type of fraud is less likely to be traced back to the perpetrator, but it is also self-limiting in that the fraudster needs access to a unique identity and related dataset in order to commit the crime. As these identities actually belong to someone, the victim of the identity theft, there is a person who can realize their identity has been stolen and report it.
Keen to find a way around these limitations, fraudsters are increasingly turning to a third method – synthetic identity fraud. The availability of personal data due to data breaches means that fraudsters have access to a wealth of personal identity data, but rather than using the identity of a single person they combine elements of real and fictitious identity data to build convincing fake identities. There is no one-to-one correlation of the identities they create to a real person, so they are not limited in the number they can create, and there is no victim to spot and report that their identity is being used to commit fraud.
Synthetic identities give fraudsters the opportunity to scale their activities and industrialize their attacks – once they have found a susceptible organization, they can quickly multiply their fraudulent applications.
The use of synthetic identities to commit fraud, particularly outside the US, is relatively new and is causing some confusion. This was illustrated in a recent poll FICO ran using LinkedIn. A panel of 42 fraud experts split almost evenly when asked whether synthetic identity fraud is a subset of first-party fraud, third-party fraud, or is in need of its own category.
How synthetic identity fraud is categorized may seem a relatively trivial matter – but with little agreement on how to classify it, reporting on and understanding the scope of the problem is difficult, let alone tackling it.
Synthetic Identity Fraud Is a Growing Problem
According to multiple sources, including the US Department of Justice and a recent white paper from the US Federal Reserve, synthetic identity fraud is now among the fastest growing forms of identity fraud. What is becoming clear is that criminal groups can do great harm using synthetic identities to commit fraud, and that a fraud trend that first came to attention in the USA is increasingly evident in other countries, including in Europe. For example, a couple was arrested in August 2020 after conducting a synthetic identity–based, €23 million crime spree in multiple EU countries.
The crooks used synthetic identities, including fake passports and national ID cards, to open bank accounts under a variety of names in different countries. The accounts were used to deposit money from fraudulent online sales of merchandise such as watches and vintage cars that did not exist. Once the funds from false sales were received in the accounts, accomplices with clean criminal records accessed the cash and transported it back to the criminals’ home country.
The arrested couple was part of a large gang, with local groups across at least 10 countries, which used synthetic identity fraud all over Europe to steal money that in turn funded other criminal activities.
Synthetic identity fraud is so dangerous because it tends to go undetected for long periods of time, as there is no individual who has had their identity stolen to realize what is happening and alert financial institutions. This poor detection and classification of synthetic identity fraud has a knock-on effect, particularly with loans. A lack of payment from the fictional customer results in the account being categorized as delinquent, passed to collections, and ultimately accounted for as bad debt. By the time a lender realizes the customer is fake, the money has already gone, and lenders are left trying to chase people who don’t actually exist.
This post is the first in a series looking at the issues around both first-party and synthetic identity fraud. In my next blog I will look at some of the strategies that help financial institutions correctly identify synthetic identity fraud. For more information, see our white paper Combatting First-Party and Synthetic Identity Fraud, which covers the five best practices you need to combat these crimes.