Protection against synthetic identity fraud is on every business’s agenda these days - or at least it should be. Synthetic identity is a rapidly growing category of fraud where a fraudster cobbles together information from various real identities - typically a stolen government ID, often from children who haven’t established credit yet. This is combined with other data - perhaps a name from one, an address from another along with new information like an email address and maybe a burner cell phone - to create a completely new fictitious identity. A common scheme is for the fraudster to create the identity and apply for credit or open a merchant account. Often these cyber-criminals are very patient, slowly building up a light profile and making some small transactions before they suddenly make a lot of big purchases or obtain large loans over a short period and then bust out.
For example, TransUnion detected one of these scenarios in which the fraudster, a felon with multiple convictions for passing bad checks, breaking and entering and delinquent child support. He used a synthetic identity to open 90 accounts and walked off with $149,000, and subsequently created four additional synthetic profiles in less than a year to walk away with another $104,000 for a total of $253,000 before he was captured by authorities.
A new tactic for perpetrating synthetic identity fraud has been reported by one of our subscribers, Ria Financial. In a recent iovation webinar, Brian Pramov, CFE and Senior Manager, Digital Fraud Strategy & Analysis at Ria described a synthetic fraud scheme that was caught using iovation tools. In this scheme a fraud ring created synthetic identities and then made small changes in the identities to see if they could get any past Ria’s fraud detection system. When Ria did a fraud check with iovation’s evasion detection and geolocation capabilities, they discovered that transaction pretending to come from various locations were attempting to mask their true origin, Nigeria.
Ria uncovered this fraud ring using a mix of personal and digital data - and this is the key to protecting your business from synthetic identity fraud. Checking personal information often is not enough. You have to match the personal identity with the digital fingerprint associated with it to gain a more complete picture of the trustworthiness or riskiness of the transaction. Although a fraudster can create hundreds of false identities, and may employ evasion techniques to avoid detection, good device-based fraud prevention tools, like iovation SureScore and FraudForce, can help you discover that all those false identities are originating transactions from one or a small number of devices, most commonly desktop PCs.
Fraudsters are a tricky bunch. As Pramov said in the webinar, “just when you think you have detected and caught all their schemes, they come up with another one.”
So what’s driving all this new fraud? We’ve taken a look at the rise of synthetic identity fraud and have identified five major drivers.
One of the foremost drivers is the incredible amount of stolen personal information that is available to criminals on the dark web – usernames, password, social security numbers, you name it. According to a 2018 Gartner report, since 2013 nearly 10 billion data records have been exposed. There are so many records available now that, true to the law of supply and demand, the price that criminals need to pay per record has fallen dramatically. Recently a cybercriminal posted over a billion records in clear text for free for anyone who cared to use them.
Competitive Lending Market
Coupled with the availability of stolen records is today’s highly competitive lending market. Economic times are good. Credit and lending institutions are in fierce competition to sign up new accounts, and they are willing to take risks on new customers who may have a sparse financial history or a thin credit profile. This is a perfect setup for a synthetic identity fraudster who is willing to set up a new identity and make a few small transactions over a sometimes-extended period before taking out big loans or making big purchases and then disappearing.
Successful Credit Card Fraud Countermeasures
The success of countermeasures against credit card fraud, such as the EMV initiative, has had the unforeseen consequence of pushing fraudsters away from schemes such as card cloning and into other activities, including synthetic identity fraud.
Social Security Number Assignments
You can bet the US Social Security Administration didn’t see this one coming. In times past a social security number indicated the region where the card was issued. But now the SSA has removed location codes from new SSNs, thereby removing our ability to use that layer of identification of the assignee.
Knowledge Sharing Among Fraudsters
Last, but not least, is the knowledge sharing that’s taking place among cybercriminals. The dark web is more than a simple marketplace for stolen material and malicious code. Just as we exchange tips and techniques for doing, well almost anything, so they exchange tips and techniques on how to defraud businesses and effectively steal from the rest of us.
Losses to synthetic identity fraud are predicted to increase into 2020 and beyond. You need to be vigilant and understand what’s driving it -- and how you can combat it. Deploying comprehensive fraud prevention tools, like those from iovation, can help you protect your business and your customers, and keep out the bad guys.
View the Webinar
Click here to view the recording of our synthetic identity fraud webinar featuring Bala Krishnamurthy, Chief Product Officer at iovation, and Brian Pramov, CFE and Senior Manager, Digital Fraud Strategy & Analysis, Ria Financial.