Battling Synthetic Identity Fraud
By Jeremy Dalpiaz
There’s a pivotal scene in Ocean’s 11 in which Matt Damon’s character asks if the grand heist is a “smash-and-grab job.” George Clooney’s character replies that it’s “slightly more complicated” and proceeds to reveal a multi-point scheme requiring hefty preparation to pull off.
Why in the world am I talking about a movie plot? Quite simply, it provides the perfect analogy for synthetic identity fraud. It delivers a major payout and avoids being flagged by 85 to 95 percent of traditional fraud models.
As the fastest-growing type of financial crime in the U.S., synthetic identity fraud has garnered increased attention and was the subject of a comprehensive Federal Reserve report earlier this month. That report, Synthetic Identity Fraud in the U.S. Payment System, defines this type of fraud as “a crime in which perpetrators combine fictitious and sometimes real information, such as social security numbers and names, to create new identities to defraud financial institutions, government agencies or individuals.”
How it Works
This type of insidious crime plays out over time in four key steps:
- Establish an identity by combining “real” information purchased on the dark web—such as the Social Security number of a child or one that hasn’t been issued—with fictitious identities created and substantiated via P.O. boxes or social media accounts.
- These fraudsters then take their crafted identities to apply for credit. When denied, they create a file that helps legitimize the false identity and repeatedly apply—via multiple banks and payday lenders as necessary—until they ultimately obtain credit.
- Grow their credit score and credit limits. This false identity is further established through a “piggybacking” process in which perpetrators pay accountholders with good credit to add them as authorized users to their accounts. The goal is to increase their line of credit as high as possible.
- “Bust out” with the money. Once their credit score rises high enough, they “bust out,” leaving maxed-out cards or unpaid loans in their wake and financial institutions to foot the bill. There’s also the potential for unsuspecting consumers to have a lot of financial clean-up to do.
This type of fraud generally goes unreported because its victims are most often individuals who aren’t checking their credit reports, including children, the elderly and the homeless. This means banks are left to pick up the tab for these unpaid charges, estimated at more than $15,000 per attack in 2016 and accounting for up to 20 percent of all credit losses, according to an Auriemma Group study.
So, what can be done? Customer education, for starters. For example, we can let our customers with young children know that they can place a freeze on their children’s accounts with credit bureaus and then lift it when the children become old enough to need credit. They also can consider “locks” for their own accounts, which are manually turned on and off with a mobile app. In addition, regular credit checks can help keep on top of any changes in ratings.
Having a staff that’s up-to-speed on how this fraud occurs and what to look for in applications will also go a long way in helping to safeguard banks. The Federal Reserve’s white paper is a great tool for opening the conversation, and I expect the Fed will continue its leadership on this subject, so look for more to come. ICBA also is available as a resource, so please feel free to reach out to us if you would like to share your thoughts with the Fed on this topic.
The complexity of synthetic identity fraud and the difficulty of detecting it are why we must remain vigilant if we hope to stay a step ahead. I’m confident that with our collective efforts, the synthetic identity fraud story will end differently than the Ocean’s 11 heist. In our case, we’ll be waiting to bust them as they try to “bust out.”
Jeremy Dalpiaz is vice president of cybersecurity policy at ICBA.