
By: Eileen Smith on July 17, 2025


What Is Synthetic Identity Fraud? Defend Against Growing Cyber Threat

Cybersecurity | Information Security

While phishing and other cyber incidents have long been used as a way for threat actors to gain unauthorized access to steal information and cause financial harm, synthetic identity fraud underscores the importance of staying vigilant against ever-changing cyber threats.

The number of synthetic identity thefts has been rising rapidly, with devastating financial consequences. 

According to Thomson Reuters, synthetic identity fraud costs businesses a whopping $20 billion to $40 billion a year.

In this article, we’ll detail what synthetic identity fraud is, how it works, and ways you can protect your business.

What Is Synthetic Identity Fraud?

Synthetic identity fraud has the dubious nickname of “Frankenstein fraud” since it involves stitching together different pieces of genuine and made-up personal information to create a “Frankenstein ID.”

Scammers can then use this pieced-together virtual identity to take out personal and business loans, open credit cards and lines of credit, purchase real estate, buy cars, and commit other financial fraud.

Attackers can use different tactics to carry out the schemes when targeting businesses. 

For instance, they could establish fake vendor accounts to submit fraudulent invoices for payment, or even to gain unauthorized access to a company’s network.

This could trigger an avalanche of problems, including stolen or compromised data, financial loss, reputational damage, or even legal ramifications. 

Outside of the financial sector, retailers, insurers, manufacturers, auto dealers, healthcare organizations, and businesses in many other industries have also been defrauded.

Even local, state, and federal governments haven’t been immune to this type of deception.

Attackers have been able to use synthetic identity theft to successfully make fraudulent government benefits claims, obtain loans, carry out tax fraud, and make unauthorized purchases.

An estimated 95 percent of synthetic identities aren’t spotted during onboarding, according to a recent report, with many businesses either never learning they’ve been duped or writing it off as a business loss.

What’s The Difference Between Synthetic Identity Fraud And Traditional Identity Fraud?

Both schemes have the same goal: fraudsters use them as a means to an end to steal money by pretending to be someone they’re not. The main difference, however, is in the approach.

With traditional identity theft, attackers steal an individual’s entire identity to access their existing financial accounts. The goal is to steal the personal information of an unsuspecting victim, including name, address, phone number, email, and financial account information.



Threat actors then use the stolen information to gain unauthorized access to drain the victim’s bank accounts or make unauthorized credit card purchases.

While these attacks are known for targeting individuals, businesses can also fall prey.

With synthetic identity theft, on the other hand, fraudsters focus on the most vulnerable groups, including the deceased and minors.

In this type of theft, the goal is to steal a person’s real social security number and combine it with authentic and made-up personal information and images to create a whole new identity to secure new lines of credit.

How Does Synthetic Identity Fraud Work?

The key to this type of fraud is its reliance on real social security numbers and other personal information such as names and dates of birth from various defenseless individuals, including those who are deceased, minors, elderly, homeless, or incarcerated.

This means such attacks often go undetected for years, if discovered at all.

The scheme is pretty straightforward.

A cybercriminal may apply for a credit card using a legitimate social security number, a fake picture, and the phone number, email, and mailing address of random other people. They may even set up fake social media accounts to help lend credibility.

Once approved for the credit card, the fraudsters then rack up charges on the card until it’s maxed out, then discard it with no intention to pay the balance owed.

Then, rinse and repeat.

As we mentioned, this type of fraud isn’t limited to just individuals or financial services organizations. Businesses across various industries have been impacted. 

For instance, let’s say your business has recently ramped up your e-commerce focus, aiming to generate more online sales. Your efforts seem to be getting traction, with a surge in signups.

You find out after the fact, however, that it was all a mirage. Those new customers you thought you were onboarding were really just part of a larger synthetic identity fraud campaign.

It’s also important to note that while malicious actors in this type of cybercrime may initially get rejected, they will keep trying until they get credit approval.

Once they’re approved, some may take the win and cash in right away. Others may drag out the fraud by using it to quickly build credit for a chance at an even bigger score. If and when the ruse is detected, the damage is already done.

According to Thomson Reuters, an estimated 95 percent of synthetic identities are not detected during onboarding at financial institutions.

Since synthetic identity theft uses the stolen social security numbers of real people in combination with made-up information, there’s no “real” victim, making it even harder to fight or detect.

In fact, synthetic identity fraud is the fastest-growing financial crime in the United States, according to KPMG. Globally, it also represents the fastest-growing segment of cybercrime across industries, jumping 153 percent from late 2023 to mid-2024, according to TransUnion.

How Can Businesses Reduce The Risk Of Falling Victim To Synthetic Identity Fraud?

Synthetic identity fraud is actually not new.

In fact, the Federal Reserve explored the effects of this type of cybercrime in its July 2019 whitepaper “Synthetic Identity Fraud in the U.S. Payment System.”

More recently, its escalating frequency and financial damage are raising alarm bells, prompting government agencies such as the Federal Trade Commission and cybersecurity organizations to warn businesses of the rising threat and the importance of implementing strong controls to mitigate risk.

Generative AI and deepfake technology are only making it easier to generate made-up images to pair with valid social security numbers.

While detecting such fraud can be hard, there are some steps you can take to protect your business.

Here are 5 security measures you can take to strengthen your defenses against this threat and protect your sensitive information.

1. Adaptive authentication

  • Implement robust authentication controls that can adjust user identity verification requirements depending on changing risks, such as user behavior, device, geographic location, or time of day. 

  • Multi-factor authentication, passkeys, and identity and access management (IAM) security solutions can be effective tools to use in risk-based adaptive authentication.

2. AI tools

  • Using cybersecurity tools with Gen AI and machine learning can offer advanced data analytics, allowing you to check for anomalies or irregularities such as personal information that doesn’t match public records, IP addresses that don’t align geographically with the stated physical address, or other inconsistencies.

3. Deploy anti-bot software

  • Use anti-bot platforms to quickly distinguish fake, automated bots from real people.

  • These platforms can prevent bots from accessing your website or other online resources before an attack.

4. Establish strong onboarding screening practices

  • Set up a system to verify identities throughout the application and review process, including names, social security numbers, physical addresses, email addresses, phone numbers, driver’s licenses, and other personally identifiable information.

5. Employee cybersecurity awareness training

  • Provide regular cybersecurity awareness training to your employees and educate them on your security policies and procedures to minimize risks and foster a cybersecurity culture within your organization.
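
A rule-based sketch of the consistency checks described in measures 2 and 4, with the result feeding a step-up decision in the spirit of measure 1. This is an added example, not code from this article or from any vendor; the application records are constructed, and the field names, reason codes, and decision thresholds are assumptions.

```python
from collections import defaultdict

# Constructed applications, not real data. SSNs use the never-issued 000 area.
APPLICATIONS = [
    {"id": "A1", "ssn": "000-00-0001", "name": "Dana Reyes", "dob": "1984-03-02",
     "phone": "555-0100", "email": "dana@example.com", "state": "CT", "ip_state": "CT"},
    {"id": "A2", "ssn": "000-00-0002", "name": "Lee Marsh", "dob": "2015-06-11",
     "phone": "555-0111", "email": "lm@example.net", "state": "CT", "ip_state": "NV"},
    {"id": "A3", "ssn": "000-00-0002", "name": "Lia Marsch", "dob": "1990-01-20",
     "phone": "555-0111", "email": "lia@example.org", "state": "MA", "ip_state": "NV"},
    {"id": "A4", "ssn": "000-00-0003", "name": "Sam Ortiz", "dob": "1979-09-09",
     "phone": "(555) 0111", "email": "so@example.com", "state": "NY", "ip_state": "NY"},
]

def normalize(value):
    """Lower-case and drop punctuation so formatting tricks do not hide reuse."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def screen(applications):
    """Return {application id: sorted reason codes} (codes are hypothetical)."""
    identities = defaultdict(set)   # SSN -> distinct (name, dob) pairs seen
    contacts = defaultdict(set)     # (field, value) -> distinct SSNs using it
    for app in applications:
        ssn = normalize(app["ssn"])
        identities[ssn].add((normalize(app["name"]), app["dob"]))
        for field in ("phone", "email"):
            contacts[(field, normalize(app[field]))].add(ssn)
    findings = {}
    for app in applications:
        reasons = []
        if len(identities[normalize(app["ssn"])]) > 1:
            reasons.append("SSN_CONFLICTING_IDENTITY")
        for field in ("phone", "email"):
            if len(contacts[(field, normalize(app[field]))]) > 1:
                reasons.append(field.upper() + "_SHARED_ACROSS_SSNS")
        if app["ip_state"] != app["state"]:
            reasons.append("IP_GEO_MISMATCH")
        findings[app["id"]] = sorted(reasons)
    return findings

def decide(reasons):
    """Assumed policy: clean -> approve, one signal -> step-up, more -> review."""
    if not reasons:
        return "approve"
    return "step_up_verification" if len(reasons) == 1 else "manual_review"

if __name__ == "__main__":
    for app_id, reasons in screen(APPLICATIONS).items():
        print(app_id, decide(reasons), reasons)
```

The checks compare each application against every other one on file, so a number that reappears under a different name or date of birth is caught even when each application looks plausible on its own.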

The Bottom Line: Protecting Your Business From Synthetic Identity Theft

Bad actors are getting craftier in their methods for stealing sensitive information to line their pockets. That doesn’t mean you have to wait for a crime to happen before you take action.

After reading this article, you understand what synthetic identity fraud is and how to protect your sensitive data and your business from ever-lurking bad actors looking to exploit a weakness within your security defenses.


About Eileen Smith

Eileen merges her extensive experience as an educator and professional journalist into her role as Kelser’s Content Manager. She brings a different perspective in translating complex technology ideas into easy-to-understand articles.
