Is synthetic identity fraud a victimless crime?

After all, the “person” whose identity is used to commit the fraud isn’t a person at all. It’s a collection of personal information, some fictitious, some stolen, that’s combined to create an individual who only exists electronically. No single person’s identity is taken and misused. No one person sees his or her name and hard-earned reputation traded on and violated.

But just because this kind of identity fraud doesn’t steal from a named victim, it doesn’t mean there aren’t victims. In fact, they come from all over.

They include the people – often children – whose Social Security numbers are taken by synthetic identity fraudsters, and who later find their credit ruined.

They include individuals and businesses who struggled to survive the pandemic after synthetic identities “borrowed” millions in loans that could have gone to them.

And they include those devastated by crimes the fraud underwrites, including human trafficking and terrorist financing.

The damage done by synthetic identity fraud is far-reaching – with losses estimated at $20 billion in 2020 – and the list of victims keeps growing. That’s why the Federal Reserve is researching it, educating the industry about it, and encouraging action to address it.

A synthetic identity is painstakingly built

The building blocks of synthetic identity fraud are “personally identifiable information,” or PII. This includes names, birthdates, and Social Security numbers. Children often are targeted because the theft can go undetected for years, until they’re old enough to apply for credit or a job.

The fraudsters combine PII with fabricated information, such as a phone number or email address, to build a synthetic identity. They then use that identity to apply for a line of credit. The application often is rejected because no credit profile history exists. But now the credit bureaus have a credit file for the synthetic identity.

The fraudster keeps applying for credit as the synthetic identity until it is approved and they can start building a positive credit history. The goal? Higher credit limits and access to more sophisticated financial products and services, so there’s more to steal.

Synthetic identity fraud is not new. But new opportunities to commit it exist with the widespread digitization of financial systems and a rise in compromised PII, including a 68% year-over-year increase in reported data breaches in 2021.

The Fed first mobilized against synthetic identity fraud in 2018, when we began working with the payments industry to raise awareness. We have researched how this type of fraud is defined, committed, detected, and mitigated.

Initial findings were detailed in a series of three white papers in 2019 and 2020. We then worked with fraud experts from across the industry to develop a common definition of synthetic identity fraud.

That definition was incorporated into our FraudClassifier^SM model to help organizations and industries more consistently classify and track this type of fraud. Most recently, we released a Synthetic Identity Fraud Mitigation Toolkit.

New toolkit aims to simplify complex problem, equip orgs to deal with it

The Fed created the toolkit in partnership with the industry to be a dynamic repository for information about synthetic identities, how they’re used, and how to mitigate this type of fraud.

We all learn differently, so the toolkit aims to appeal to the different ways people consume information. It has downloadable documents, videos, and interactive tools that challenge readers to spot synthetic identities in various scenarios.

Our goal was to make the complex information more accessible by organizing the toolkit into modules that focus on particular topics. The first four modules focus on the definition, background, and mechanics of synthetic identity fraud. They also aim to raise awareness about how to spot synthetic identities that may be cloaked as good customers.

The next two modules discuss ways to validate identities and detect synthetics, from the time a “customer” opens an account through the aftermath of a fraud loss.

The remaining two modules emphasize the importance of technology and fraud data strategy, including how artificial intelligence/machine learning can be used to root out synthetic identities. They also stress that collaboration is critical. Synthetic identities usually aren’t unique to a single organization, so it can be easier to shut down attacks when organizations work together.

It’s important that organizations understand that synthetic identity fraud is not an emerging threat – it’s a clear and present one. They also need to know that we at the Fed will continue to partner with them to help deal with it.