By Christian Mangold, CEO Fraugster
- Synthetic identity fraud, involving the creation of a fake identity by combining stolen IDs with real user data, has grown into a €19.38bn problem for ecommerce, rising by 109% YoY.
- An increasing number of data breaches, easy access to fake IDs via the dark web and an endless supply of deep fakes have made the barrier to entry fairly low for fraudsters.
- Although fraudsters engage in reputation-building activities and look like legitimate customers, machine learning overlaying hundreds of data points, along with linking and behaviour analysis, can help spot anomalies to uncover fake identities.
We live in a world where the concept of “truth” is becoming ever more unstable. New technology has made it possible to disseminate fake news to millions worldwide and produce deep fakes that are indistinguishable from the real thing. Elon Musk cited “fake identities” as one of the principal reasons for withdrawing from his Twitter takeover bid. And e-commerce is not immune from this phenomenon.
Over the past 18 months there has been a massive rise in “synthetic identity fraud”, a sophisticated type of fraud in which a fake identity is created from a range of stolen credentials, from government ID to social media accounts and financial instruments, to bypass Know Your Customer (KYC) checks. This allows bad actors to gain access to a range of services like Buy Now Pay Later (BNPL) accounts, gift cards and online gaming platforms, to name just a few.
This type of fraud has increased by 109% YoY and is now a €19.38bn problem for e-commerce merchants and financial institutions. It is also a highly lucrative enterprise for fraudsters. Based on the calculations of Fraugster’s fraud analysts, constructing a convincing synthetic identity can cost as little as €200.
Return On Investment (ROI)
Although relatively cheap to create, synthetic identities do take time to mature, which means fraudsters attempting to cultivate a convincing online presence need to be patient and get busy: reputation shopping, building a credit file, posting frequently on social media platforms and building a social media network. But the effort is worth the reward. Experian, a credit bureau, estimates that the median gain from synthetic fraud is €6000, a 30x multiple on the original investment. Not a bad ROI.
Lower Barriers To Entry
The scary reality is that scaling and professionalising this type of fraud has become easier than ever. An increasing number of data breaches are providing more inputs with which to construct fake identities and test credentials. (This is also true for credential stuffing attacks using widely available stolen credit card details.)
But this is just the tip of the iceberg. Fraudsters also have access to an endless supply of fake faces generated by AI with which to create convincing fake social media profiles on high trust platforms like Twitter and LinkedIn. So how is it done, and what can the e-commerce ecosystem do to combat this type of fraud?
The Many Steps To A Synthetic Identity
Once a fraudster has their hands on stolen PII (Personally Identifiable Information), financial information and an artificially generated image of a person who doesn’t exist, there is still a lot of work to be done.
When it comes to manipulating and using stolen information, fraudsters employ different tactics. One is to clone someone’s actual PII such as Date of Birth (DOB) or Social Security Number (SSN), email and social media account and then link a stolen financial instrument to start cashing in on this fake identity. Or, they could opt to manipulate an individual’s PII, “mixing and matching” it with real PII.
In either case, the next step is to cultivate a digital presence that mimics the online behaviours of a real person. This can be done by setting up new social media accounts (usually 2-3 at the same time) with fake email addresses. While building a digital presence, the fraudster also builds a credit file with their new synthetic identity. Even if the application is rejected, a credit file is established, which enables the fraudster to apply for further credit. ‘Credit piggybacking’ is also a popular tactic that involves adding a synthetic identity as an authorised user to a legitimate account. The authorised user then inherits the good credit history and positive credit score of the parent account.
The next step is called “approval shopping”, which could involve establishing credit with BNPL solutions or other lenders with more lenient credit disbursement policies, i.e. cohorts with thin credit files. Onboarding processes offered by such providers may only require copies of ID cards, a current address and a credit or debit card to register.
Fraudsters will attempt to exhibit normal shopping behaviour by making regular small-value purchases and repaying debt against credit cards in a timely fashion to build a good credit score. A study by FiVerity found that, by leveraging reputation-building activities, such fake identities managed to build a FICO score of 742, much higher than the average of 698. Making timely payments also allows for an increase in credit limits until the fraudster finally decides to ‘bust out’ and make a single large purchase or account withdrawal.
An analysis by the Federal Reserve found that 70% of suspected cases initially exhibited a pattern of great behaviour before finally defaulting. Often a fraudster may create multiple such synthetic identities, waiting to engage in large purchases and default collectively. The largest such ring detected to date racked up €193mn worth of losses for banks, from 7000 synthetic identities.
Children’s social security numbers are especially valuable as they are unused and can be easily paired with any name and birth date with limited chances of discovery. Vulnerable adults like the elderly and homeless are also prime targets.
Methods that can be used to combat synthetic identity fraud
Device Fingerprinting: This allows e-commerce merchants and PSPs to spot multiple accounts associated with the same IP address/device. For example, if person X’s device, email address or mobile number is registered with two different accounts, each corresponding to a different name, then a case of synthetic identity fraud can be spotted. As real people have real histories, information such as email age and social media lookups further helps in mapping online behaviour and thus verifying identities. Device information can also aid in flagging VPNs, Tor, emulators and malware.
Behavioural analysis: Using custom velocity rules, it is key to note aspects such as the speed of completing the onboarding process and the typing speed when entering complex information such as SSN, address and payment information. Other behavioural anomalies, such as the number of requests to increase a credit limit, can also be key to spotting synthetic identities.
As a rule of thumb, even the most diligent fraudster will eventually slip up. The devil, and the clue to a fraud, is so often in the detail. Increasingly this means using graph and linking analysis to connect common attributes like email and payment data with things like social media lookups (do they have a digital footprint, how long have their social media accounts existed, are the emails registered to these accounts the same as the one being used to sign up for a BNPL service).
Case of synthetic identity fraud for ecommerce merchants
Fraugster’s data revealed common tactics adopted by fraudsters to engage in such fraud. They were observed setting up an account by combining stolen PII with a fake email address and some of their own information, such as phone numbers. Less stringent KYC checks, put in place by merchants to ensure a seamless shopping experience for the user, made this process easier. The final step for the fraudster would then be to make several high-value purchases, also referred to as ‘busting out’.
While such cases can prove tricky, linking analysis can be leveraged to list suspicious transactions made by the fraudster using the same shipping address, IP or email address. Machine learning assessing hundreds of data points further aids in spotting mismatches between shipping address, device location and IP location, which may be easily overlooked by static fraud rules.
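The linking analysis described here and under device fingerprinting above can be sketched as follows. This is an added example, not Fraugster’s code: it groups accounts that share any attribute (email, phone, device or shipping address) and flags groups that claim more than one name. The record layout, field names and sample accounts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample accounts (not real data); field names are hypothetical.
ACCOUNTS = [
    {"id": "A1", "name": "Anna Berg", "email": "anna.berg@example.com", "phone": "+49-30-5550101", "device": "dev-7f3a", "ship": "12 Elm St, Berlin"},
    {"id": "A2", "name": "Jonas Weil", "email": "j.weil@example.net", "phone": "+49-30-5550101", "device": "dev-91c2", "ship": "4 Oak Rd, Hamburg"},
    {"id": "A3", "name": "Mara Voss", "email": "mara.v@example.org", "phone": "+49-30-5550199", "device": "dev-91c2", "ship": "12 elm st,  berlin"},
    {"id": "A4", "name": "Tim Keller", "email": "tim.k@example.com", "phone": "+49-30-5550142", "device": "dev-0b11", "ship": "9 Pine Ave, Munich"},
    {"id": "A5", "name": "Tim Keller", "email": "tim.k@example.com", "phone": "+49-30-5550142", "device": "dev-55aa", "ship": "9 Pine Ave, Munich"},
]
LINK_FIELDS = ("email", "phone", "device", "ship")

def normalise(value):
    # Case-fold and collapse whitespace so trivial variations still link.
    return " ".join(str(value).lower().split())

def link_accounts(accounts, fields=LINK_FIELDS):
    """Group accounts connected through any shared attribute (union-find)."""
    parent = {a["id"]: a["id"] for a in accounts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    first_seen = {}  # (field, value) -> first account id carrying it
    for acc in accounts:
        for field in fields:
            key = (field, normalise(acc[field]))
            if key in first_seen:
                parent[find(acc["id"])] = find(first_seen[key])
            else:
                first_seen[key] = acc["id"]
    clusters = defaultdict(list)
    for acc in accounts:
        clusters[find(acc["id"])].append(acc)
    return list(clusters.values())

def suspicious_clusters(accounts):
    """Return linked clusters whose accounts claim more than one name."""
    flagged = []
    for cluster in link_accounts(accounts):
        names = {normalise(a["name"]) for a in cluster}
        if len(names) > 1:
            flagged.append(sorted(a["id"] for a in cluster))
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_clusters(ACCOUNTS))
```

A1, A2 and A3 are linked only transitively (shared phone, shared device, shared address), which a pairwise rule on a single field would miss; A4 and A5 link too but carry one name, so they are not flagged.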
Threat signals to look out for as a user:
- Multiple calls/inquiries regarding an unknown account or debt not incurred.
- Dramatic lowering of credit score or a lack of negative information on primary credit report.
- Higher fees and interest rates on loans or trouble getting credit.