Synthetic identity theft is a serious security problem for both individuals and merchants. According to the Federal Reserve, it is the fastest-growing type of financial crime in the U.S., and it is particularly insidious because this type of payment fraud is difficult to spot.
The pressure on all parties involved in payment processing is greater than ever to prevent cyber criminals from causing damage to companies, consumers, and financial institutions through synthetic identity fraud.
In this article, learn how synthetic identity theft works, ways of detecting it, and how to prevent it from happening to your customers.
What Is Synthetic Identity Theft?
Synthetic identity theft (also called synthetic identity fraud) happens when cyber criminals steal the data of real people (e.g., their Social Security Number and date of birth) and combine it with fabricated data to create new identities.
Fraudsters use these fake identities to obtain bank accounts and credit cards, take out loans, make fraudulent purchases, and facilitate other criminal activity (human and drug trafficking, terrorism, etc.).
Synthetic vs. Traditional Identity Theft
Traditional online identity theft most commonly involves account takeover. Cyber criminals gain unauthorized access to customers’ accounts and use them for their own gain. They access the customers’ information via hacking, data breaches, or by tricking customers into revealing the information themselves.
On the other hand, synthetic ID theft combines real and falsified information to create new, “synthetic” identities. In this case, cyber criminals do not use existing accounts to perform fraudulent activities. Instead, they steal real information and then create new accounts based on it.
Note: One of the ways criminals exploit account takeover is to abuse a merchant's loyalty program. Read more about loyalty fraud and how to prevent it in our blog article.
How Does Synthetic Identity Theft Work?
Synthetic identity fraudsters create two types of fictional identities.
- Manipulated synthetic identities. Fraudsters create false identities by making slight changes to real information, such as the SSN or date of birth. These identities are easier to detect since they can be compared against a real person.
- Manufactured synthetic identities. These identities are based on combined information from several real people. Criminals will take a real Social Security Number (SSN), address, P.O. box, name, and date of birth to create a so-called “Frankenstein” identity. These synthetic identities are hard to detect since all the data points are individually verifiable and there is no single clearly identifiable victim.
Note: Synthetic identity fraud schemes often involve address fraud - using fictitious or incorrect addresses under someone else's name for personal gain. For more information on what it is, how to spot it, and how to prevent it, check out our comprehensive guide to address fraud.
Cyber criminals play the long game when it comes to synthetic ID theft. Typically, these false accounts go months or even years without any activity, or fraudsters use them responsibly to build up a credit score and history. Based on this, they apply for bank accounts, credit cards, and bank loans. In some cases, they use these fabricated identities to file tax returns and apply for medical care or unemployment benefits. Additionally, some cyber criminals use synthetic identities to pose as victims of fraud to get their credit lines restored so they can continue committing fraud.
The most common victims of synthetic identity fraud are children, the elderly, the incarcerated, and the homeless; in other words, people who do not actively use or access their credit information. Because of this, attacks on their identities remain unnoticed for a long time.
How Does Synthetic Identity Theft Impact Merchants?
Synthetic identity theft significantly impacts merchants. These malicious attacks on customers’ identities result in customers filing for chargebacks with their banks. Even though the merchant is not at fault, it is still required to cover chargeback costs, which significantly impacts the bottom line.
The fraudsters themselves will also frequently file for chargebacks. Namely, they will pose as legitimate cardholders and claim they did not receive the items, committing friendly fraud.
How to Detect Synthetic Identity Theft?
Merchants, card companies, and financial institutions must constantly improve their efforts to detect synthetic identity theft. Here are the most effective ways to do this:
- Constantly analyze data. By analyzing and cross-referencing customer and third-party data across multiple accounts, portfolios, and organizations, companies and institutions can spot suspicious accounts.
- Frequently verify customers’ documents. Fraudsters do not have an actual document to submit as proof of identity. This is the surest way to spot a synthetic identity fraud attempt.
- Require biometric verification. Institutions can detect synthetic identity fraud attempts by requiring customers to submit some form of biometric verification. Since fraudsters’ biometrics do not match any synthetic identity, they will avoid submitting them.
- Learn customer behavior patterns. Machine learning (ML) and artificial intelligence (AI) solutions can spot anomalies in customer behavior, making it easier to detect fraud attempts.
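The cross-referencing described in the first item above can be sketched against the two identity types from earlier in the article. This is an added example, not part of the original article or any vendor's tooling; the field names, the two-character threshold, and the sample applications (which use the never-issued 000 SSN area number) are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample applications; SSNs use the never-issued 000 area number.
APPLICATIONS = [
    {"id": "A1", "name": "Dana Reyes", "dob": "1984-03-12", "ssn": "000-11-2345"},
    {"id": "A2", "name": "Dana Reyes", "dob": "1984-03-21", "ssn": "000-11-2345"},
    {"id": "A3", "name": "Mark Olsen", "dob": "1991-07-02", "ssn": "000-22-9876"},
    {"id": "A4", "name": "Lena Whit", "dob": "2015-01-30", "ssn": "000-22-9876"},
    {"id": "A5", "name": "Omar Haddad", "dob": "1975-11-05", "ssn": "000-33-4567"},
]

def norm(value):
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(value.lower().split())

def shared_ssn_clusters(apps):
    """SSNs attached to more than one distinct name: manufactured-identity signal."""
    names, ids = defaultdict(set), defaultdict(list)
    for a in apps:
        names[a["ssn"]].add(norm(a["name"]))
        ids[a["ssn"]].append(a["id"])
    return {ssn: sorted(ids[ssn]) for ssn, n in names.items() if len(n) > 1}

def hamming(a, b):
    """Number of differing characters; None when the lengths differ."""
    return sum(x != y for x, y in zip(a, b)) if len(a) == len(b) else None

def near_duplicates(apps, max_edits=2):
    """Same name, but dob/ssn differ by a few characters: manipulated-identity signal."""
    hits = []
    for a, b in combinations(apps, 2):
        if norm(a["name"]) != norm(b["name"]):
            continue
        diffs = [hamming(a[f], b[f]) for f in ("dob", "ssn")]
        if None in diffs:
            continue  # malformed field, leave for manual review
        if 0 < sum(diffs) <= max_edits:
            hits.append((a["id"], b["id"]))
    return hits

if __name__ == "__main__":
    print("shared SSN:", shared_ssn_clusters(APPLICATIONS))
    print("near duplicates:", near_duplicates(APPLICATIONS))
```

In a real pipeline the comparison key would be a keyed hash of the SSN rather than the raw value, so the cross-referencing job never handles the number itself.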
How to Prevent Synthetic Identity Theft?
Individuals need to be on high alert for synthetic identity theft attempts. Here are ways for merchants to prevent damage to their business and help customers protect their identities online.
What Can Merchants Do?
- Enforce strict credentials. Merchants need to compel customers to use unique passwords and change them regularly as the first line of defense against account takeover.
- Inform customers about potential attacks on their identities. Merchants should be upfront about a synthetic identity theft attempt or data breaches so customers can protect themselves.
- Work with the payment processor to secure customer data. Working with a reliable payment processor or a merchant acquirer adds another layer of security. It gives merchants peace of mind since they are putting their trust into a party that specializes in providing security to their accounts and resources.
Note: CCBill has decades of experience in providing secure payment processing to merchants and their consumers. With various fraud prevention tools and round-the-clock support, merchants and consumers can rest easy knowing their payment data is safe.
What Can Customers Do?
Every individual must assume responsibility for protecting their valuable information. Here are some essential data-safety guidelines:
- Protect SSNs. Social Security Numbers are private and should not be shared with anyone. This means even limiting sharing with family members and always keeping one’s Social Security card in a safe place to avoid misuse.
- Regularly check credit score. Customers must regularly check their own and their children’s credit reports and credit scores for irregularities. If they suspect fraud, they can freeze their credit.
- Watch out for unusual mail. Customers should beware of suspicious mail, such as mail regarding social security statements, government benefits, or preapproved credit for children.
- Beware of phishing attempts. Both individuals and organizations should be aware of phishing scams, which are specifically aimed at stealing their sensitive information via phone, email, or text.
Note: Ecommerce websites face numerous threats. Read up on how to ensure the security of your ecommerce website against cybersecurity threats.
Synthetic identity theft is one of the most prevalent forms of financial fraud. It hurts both individuals, whose personal information is abused, and organizations, which typically end up footing the bill. Merchants, financial institutions, and customers must work to enhance customer information protection and implement regular and thorough identity checks to prevent synthetic identity theft.