Featured article

Fighting fake identities

How the U.S. Federal Reserve’s synthetic identity fraud resources can help the financial sector

Fraudsters create identities from bits and pieces of fictitious or stolen personally identifiable information. The U.S. Federal Reserve provides a one-stop online toolkit with downloadabl resources to help educate financial institutions and other businesses about synthetic identity fraud and how to protect themselves.

Fraudsters hit a gold mine several years ago. They used complex data storage and virtualization machines to combine stolen personally identifiable information (PII) — names, addresses, Social Security numbers (SSNs), birthdates and the like, plus fabricated data — to create “humans.” They used these synthesized identities to automatically open bank accounts and shell companies and to monitor bank activity, patiently waiting for opportunities to cash in.

Then along came the COVID-19 pandemic and emergency relief programs that were deployed to help those affected during these challenging times. The fraudsters were ready to call their dormant identities into action. They quickly created shell companies and repeatedly leveraged thousands of identities to apply for loans for their “employees,” taking millions of dollars from those who needed it most. Investigations are still ongoing, but many of these fraudsters have been prosecuted already, emphasizing the importance of synthetic identity fraud education as we seek to mitigate this type of fraud.

Fictitious identities from real information

We define ourselves — and how others think about us — via our unique identities, comprised of our nationalities, cultures, relationships, interests, likes and dislikes. Identities in the world of payments and security differentiate us and allow financial institutions to authenticate who we are based upon individual characteristics. One of the most frightening fraud scenarios is a stolen identity. Victims can lose money and property, and they’re forced to repair the damage done by nameless and faceless fraudsters. The physical and emotional toll can be immense.

Now, imagine if parts of your identity were used to create an entirely fictitious person. Synthetic identity fraud is the use of a combination of PII to fabricate a person or entity in order to commit a dishonest act for personal or financial gain. This type of fraud is different from traditional identity theft, where a fraudster steals an actual person’s identity. A synthetic identity may include some pieces of PII from a real person — such as a name, date of birth or SSN — with fabricated information — such as a mailing address, phone number or email address. (See “Synthetic Identity Fraud,” the Federal Reserve, FedPayments Improvement.)

However, you may ask, is synthetic identity fraud that big an issue — at least compared to traditional identity theft? The created “person” isn’t real, so the damage to individuals isn’t direct, correct?

Synthetic identity fraud isn’t a victimless crime. In essence, fraudsters may already be using parts of our identities, and we may not know it until it’s too late. Imagine a credit card company declining a teen’s application for a first credit card because a fraudster stole the teen’s SSN and destroyed their credit history.

The Federal Reserve, responding to industry requests, has released the Synthetic Identity Fraud Mitigation Toolkit to help the payments and anti-fraud industries. The toolkit provides an array of information that educates the industry about synthetic identities (also called synthetics), how they’re used in crimes and how to prevent and deter fraud. The toolkit, which was a collaborative effort among numerous industry participants, focuses on identifying important messages, materials and themes that can prove beneficial to end users. The industry said it needed a centralized location for this type of information, which will evolve and grow over time. (See “Synthetic Identity Fraud Mitigation Toolkit,” The Federal Reserve.)

Overview of synthetic identity fraud

Losses from synthetic identity fraud continue to increase and impact financial institutions of all sizes. A recent report estimated 2020 losses of $20 billion, but that number is likely underreported, because many synthetic fraud losses are often undetected or mistakenly reported as credit losses. (See “Report: Synthetic Identity Fraud Results in $20 Billion in Losses in 2020,” ABA Banking Journal, Oct. 20, 2021.)

Synthetic identity fraud can be challenging to detect because fraudsters may intentionally make accounts’ activities look legitimate, and there’s often no visible impact to other customer accounts that would trigger fraud reports or fraud claims.

