Synthetic identity theft is the fastest-growing financial crime in the U.S., and despite being predicated on fake identities, it’s not a victimless crime. In fact, synthetic identity theft has far-reaching repercussions that can cost individuals thousands and businesses billions. Here’s what you need to know about what synthetic identity theft is and how to prevent it.
What is synthetic identity theft?
Synthetic identity theft is a type of identity theft in which criminals create fake identities to commit fraud. The fake identities can be completely bogus, or a combination of fake information and information stolen from real people. Fraudsters then use this fake identity to take out loans, commit financial fraud, defraud government agencies, launder money, and even perpetrate serious crimes such as terrorism and human trafficking.
Synthetic identity fraud is a growing problem as criminals have discovered it’s lucrative and difficult to detect. Consider these statistics:
- Synthetic identity theft costs banks and other financial institutions $20 billion per year (American Bankers Association)
- Thieves who target banks steal an average of $81,000 to $97,000 before the fraud is discovered (ABA)
- As many as 1 in 50 children are victims of synthetic identity fraud, and it costs an average of $1,000 to repair a child’s stolen ID (PYMNTS)
- The average creditor charge-off due to synthetic identity fraud is $15,000 (KPMG)
- Synthetic identity theft cost businesses nearly $2.5 billion in 2022 and is expected to reach $5 billion by 2024 (Forbes)
Anyone can fall victim to synthetic identity theft, but fraudsters most eagerly target vulnerable populations such as senior citizens, children, prisoners, and the homeless – people who aren’t likely to closely monitor their credit reports. After all, few parents think about checking their children’s credit reports or even know they have them. Thieves also target banks, government agencies, and even deceased individuals.
Despite being based on spoofed IDs, synthetic identity theft is not a victimless crime as it can have a negative and potentially devastating impact on both consumers and businesses.
Thieves can take out loans in your name, wreck your credit score, and limit your ability to get a new credit line. In some cases, you can end up with a fragmented credit file that links your Social Security number or other personally identifiable information (PII) with someone else’s name. The fragmented information negatively impacts your credit score but doesn’t show up on credit reports.
If any piece of your personally identifiable information is used in illegal activity such as fraud, trafficking, or terrorism, it could be traced back to you and you could face criminal charges. Victims of synthetic identity fraud can face a long, costly, and emotionally distressing battle that takes months or even years to resolve.
Businesses and financial institutions
Businesses, banks, financial institutions, and creditors stand to lose significant money to synthetic identity thieves who create a new identity to commit financial fraud and take out large loans, max out credit cards, or make fraudulent purchases and disappear. Moreover, businesses can face fines for Know Your Customer (KYC) noncompliance, lawsuits from customers whose identities have been compromised, reputational damage, and loss of trust.
Consider these real-world synthetic ID theft cases:
- Two Florida men were charged with using synthetic identities to swindle banks and steal more than $3 million from COVID-19 relief programs (Dept. of Justice)
- A Georgia man was sentenced to prison for his part in a nationwide fraud ring that used multiple identities to steal nearly $2 million. The synthetic identities were created using stolen Social Security numbers, including those from children (Dept. of Homeland Security)
- An Arkansas man was startled to discover a bank account in his name that he didn’t open. It was his first clue that he was a victim of synthetic identity fraud. He later discovered that scammers stole his information to create a new identity, then used the account to make payments totaling $15,000 (NBC)
Unfortunately, synthetic identity theft can have long-lasting repercussions, as victims must prove they’re not responsible for any debt incurred by identity thieves – often an expensive and time-consuming process.
Who creates synthetic identities and why?
Synthetic identities are typically created by criminals, either individual fraudsters or as part of organized crime rings that run sophisticated schemes to swindle banks, businesses, creditors, and individuals out of billions each year.
Scammers can use a fictitious identity to:
- Build credit and make major purchases: Crooks create a new identity, then establish strong credit and a low-risk buyer profile. Finally, they apply for new credit accounts and loans
- Repair credit: In some schemes, individuals use synthetic identities to conceal poor credit history so they’re eligible for mortgages, auto loans, and other lines of credit
- Conceal identities: Fraudsters hide their true identities to obtain housing, utility services, or to apply for jobs. Rather than steal money, the goal is to conceal who they really are
- Avoid arrest or prosecution: Similarly, some people create fake IDs to hide from police, prosecutors, and similar authorities. Synthetic IDs allow them to open bank accounts and new credit accounts or obtain employment, housing, and other necessities without being detected, arrested, and prosecuted
- Defraud the government: Some scammers create fake IDs to defraud various government programs and agencies, including unemployment, Medicare, Medicaid, the IRS, and the Paycheck Protection Program. For example, an identity thief could use a stolen SSN and other information to create a false identity and access government benefits, including unemployment benefits
- Commit other criminal activities: Synthetic identity fraud can be used to facilitate numerous other illegal activities, including money laundering, human trafficking, illicit drugs, and even terrorism
Once you understand how synthetic identity theft works, it’s easy to see why it’s an attractive scam for many criminals.
How synthetic identity theft occurs
In perhaps the most common scenario, fraudsters create a synthetic identity to build credit and cash out.
- Scammers acquire personally identifiable information via the dark web, people-search sites, and other means to create a synthetic identity
- The bad actors then use the synthetic identity to apply for credit, trying multiple institutions until they get approved
- Fraudsters slowly build credit over time, often up to 18 months or more, to establish a long credit history
- Once they’ve established a strong, long credit history and low-risk buyer profile, they’ll make a major purchase or take out a significant loan
- Finally, the scammers disappear with their stolen goods or money
Criminals often employ sophisticated strategies to reinforce the idea that the synthetic identity represents a real person. For example, they might:
- Set up and maintain social media accounts
- Open utility accounts (electric, water, gas, Internet, etc.)
- Create fake driver’s licenses, passports, and other “official” documents
- Join rewards programs
- Use PO boxes or vacation homes as “drop addresses” where they can receive credit cards or products without revealing their true locations
Though everyone’s personally identifiable information is unique, it’s relatively easy for criminals to create synthetic identities, make them appear legitimate and use them to commit fraud.
How are synthetic identities created?
According to the Federal Reserve, criminals use three primary methods to create synthetic identities:
- Identity fabrication: Criminals spoof Social Security numbers and other personally identifiable information to create a completely fake identity. For example, a thief could imagine a new name, choose a random date of birth, and create an SSN that mimics a valid number.
- Identity manipulation: Criminals modify real PII to create a fake identity. For example, a thief could use their real but slightly altered name, date of birth, and SSN to form a new identity.
- Identity compilation: Criminals mix legitimate Social Security numbers and other personally identifiable information from real people with fake information to create synthetic IDs. For example, a thief could pair your stolen Social Security number with a fictitious name and a PO box. This type of synthetic identity is sometimes referred to as a “Frankenstein” identity since it combines real and fake information.
The core components of a synthetic identity
A synthetic identity is typically comprised of primary and secondary elements:
- Primary: Personally identifiable information such as a name, SSN, date of birth, and tax ID
- Secondary: Phone numbers, email addresses, mailing addresses, and even digital footprints such as social media accounts and IP addresses
Primary elements are unique to an individual, while secondary elements help validate that the synthetic identity represents a “real” person. Fraudsters employ various methods to acquire this information, including:
- Phishing, smishing, and phone scams
- Data brokers and people-search sites
- The dark web
- Data breaches
- Physical theft
Though many scams are sophisticated, identity thieves only need a few tidbits of information to make synthetic IDs appear legitimate enough to avoid detection.
Why are synthetic IDs used for fraudulent activity?
Criminals use synthetic identities for fraudulent activity because they’re difficult to detect. Here’s why:
- Synthetic ID theft goes unreported: Though it’s not a victimless crime, many victims are unaware that their personally identifiable information is being used as part of a synthetic identity – and years can go by before they discover it
- The identities are fake: By their very nature, synthetic identities are fake, so it’s difficult for authorities to track down the real people behind them
- Synthetic IDs pass identification verification: Up to 95% of synthetic identities aren’t flagged by traditional identity verification models used by banks, creditors, and businesses
The best way for consumers to protect themselves against synthetic identity theft is to take steps to prevent it in the first place.
Prevention tips for consumers
1. Opt out of people-search sites
To prevent criminals from using your PII to create synthetic identities, you need to hide it from them in the first place. However, making your social media accounts private isn’t enough. Try Googling your first name + last name + city + state – you’ll see links not only to your social media but to your profiles on data broker and people-search sites as well.
Data brokers scour a wide range of public records and commercial sources like retailers to gather your personal information, combine it into “background reports”, and share them online for a profit. Such reports usually include your full name, phone number, date of birth, address history, marriage and divorce records, family members, voter registrations, and many other details that can be used to create synthetic IDs.
Consequently, removing your information from data brokers and people-search sites is crucial for protecting your identity. However, this process is long and tedious since you must send a removal request to each individual site, and even if they do remove your information, there’s a good chance they’ll just republish it later. With hundreds of people-search sites on the web, you’d need to invest hundreds of hours each year to keep your data private.
Onerep saves you time by scanning 199 sites and automatically removing your personal information for you. Then, we continually monitor each site to ensure your information isn’t republished. If it is, we begin the removal process all over again.
2. Safeguard your personal information
Keep your Social Security number and other personally identifiable information safe to avoid falling victim to synthetic ID theft. Never share more than you need to with online sites or on social media, keep sensitive documents under lock and key at home, shred any documents you do not need, and secure your wallet, purse, and mobile devices in public to avoid theft that could expose your personally identifiable information to criminals.
3. Check credit reports regularly
Keep an eye out for suspicious activity on your credit report, including unrecognized credit lines and credit applications. If your credit history is inaccurate or if your credit score seems to be dropping without explanation, that could be a red flag signaling that your Social Security number or other personally identifiable information is being used for synthetic identity fraud.
You can get a free copy of your credit report annually at AnnualCreditReport.com. Currently, all three major agencies – Equifax, Experian, and TransUnion – offer free weekly credit reports.
4. Review your Social Security statement
Your Social Security statement details your earnings history, future benefits, and other information about your account. Review it annually, at minimum, to check for errors or suspicious activity. The Social Security Administration mails statements to workers 60 years and older each year, but you can create a my Social Security account to view your statement online any time.
5. Set up account alerts and check your banking history
Set up alerts with your bank and other financial institutions to be automatically notified of large purchases, transfers, ATM transactions, low balances, and suspected fraud. Investigate any unexpected alerts about your bank accounts to help prevent synthetic identity fraud.
In addition, you can order a free copy of your consumer report from Early Warning, a consumer reporting agency co-owned by banking stalwarts such as Capital One, JP Morgan Chase, Wells Fargo, and Bank of America. Early Warning collects consumer banking information and shares it with financial institutions to help detect synthetic identity fraud.
The Fair Credit Reporting Act entitles you to a copy of your report, which includes information such as banking activity, balances, closed bank accounts, and which entities have recently accessed your data. If you discover inaccurate information in your report, you can contact Early Warning to dispute it.
6. Install antimalware on your devices
Antimalware scans your devices for viruses and other malicious software that can record your keystrokes, access your accounts, and steal your PII. Be sure to install it on all your devices, including desktop computers, laptops, tablets, and mobile phones, to help prevent synthetic identity fraud.
7. Sign up for ID theft protection services
Identity theft protection services typically include some combination of insurance to cover attorney fees, theft reimbursement, and credit monitoring. You can purchase identity protection services from many different companies, but first check your homeowner’s and auto insurance policies because some bundle it in with standard packages.
8. Review tax records
You should also review your IRS account to check for suspicious activity, such as someone using your Social Security number to claim tax refunds. Sign up for an account and review your records at IRS.gov to monitor for signs of synthetic identity fraud.
9. Learn to recognize common scams
Scammers employ various tactics to steal your personally identifiable information. Phishing and smishing scams may ask you to respond to emails or texts with PII or to click links that install malware on your devices. Bogus ecommerce sites, phone scams, and social engineering can trick you into giving up your sensitive personal and financial information. Some criminals are bold enough to steal your snail mail out of your mailbox to get the data they need to commit synthetic identity fraud.
10. Use strong passwords and two-factor authentication
Use strong passwords on all websites, apps, and bank accounts, and change them often. When possible, enable 2FA to provide an extra layer of security and keep hackers out of your online accounts. You can use a free service such as StrongPasswordGenerator.com to generate complex passwords that are difficult to crack.
Prevention tips for businesses
Businesses can prevent synthetic identity fraud by investing in fraud detection systems designed to identify, flag, and even block users based on risk factors and pre-set policies. Look for fraud detection systems with the following features:
1. Adaptive authentication
Traditional account authentication requires a username and password. If a user has the correct credentials, they can access online accounts.
Adaptive authentication takes account security to a deeper level. Instead of relying solely on login credentials, the system monitors risk factors such as user behavior and location, then assigns a risk score to each login attempt. Depending on the risk score, the system can then grant, block, or challenge access. Many systems leverage artificial intelligence and machine learning to determine whether a user exhibits normal or suspicious behavior that suggests synthetic identity fraud.
The following scenarios help illustrate how adaptive authentication works:
- A user attempts to access their account from their laptop in New York City at 2 p.m. The user has logged in from the same device and location at around the same time every day for a month, so the system grants access
- The same user attempts to access their account from a mobile phone in New York City at 2 p.m. The system recognizes a new device and challenges the user with two-factor authentication
- The same user attempts to access their account from a desktop computer in India at 3 a.m. The system recognizes a new device, location, and time, and either blocks access or requires additional authentication methods, such as biometric verification
Adaptive authentication is part of a zero-trust framework in which the system considers every user fraudulent until proven otherwise.
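The three scenarios above can be expressed as a small scoring routine. This is an added example, not code from any fraud detection product; the weights, thresholds, and names (LoginProfile, score_login, decide) are assumptions made for illustration, and all timestamps are assumed to be on one clock.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Assumed weights and thresholds, chosen for illustration only.
W_NEW_DEVICE = 40
W_NEW_LOCATION = 35
W_UNUSUAL_HOUR = 25
CHALLENGE_AT = 30   # score at or above this: require a second factor
BLOCK_AT = 70       # score at or above this: block or demand stronger proof
HOUR_TOLERANCE = 2  # hours either side of a previously seen login hour


@dataclass
class LoginProfile:
    """What the system has learned about one user's normal logins."""
    devices: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    hours: set = field(default_factory=set)

    def learn(self, device_id, location, when):
        """Record a login that was successfully authenticated."""
        self.devices.add(device_id)
        self.locations.add(location)
        self.hours.add(when.hour)


def _hour_is_usual(profile, hour):
    # Circular distance, so 23:00 and 01:00 count as two hours apart.
    return any(min((hour - h) % 24, (h - hour) % 24) <= HOUR_TOLERANCE
               for h in profile.hours)


def score_login(profile, device_id, location, when):
    """Return (score, reasons) for one login attempt."""
    score, reasons = 0, []
    if device_id not in profile.devices:
        score += W_NEW_DEVICE
        reasons.append("new device")
    if location not in profile.locations:
        score += W_NEW_LOCATION
        reasons.append("new location")
    if not _hour_is_usual(profile, when.hour):
        score += W_UNUSUAL_HOUR
        reasons.append("unusual hour")
    return score, reasons


def decide(profile, device_id, location, when):
    """Map a login attempt to grant / challenge / block."""
    # Edge case: with no history there is nothing to compare against,
    # so ask for a second factor instead of scoring everything as new.
    if not profile.devices:
        return "challenge", None, ["no login history"]
    score, reasons = score_login(profile, device_id, location, when)
    if score >= BLOCK_AT:
        return "block", score, reasons
    if score >= CHALLENGE_AT:
        return "challenge", score, reasons
    return "grant", score, reasons


if __name__ == "__main__":
    # Constructed history: a month of 2 p.m. laptop logins from New York City.
    profile = LoginProfile()
    for day in range(1, 31):
        profile.learn("laptop-1", "New York City", datetime(2024, 3, day, 14, 5))
    attempts = [
        ("laptop-1", "New York City", datetime(2024, 4, 1, 14, 0)),
        ("phone-1", "New York City", datetime(2024, 4, 1, 14, 0)),
        ("desktop-9", "India", datetime(2024, 4, 1, 3, 0)),
    ]
    for attempt in attempts:
        print(attempt[0], decide(profile, *attempt))
```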
2. New account identity verification
A good fraud detection system employs sophisticated identity verification to prevent fraudsters from opening new accounts.
When a new user attempts to open an account, the system can compare their submitted information to data found on global networks to verify name, address, phone number, and other PII. The system can also monitor the user’s digital footprint to assign a risk score. For example, if a new user claims they live in New York City, but their IP address places them in India, the system can automatically flag the account or deny access to prevent synthetic identity fraud.
3. Behavior monitoring
Fraud detection systems can continually monitor user behavior and employ artificial intelligence to grant, block, and challenge access or to approve and decline transactions.
For example, the system can track user profiles and identify typical purchase values and when and where purchases are made. If the system identifies a suspect transaction – such as a user who makes an abnormally expensive purchase or a transaction originating halfway across the globe – the system can flag the transaction and either challenge or block it according to pre-set policies.
How to resolve synthetic identity theft
Follow these steps if criminals have used your PII in synthetic identity theft schemes.
1. File a report at IdentityTheft.gov
Visit the Federal Trade Commission’s official site to report identity theft and create a recovery plan. The FTC also outlines steps to report fraud to companies and creditors as well as what to do in special circumstances such as tax fraud and child identity theft.
2. Place a fraud alert with credit bureaus and review your credit report
Place a one-year fraud alert on your credit with all three major credit reporting bureaus. A fraud alert requires businesses to verify your identity before they can extend credit to anyone using your name. You can renew the fraud alert for up to seven years. Here are links to place fraud alerts at each agency:
You should also request a copy of your credit report from each bureau and review it for unrecognized activity, then formally request corrections. The FTC provides a sample letter to request corrections and recommends including your official FTC identity theft report.
3. Report fraud to the OIG
Report fraud to the Social Security Administration’s Office of the Inspector General (OIG), especially if you believe your Social Security number has been compromised. You can also consult your local Social Security office. Use the Social Security Office Locator to find the closest location.
4. File a report with your local police department
Your local police department may or may not actively pursue your case – or they may refer you to other authorities – but having an official police report can help with creditors and law enforcement if you must prove you’re not the person responsible for fraudulent or other criminal activity.
You can also contact your state’s Attorney General to see if their office provides any synthetic identity fraud resources. Some states issue identity theft passports you can use to prove you’re the victim of identity theft to creditors, businesses, and law enforcement agencies.
5. Stop debt collectors
If you’ve received collection notices or calls for a debt you didn’t incur, contact each company within 30 days and explain you’re a victim of synthetic identity theft. The FTC recommends including your identity theft report and provides a sample letter to send to debt collection agencies.
6. Contact affected companies and close fraudulent accounts
Contact any companies where your name or PII might have been used for synthetic identity theft, and close any accounts opened in your name. If companies or creditors associate you with purchases or loans, request that they be removed from your account.
7. Lock your Social Security number
You can also consider locking your Social Security number, which prevents scammers from using it for employment purposes or from reporting income in your name to government agencies such as the IRS and Social Security Administration. Note that this feature is only available to those who use E-Verify, a service designed to confirm employment eligibility.
8. Change passwords and set up multi-factor authentication
Synthetic identity thieves might not access your online accounts since their scam is built around fake IDs, but it’s still a good idea to change your online and app passwords and set up multi-factor authentication. Create complex passwords and consider using advanced authentication methods such as biometric verification to keep scammers out of your accounts.
What is an example of synthetic identity theft?
An example of synthetic identity theft is when a criminal creates a “new” ID using your Social Security number and a fake name, address, and phone number. The scammer then builds a strong credit history before making a major purchase or taking out a large loan, then disappears.
What is the difference between identity theft and synthetic identity theft?
Traditional identity theft is when fraudsters steal your real identity and use it to make purchases, obtain medical services, or commit other types of fraud. Synthetic identity theft is when criminals use a combination of real and fake information to create a completely fake profile to perpetrate similar frauds. Regular identity theft is easier to detect because it targets real people, while synthetic identity fraud is more difficult to thwart.
How common is synthetic identity theft?
Synthetic identity theft is the fastest-growing type of financial crime in the United States. Globally, experts estimate that 46% of organizations have been victims of synthetic ID theft.
What is synthetic identity theft best defined as?
Synthetic identity theft is best defined as creating a fake identity to commit fraud for financial gain.
What are the red flags for synthetic ID?
Red flags for synthetic identity theft include lack of identifying documents (such as a driver's license), employment history, insurance coverage, or housing records; multiple opened accounts or transactions in rapid succession; a significant increase in credit score over a short period of time; mismatched PII; and numerous credit applications or requests for credit line increases.
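Several of the red flags listed above, together with the location check described under new account identity verification, can be screened for in application data. The following is an added example, not part of the original article or any vendor's system; the record fields, thresholds, and sample applications are constructed, and the SSNs use area number 000, which is never issued.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for illustration.
WINDOW = timedelta(days=7)
VELOCITY_LIMIT = 3  # this many applications on one SSN inside WINDOW is a flag

# Constructed sample applications (not real people or real SSNs).
APPLICATIONS = [
    {"id": "A1", "ssn": "000-12-0001", "name": "Dana Ruiz", "dob": "1988-04-02",
     "claimed_country": "US", "ip_country": "US", "submitted": "2024-03-01T10:00:00"},
    {"id": "A2", "ssn": "000-12-0001", "name": "dana  ruiz", "dob": "1988-04-02",
     "claimed_country": "US", "ip_country": "US", "submitted": "2024-06-10T09:30:00"},
    {"id": "A3", "ssn": "000-12-0002", "name": "Lee Park", "dob": "2015-09-17",
     "claimed_country": "US", "ip_country": "US", "submitted": "2024-03-02T11:00:00"},
    {"id": "A4", "ssn": "000-12-0002", "name": "Mark Stone", "dob": "1979-01-30",
     "claimed_country": "US", "ip_country": "IN", "submitted": "2024-03-03T12:00:00"},
    {"id": "A5", "ssn": "000-12-0002", "name": "Mark Stone", "dob": "1979-01-30",
     "claimed_country": "US", "ip_country": "US", "submitted": "2024-03-04T08:15:00"},
    {"id": "A6", "ssn": "000-12-0002", "name": "Mark Stone", "dob": "1979-01-30",
     "claimed_country": "US", "ip_country": "US", "submitted": "2024-03-05T16:40:00"},
]


def _norm(name):
    # Ignore case and spacing so formatting differences are not flagged.
    return " ".join(name.lower().split())


def _by_ssn(apps):
    groups = defaultdict(list)
    for app in apps:
        groups[app["ssn"]].append(app)
    return groups


def pii_conflicts(apps):
    """Mismatched PII: one SSN submitted with more than one (name, DOB) pair."""
    hits = set()
    for group in _by_ssn(apps).values():
        identities = {(_norm(a["name"]), a["dob"]) for a in group}
        if len(identities) > 1:
            hits.update(a["id"] for a in group)
    return hits


def velocity_hits(apps):
    """Rapid succession: VELOCITY_LIMIT or more applications on one SSN in WINDOW."""
    hits = set()
    for group in _by_ssn(apps).values():
        ordered = sorted(group, key=lambda a: datetime.fromisoformat(a["submitted"]))
        times = [datetime.fromisoformat(a["submitted"]) for a in ordered]
        start = 0
        for end in range(len(ordered)):
            while times[end] - times[start] > WINDOW:
                start += 1  # slide the window forward
            if end - start + 1 >= VELOCITY_LIMIT:
                hits.update(a["id"] for a in ordered[start:end + 1])
    return hits


def geo_mismatches(apps):
    """Claimed country of residence differs from the country of the source IP."""
    return {a["id"] for a in apps if a["claimed_country"] != a["ip_country"]}


def review_queue(apps):
    """Return {application id: sorted flags} for every flagged application."""
    checks = {"pii_conflict": pii_conflicts, "velocity": velocity_hits,
              "geo_mismatch": geo_mismatches}
    queue = defaultdict(list)
    for flag, check in checks.items():
        for app_id in check(apps):
            queue[app_id].append(flag)
    return {app_id: sorted(flags) for app_id, flags in sorted(queue.items())}


if __name__ == "__main__":
    for app_id, flags in review_queue(APPLICATIONS).items():
        print(app_id, flags)
```

A flag here is a reason for manual review, not proof of fraud; a geolocation mismatch in particular also occurs for legitimate travelers and VPN users.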