A Slippery Slope: How Synthetic Identities Can Slip Through Your Defenses

The problem of synthetic fraud has been consistently growing since the early 2000’s. The way it’s perpetrated, the behaviors that dictate it, and the resulting synthetic fraud patterns that have emerged make it increasingly insidious and problematic for every organization that engages with customers through a digital footprint. The reality of synthetic accounts, and the prevalence of them, in customer portfolios has fraud teams scratching their heads, wondering, “How did these accounts even get in here?”

When synthetic fraud was first identified, it attacked credit card issuers and mobile carriers to make fast cash by running up the balance on a card quickly and sending the fraudulently obtained device to Europe for cash. Over time, these bad actors learned they could slowly build good behavioral patterns that would allow them to “bust out” and increase their profit above the credit limit. 

The advent of large scale “credit washing”  and “piggy backing” websites that help consumers and fraudsters alike append other’s good tradelines to a credit report have led many consumers down the path of “manipulated” synthetic fraud. Their targets are subprime, non-captive and captive auto finance companies so that they can get a car loan, or obtain credit at better terms. 

Since COVID, synthetic fraudsters have substantially changed their patterns and have begun to attack banks and fintechs with depository accounts at high rates. Higher in fact, than any other industry. 

Regardless of industry, the occurrence of synthetic identities leads to synthetic fraud attacks which wreak havoc inside your customer account base. Many ask, “If we know about synthetic identities, why can’t we stop them?”  In a recent Socure webinar, an audience member referred to synthetic fraud as a “keystone cop moment,” which reflects the fact that there is not only too little awareness, but not enough is being done. Simply put, a good majority of U.S. banks and fintechs offering deposit accounts are falling victim to fake identities because they are not looking hard enough.

They can, and they have to, do better.

Why are synthetic fraud attacks successful?

Synthetic fraud is actually fairly easy to solve for if you know what you are doing. 

While the Boston Federal Reserve and others have done a great job of developing standard definitions for synthetic fraud and have built solid education programs, the biggest issue facing our industry has been the lack of education around the problem of synthetic fraud. But even with more awareness and guidance, synthetic fraud attacks can still be hard to detect and therefore, they are able to successfully achieve their goals. 

Common reasons why synthetic fraud continues to run rampant across all industries include:

Reliance on your Customer Identification Program (CIP) to stop synthetic fraud

Relying on your CIP program to identify synthetic fraud is like using a Knowledge Based Authentication (KBA) solution to validate a consumer. Neither are optimized to work properly to stop fraud and the outcome is terrible. It is vitally important to understand that the vast majority of CIP solutions use credit bureau header data as the “authoritative source” of data, and as most know, synthetic fraud is alive and well in the credit reporting system. By incorrectly relying on your CIP programs to detect synthetic fraud, you are actually validating the synthetic identity and breathing life into the possibility of more synthetic identities. Simply put, if you are relying on your CIP program to stop synthetic fraud, you are helping synthetic fraudsters establish identities so that they can continue to build more credit. CIP programs do not stop synthetic fraud. They only help to perpetuate it. And unfortunately, so are you if you rely on CIP for synthetic protection.

Faulty follow-on treatment strategies 

While helpful to identify synthetic fraud at origination, if you don’t have the correct follow-on treatment strategy, you will incorrectly validate the identity and the synthetic fraudsters will be successful in invading your customer base. Most financial services companies do not understand that there are different versions of a synthetic identity. The two most important types of synthetic fraud to know are “manipulated” and “fabricated” synthetic types. The simple definitions are as follows:

• Manipulated: Slightly modified real PII to create a new identity. The modified PII is generally the consumer’s SSN.
• Fabricated: Completely fictitious identity without any real PII

So, as an example, if you identify an applicant as “synthetic” but you don’t know what type of synthetic identity it is, you may choose to validate the synthetic identity by validating their driver license. To continue the example, let’s say you are physically in front of the applicant. They hand you their license, and it looks legitimate. The picture on the license matches your applicant, the DOB and name are exact and they live in the same city (the address is different but who really updates their license immediately upon a move). So, you validate that the person is who they say they are and that the identity of the applicant is not synthetic.

The problem is, the consumer has established a new credit report under a manipulated synthetic identity and the SSN has been changed. So, while the identity will validate using a driver license, the credit report you are looking at is fraudulent, and you will underprice your risk.

If your follow-on validation strategy is not the right one, you will miss synthetic identities and they will end up in your account portfolio.

