One of the most prevalent forms of attempted fraud that we see in the credit card industry and elsewhere in digital settings is synthetic identity fraud. While it has existed for years, it first worsened in response to the move from magnetic stripes to the EMV standard on credit cards, which improved security and helped prevent physical point-of-sale credit card fraud. That left fraudsters looking for opportunities online, in a card-not-present environment. The fraud landscape deteriorated further last year due to the impact of the COVID-19 pandemic, as businesses increasingly shifted to digital-only environments.
As a result of digital acceleration and economic pain, we saw a 90% increase in attempted fraud from new credit card applications in March and April of 2020. These fraudulent attempts were thwarted with robust fraud detection technology, but many of them involved suspected synthetic identities.
Synthetic identity fraud occurs when a criminal uses elements of someone’s real personal information or entirely fake information to create a fake identity, bolstering the new account with other fake information. It might be based on an actual address, phone number or Social Security number, or on a combination of real but slightly inaccurate personally identifiable information (PII) chosen to beat fuzzy matching algorithms. The idea is to create an account that resembles an actual person but can fly under the radar of traditional fraud detection methods.
One of the main reasons synthetic identity fraud works so well is that the criminal who employs it doesn’t simply create a new account and immediately run up a number of purchases; instead, the account is allowed to “bake” for a while, operated as though it were attached to a viable human being and consumer. Items and services are bought and paid for responsibly, which builds up a reliable credit score and payment history. These actions reinforce the notion that the fraudulent account is, in fact, genuine. Eventually, the fraudster maxes out the credit line and disappears without paying, leaving the financial institution or other victimized organization on the hook for the loss.
Data breaches have provided the gateway for fraudsters to obtain the Social Security numbers or other PII needed to create a synthetic identity. Once a consumer’s Social Security number has been used to create a synthetic identity, it might be years before the misuse is discovered. Further, scammers often target children, who have no credit history and would not be regularly monitoring their credit score or profile. By the time that minor grows up and can apply for a credit card, their Social Security number is tarnished by a wave of bad debt.
To help protect themselves, consumers should monitor their credit reports regularly. For their children, they should consider freezing the child’s Social Security number with the credit bureaus from the get-go. Furthermore, consumers should ask places like schools, doctors’ offices and summer camps why they need a child’s Social Security number, and how they protect it.
For businesses, the best fraud defense is to rely on a multi-layered approach that looks beyond PII elements and leverages ML/AI capabilities and diverse, deep data sets to gain assurance of an applicant’s identity. For synthetic identity fraud specifically, companies should be looking for a provider that employs an unsupervised machine learning model which has been purpose-built and trained with consortium data from financial institutions.