While this type of fraud has been around for many years, fraudsters are finding more opportunities partly because of widespread digitization of financial systems and compromised PII. In 2021, the number of reported data breaches increased 68% year over year to the highest total ever, according to the Identity Theft Resource Center. (See “Identity Theft Resource Center’s 2021 Annual Data Breach Report Sets New Record for Number of Compromises,” Identity Theft Resource Center, Jan. 24, 2022.)

Synthetic identity fraud affects numerous organizations across multiple industries. Businesses become victims when they don’t receive payments for goods purchased and they determine those account holders don’t exist. Consumers, meanwhile, may see their credit affected if fraudsters used their SSNs or other PII to create the synthetic identities.

Synthetic identity fraud affects numerous organizations across multiple industries.

Children are especially vulnerable to synthetic identity fraud because their PII can be used for fraudulent activity that’s not detected until years later when they apply for credit or seek employment as young adults. A recent Javelin report estimates that one in 50 children are affected by identity fraud when their SSNs are stolen and possibly used to create synthetic identities. (See “Child Identity Fraud: A Web of Deception and Loss,” by Tracy Kitten, Javelin, Nov. 2, 2021.)

Fraudsters typically apply for a credit line, credit card or account when they want to introduce a synthetic identity into the financial system. Of course, that business often will decline the application because no credit profile history exists for the identity. However, the application establishes a credit file with the credit bureaus. The fraudster then continues applying for credit at multiple institutions until at least one approves an application. The fraudster uses that to build a positive credit history for the synthetic identity by making timely payments on purchases. The goal is to increase the credit limits and expand the financial relationship to gain access to other financial products.

Synthetic identity fraud goes beyond a typical payment default on a loan or line of credit. Fraudsters use these identities to facilitate and support criminal activities, such as human trafficking, terrorist financing and money laundering.

Sometimes, those not intending to commit fraud will create synthetics to repair credit, obtain housing, access utilities or open bank accounts. Their acts may seem benign, but using synthetic identities is still illegal and can result in criminal prosecution.

Evolution of synthetic identity fraud

The look and feel of synthetic identity fraud has evolved, driven primarily by changes in the payments landscape.

Prior to the COVID-19 pandemic, most large financial institutions were either preparing for or actually engaging in digital transformation — migrating their business models and key processes to digital channels — to become more efficient, agile and productive. However, the pandemic accelerated the move to digital channels because many institutions worried about negative customer impact when brick-and-mortar banking centers were shuttered.

This required businesses to quickly change operations and service models to remain competitive. They switched to digital payments and online account openings and credit applications for home and car loans, among others.

While these offerings were available pre-pandemic for many, demand quickly increased. Newly deployed processes often lacked crucial controls required to minimize risk, including in-person validation of physical documentation. Fraudsters exploited vulnerabilities by leveraging established synthetic identities that were lying in wait for the right time to cash out.

In 2021, the number of reported data breaches increased 68% year over year to the highest total ever, according to the Identity Theft Resource Center.

Industry action and progress on fighting synthetic identity fraud

In 2018, the Federal Reserve began working to improve awareness and understanding of synthetic identity fraud and create a sense of urgency about how to identify, prevent and mitigate it.The Federal Reserve, based upon industry feedback, prioritized providing a basic understanding of the issue, establishing a consistent definition for identification and reporting, and fostering an industry focus on detection and mitigation.

Beginning in 2019, the Federal Reserve published the first of three white papers with insights from focused research and industry input. These white papers outline contributing factors to synthetic identity fraud, detection methods and the importance of collaboration in this fight. One key message emerged during the research: “No organization can stop synthetic identity fraud alone.” (See “Synthetic Identity Fraud,” the Federal Reserve.)

Additionally, a focus group of industry fraud and payment experts worked with the Federal Reserve to develop an industry-recommended definition of synthetic identity (released by the Federal Reserve in April 2021 and included earlier in this article). A commonly accepted definition within and across organizations enables them to discuss, identify and classify synthetic identity fraud in similar ways. To supplement the definition and further educate the industry, the group also outlined identity elements that fraudsters may use to create synthetic identities, common uses of synthetics and potential application of the definition.

