New Case Study: Threat Hunter finds renamed system utilities by file hash to uncover multiple attacks   

Read Case Study


More Attackers Using Synthetic Identity Fraud to Commit Financial Crimes

June 10, 2022

Identity theft remains a popular way for cybercriminals to ruin credit scores. But to steal even more and evade detection, a growing number of crooks are resorting to what’s called “synthetic identity fraud,” which involves creating fake personas to dupe lending agencies. “This is growing. It’s got big numbers tied to $20 billion-plus (in losses), and we’re not really seeing a drop in it,” said Michael Timoney, VP of Secure Payments at the Federal Reserve Bank of Boston. “Due to the pandemic, the numbers have gotten even higher.” At the RSA conference in San Francisco, Timoney outlined how the threat exploits a major hole in the US financial system: Many companies don’t always vet a customer’s identity when they apply for a credit card or a loan. Timoney described synthetic identity fraud as using a combination of personally identifiable information to fabricate an entirely new person. “It’s different from traditional identity theft because if someone stole my identity they would be acting in my name,” he said. “I would go into my bank account and see my money is gone or I’d try to log into my account, but I’d be locked out.” As a result, a victim can identify the fraud reasonably quickly. However, synthetic identity fraud involves generating a new and unique persona, although details such as the Social Security number and address might have been stolen from a real person. “Because of data breaches, there is so much information out there for sale,” he said. In other cases, the crooks will alter or make up the Social Security number and address data entirely with the hopes the companies won’t catch on. “Once you apply for credit with your brand-new identity, there is no credit file out there for you, but one gets created immediately. So right off the bat, you now have a credit file associated with this synthetic. So, it sort of validates the identity. Now you got an identity, and it has a credit record,” he added.  The fraudster will then work to build up the credit rating for the fake persona with the goal of securing bigger loans or credit card limits and then bailing without ever paying the lending agency. “The fraudster will pay their balances, ask for more credit,” he added. “Then they get to the point where ‘Okay enough is enough, I’m going to take the money and run.’” According to Timoney, the fraudsters have also been using fake personas to apply for unemployment benefits and to secure loans from the Paycheck Protection Program, which started during the pandemic to help businesses pay their workers. 

Analyst Notes

To stop synthetic identity fraud, the US is developing the Electronic Consent Based Social Security Number Verification service, which is capable of checking whether a Social Security number matches known records. However, Timoney said the system will only be available to financial institutions, not to other industries that also offer credit to customers. In response, Timoney said it’s important for companies to look out for red flags associated with synthetic identity fraud. This might include details in the applicant’s background that don’t quite add up. For example, a person who is 60 years old, but never had a credit history, despite living in the US their entire life. Or an 18-year-old who has a credit score over 800. Another way to detect synthetic identity fraud is to examine whether a loan applicant has any confirmed family members. “There’s a lot of things we should be looking at more than just the name, address, and Social [Security number],” he added.