Synthetic identities can “slip through” even the best defenses

All good synthetic solutions are analytical scores purpose-built to identity identities that are most likely synthetic. The best solutions identify a high percentage of synthetic identities with great precision, capturing over 50% of synthetic applicants (Fraud Capture Rate, or FCR) in the highest scoring 1% or less of scored applicants, all with a False Positive Rate (FPR) of less than 1:1. Most importantly, the greatest synthetic scores return an accurate indicator for “manipulated” or “fabricated” synthetic types. So, even the greatest synthetic scores will capture synthetic identities below the score threshold (marginal score population) or, miss the synthetic identity entirely giving them a score in the good range (a False Negative). Which means, even if you try your best, you will likely still have synthetic identities in your portfolio attacking consumers, the government, and you.

Inadequate protection at account origination

Every industry that offers a credit or deposit account should use a layered approach to solving for fraud. Today, if you do not have three distinct fraud solutions for (1) third-party fraud, (2) first party fraud and (3) synthetic fraud, you are absolutely sub-optimizing your new application fraud stack. Each of these categories is perpetrating fraud right now in your system, and each of their behaviors is completely different and can only be identified and stopped by specific technologies developed uniquely to stop each type of fraud. Unfortunately, you can not solve these fraud types on your own but there are solution providers who can help you. It’s up to individuals who hold Fraud Strategy, Fraud Operations and Fraud Exec positions to ensure they are adequately protected for each type, including synthetic fraud. If you have employed a synthetic fraud-specific solution yet, 2023 is going to be a very bad year, especially if you hold deposit accounts in your portfolio. The good news, that can all be rectified.

Bad buying decisions for third-party solutions

Large, sophisticated credit card issuers are doing the best job of stopping synthetic fraud at origination simply because they recognized early on the size of the losses they were taking. In the early 2000’s, it still took a few years to convince even the most sophisticated issuers that 20% of their credit charge-offs were from synthetic identities, but eventually the card issuing industry began to believe, and now, it’s hard to find a card issuer worth their salt who does not have good upfront synthetic protection. That said, even the most sophisticated card issuers have synthetics in their portfolios (see “slip through” above). 

However, there are some industries that do not understand the problem of synthetic fraud as deeply as card issuers and auto finance companies. I’m calling out traditional bank and fintech depository institutions who offer demand deposit accounts (DDA), savings and investment accounts. These financial services companies don’t fully understand (yet) the damage that synthetic identities do to consumers, the U.S. government, and even their own account base. Why is this? Card issuers and auto lenders both take a high loss for each synthetic identity of roughly $12-$14k or more per fraudulent account. However, deposit accounts tend to have a low loss rate, roughly $250-$400, because these accounts do not take all the financial loss that synthetic identities create with consumers, instead shouldering the larger portion of the financial burden. 

Because of the bad math these depository organizations use to make buying decisions for solution at point of origination, they tend to walk away from the bargaining table and generally make the decision to not buy an outside third-party synthetic solution Instead, they rely on their CIP program to stop synthetic fraud (see “Reliance on CIP programs” above). This is why the deposit industry generally has the highest rate of synthetic frauds operating in their accounts performing P2P scams, unemployment fraud, money laundering and/or humans and drug trafficking.

Lack of education

Again, the biggest issue we have as an industry is lack of education about the problem of synthetic fraud and how to stop it.

What can you do to help eradicate synthetic identities from your accounts?

So, as you can see, the problem of synthetic fraud is pervasive, and even with the best defenses, you will still have these fake identities within your accounts.  

How much synthetic fraud is in your portfolio? The answer is, it depends, and we’ll cover that in our next blog. Until then, keep up the good fight and let’s eradicate synthetic fraud by 2026. Working together, we can do it.

Socure’s Sigma Synthetic Fraud provides a purpose-built synthetic identity fraud detection solution that delivers holistic protection through multi-layered controls to block harmful synthetic identities from entering an ecosystem at account creation. The model employs both advanced ML techniques cyclically trained with expert human-in-the-loop analysis to mitigate rapidly evolving and complex synthetic patterns. It results in the ability to deploy the right tools at the right time to hone your decisioning strategy, whether the goal is to capture more synthetic fraud or create a lower-friction user experience.

Companies are testing Sigma Synthetic Fraud to determine the number of synthetic identities hiding in their existing portfolios. To schedule your proof of concept, book a meeting today.