Sponsored Feature Presented by Deduce

Stopping “Frankenstein” identities before they can even get started

By Ari Jacoby, Founder, CEO of Deduce

Synthetic identity fraud is one of the most dangerous threats facing financial and payment providers today. Aite-Novarica Group recently conducted a study in which top fraud executives named this kind of activity one of their biggest threats. And it’s no surprise; in 2020 alone, financial institutions lost an eye-popping $20 billion due to synthetic fraud.

Even the Federal Reserve is sounding the alarm, putting out a video in February of this year to raise awareness of synthetic fraud’s threat.

Synthetic identity fraud occurs when malicious actors use stolen and fabricated identity information to make a fake identity that tricks systems into thinking they are real. Areas we see synthetic fraud pop up in are varied: suspicious auto loan applications, Buy Now, Pay Later fraud, and refund fraud are just a few where synthetic identities can bilk unprepared organizations out of thousands of millions of dollars, and they’re all on the rise. Those auto loan applications are up 260%, and Buy Now, Pay Later increased 66% between 2020 and 2021.

Part of what makes synthetic identity fraud hard to combat is how difficult it is to pinpoint the perpetrator. Investigators can waste time chasing down what might be a random stolen social security number from the internet, or a made-up name, a randomly-inputted address, or some other lead, and find nothing–giving the fraudster more time to put distance between themselves and the act and cover up their tracks. It can feel like chasing a phantom, and it is almost always impossible to track down the guilty party after the money has already been stolen.

The financial losses businesses see from synthetic identity fraud aren’t the only thing to be worried about. Because of the elusiveness of the perpetrator, these money-making schemes naturally are favored by those involved in drug and sex trafficking. These profits have also been tied to terrorist activities. 

Children’s profiles are a fruitful data source for bad actors perpetrating synthetic identity fraud.  Most U.S. parents apply for their newborn’s social security number while still in the hospital. This is required in some cases to receive health benefits, to start a savings account, and other related benefits. Most parents create this number and then neglect to do anything with it for years, giving fraudsters the perfect opportunity to utilize the identity without detection.

School databases and children’s social media accounts have also been hacked, leading to 1.25 million stolen child identities in 2020. This often provides updated city/state records to match a legitimate social security number, and from there, the bad actor starts to fabricate the rest of the identity profile. The legitimacy of such records is what helps the bad actors perpetrate the crime. The effects of some of these hacks might not be felt fully for years, for example, when the child grows up and finds out, when they apply for a credit card, that their identity was stolen. Bad actors may even reinforce their digital “legend” by signing up for and paying legitimate bills such as utilities or securing a pay-as-you-go phone number. All of this makes the bad actor seem legitimate to an unsuspecting business. 

Given how difficult it is to bring perpetrators to justice, the burden now falls on fraud prevention specialists to keep synthetic identity fraud from happening in the first place. As the saying goes, an ounce of prevention is worth a pound of cure.

And the good news is, while it’s not easy, it is possible to foil these fraudsters before they can get into financial and payments systems and do real damage. The key is to stop them at the gate or the point of account creation, and historical identity intelligence is an essential tool you can utilize to make that happen. Not just any data, though. Real-time data – the kind you can use to verify identities on the fly. Not data that’s probably already out there on the web and has been for a while, what we would call “stagnant” data and is, in many cases, widely available to bad actors on the dark web due to previous data breaches.  

Identity checks at the point of registration are among the most effective methods to keep synthetic identities out of your system. And when it’s done well, it happens so fast and automatically that it puts little to no roadblocks in front of legitimate users—something that can be a concern in other areas since many security functions have the unfortunate side effect of being so cumbersome to use customers either disable them, they build a negative association with the brand, or they jump ship entirely. 

By its very nature, account creation is a potentially risky proposition for businesses. After all, the company has never seen this user before, so they have no historical insights for a customer such as; time of day/day of the week of activity, device, IP and onsite or in-app journeys, etc. Having real-time identity-backed behavioral intelligence at scale provides an element of clairvoyance to security teams to determine whether the identity registering has been acting “normally” in telemetry metrics aligned to non-fraudulent activities.  

Those cobbling together synthetic identities to trick financial and payment institutions into giving them access are a patient bunch. They take many steps to make their mashup identities seem real–they may even open bank accounts, set up utilities under the fake name, and more. They usually pay their bills on time, so who would bat an eye? But most fraudsters rely on static, stagnant data to circumvent defenses, and therein lies their weakness: the amount of time, effort, and resources they would have to invest into tricking one of these real-time data networks is massive. And while most are patient, they’re also thrifty, and when their usual tactics don’t work at your company – when you can stay a step ahead – it’s likely they’ll be on their way.