Feedback during industry engagements consistently identified a need for a comprehensive mitigation toolkit, which would be an informative resource for financial institutions to aid them in their fight against this fraud.

Toolkit organized into modules

The Fed published the Synthetic Identity Fraud Mitigation Toolkit in February 2022. We all learn differently, so the toolkit delivers information via multiple mechanisms. The toolkit contains downloadable documents, videos, questionnaires and interactive tools that show different scenarios to challenge site visitors to spot synthetics. It begins with an overview and moves to progressively more detailed documents based on the level of complexity requested by stakeholders. The goal is to provide straightforward and engaging content that covers specific components.

The toolkit’s design, which is based on industry feedback, follows a series of modules that are segmented to make the information consumable. The toolkit highlights topics, such as basic education on synthetic identities, uncovering synthetics that may unknowingly be part of a portfolio and information on how consumers can handle becoming a victim of synthetic identity fraud. Here are the highlights:

Modules 1 to 4

The industry-recommended definition is recapped to establish a common understanding of synthetic identity fraud.

The modules then describe how synthetic identity fraud is perpetrated. They also outline contributing factors and uses where a synthetic identity might be lurking, disguised as a good customer.

To make the story relatable to users, one section is dedicated to use cases, which show how fraudsters can use synthetic identities to capitalize on various situations. The modules include consumer-facing resources that financial institutions can make available to customers to help them protect PII and obtain assistance if their information is compromised. The toolkit landing page delivers content in an informative and fast-paced style for readers with limited time. It’s headlined by an educational video that offers an overview of synthetic identity fraud.

Modules 5 and 6

The documents in these modules discuss detecting and mitigating synthetic identities throughout the life cycle of a relationship with the customer — beginning with account opening, then by looking within a portfolio and then after a loss. Validating an identity is a difficult task, and if organizations are better aware of tools that can assist, they can more quickly identify synthetic identities before they do harm. These modules also offer a series of videos and interactive demos that track the life cycle of a relationship and provide unique learning experiences throughout.

Modules 7 and 8

The content in these modules explores the use of alternative data and artificial intelligence/machine learning for validation and detection of synthetics. They include detection and mitigation success stories and detail different scenarios where technology has played a key role in reducing losses from synthetic identity fraud. The modules outline the importance of data and data strategy. They also emphasize that comprehensive, accurate reporting is crucial to understanding synthetics within your portfolio, and ultimately to detecting and preventing them.

Many financial institutions continue to experience losses because of synthetic identity fraud, but it’s challenging for them to quantify because they often classify the losses as credit losses and don’t identify the underlying frauds causing them. These modules end by highlighting the importance of collaboration in the fight against synthetic identity fraud. Most synthetics aren’t unique to one organization, so working together can play a crucial role in shutting down these attacks.

Dynamic repository

The Federal Reserve created the toolkit to be a valuable industry resource in the fight against synthetic identity fraud. The Fed will continue to add content to support the industry, which will make the toolkit a dynamic repository.

Learn more by visiting the Synthetic Identity Fraud Mitigation Toolkit at fedpaymentsimprovement.org to see how it can benefit your organization, colleagues and customers.

If you have feedback on the insights and resources in the toolkit, or thoughts on new information and materials we should include, contact the Federal Reserve’s secure payments team at securepayments@bos.frb.org.

Any views expressed herein are solely those of the authors and do not necessarily represent the views of the Federal Reserve System.

Mike Timoney, CFE, vice president of secure payments at the Federal Reserve Bank of Boston, leads the team responsible for the Federal Reserve System’s strategy for payment security. Contact him at Michael.Timoney@bos.frb.org.

Staci Shatsoff, assistant vice president of secure payments at the Federal Reserve Bank of Boston, leads the execution of programs that advance payment security and fraud mitigation. Contact her at Staci.Shatsoff@bos.frb.org.

[See sidebar: “How to spot a synthetic identity”.]