A new kind of identity theft that combines stolen personal data with fabricated information is on the rise, and it’s helping more digital thieves ruin Americans’ credit without fear of detection, according to a new white paper from the U.S. Federal Reserve.
Known as “synthetic identity theft,” the tactic is distinct from traditional forms of identity fraud. Instead of stealing a person’s name, Social Security number and opening lines of credit, thieves combine a fake name and other fictional personal data such as a date of birth with a true Social Security number. It’s the fastest-growing type of financial crime in the U.S. thanks mostly to a huge uptick of personal information exposed in data breaches in recent years, according to the paper published Monday.
“With synthetic ID fraud you can run the same playbook over and over again with 10 or 20 identities and they can’t even track you down because it’s not even a real identity,” Geoff Miller, head of global fraud and identity solutions at TransUnion, told CyberScoop in a recent interview. “Over the past six or seven years, they’ve come up with a pretty plan where they can walk away with up to $250,000 without getting caught.”
The U.S. Department of Justice last month unsealed indictments against 11 defendants accused of using synthetic identities to make $3 million in charges that were never repaid. With fake identities, defendants allegedly obtained credit cards that were then used to purchase residential properties in Queens, New York and set up shell companies. In another case, the Justice Department in 2013 charged 18 people with involvement in a decade-long scam that spanned 28 states and eight countries to fraudulently obtain more than 25,000 credit cards and rack up $200 million in charges.
More than 446 million records were exposed between 2017 and 2018, according to recent figures from the Identity Theft Resource Center. Those addresses, social media accounts, identity documents, names, dates of birth and SSNs provide plenty of fodder for scammers who combine that information with fake versions to defeat bank security controls.
Financial “Know Your Customer” rules require banks and lenders to verify the identities of their clients to ensure they’re not doing business with criminals or engaging in illegal activity. Synthetic identity thieves can meet these requirements with real stolen information, while masking their true identity with falsified data that won’t trigger any red flags at the bank.
Synthetic identity fraud cost lenders $6 billion in 2016, according to the consultancy firm Auriemma Insights, the most recent numbers cited in the Federal Reserve report.
“Banks will not look at every instance of fraud,” said Miller. “They’ll look at evidence if it’s significant enough, but that happens very rarely…There’s the customer expectation that whoever brings me service the fastest gets my business, and that opens the door for more fraud.”
The Fed does not propose any solutions to the ongoing crime spree. In fact, it says it’s difficult to even know the full extent of synthetic identity theft in the payments industry because of a lack of consistency in identifying synthetic identities, a lack of investigation, a lack of awareness and a lack of reporting.