Fraudsters and financial institutions (FIs) are constantly evolving to best each other, and growth in synthetic ID fraud is revealing that many banks must enhance their security measures to stay in the lead. Traditional fraud-fighting methods can fail to detect this subtle form of deception, in which criminals cobble together details from numerous consumers to create unique identities. Fraudsters could pair one individual’s Social Security number with another’s passport information, for example — and these IDs can include some fake details as well.
Cybercriminals often use these identities to set up bank accounts and apply for credit cards and loans. One common attack method — known as bust-out fraud — involves fraudsters tricking banks into letting them open accounts and establishing reputable credit histories until they qualify for sizable loans. These criminals then apply for and receive funding and ultimately vanish without repaying.
Researchers dubbed synthetic ID fraud the “fastest-growing form of identity theft” in the U.S. in 2019, and criminals reportedly used these attacks to make off with $14.7 billion from the nation’s consumers in 2018. Most banks still need to upgrade their security methods to handle the issue, too. One study found that FIs’ traditional fraud detection approaches failed to flag between 85 percent and 95 percent of credit applicants believed to be using synthetic IDs, for example.
Banks have often relied on credit scores to assess these applications, but bad actors using synthetic IDs can develop good credit histories before ultimately busting out. This month’s Deep Dive delves into how synthetic ID fraudsters slip past traditional defenses and examines how FIs can adopt sophisticated fraud-fighting strategies to stop them.
How Cybercriminals Power Synthetic Id Fraud
Banks typically verify new customers’ identities by asking them for personal details such as their employment information, previous addresses and Social Security numbers (SSNs). This data is often publicly available, however, and data breaches have also made it far easier for criminals to obtain such details and use them to fashion compelling and realistic fake IDs. More than 471 million consumer records were exposed in 2018, for example, giving fraudsters ample access to information with which to launch their schemes.
Fraudsters often attempt to victimize consumers who are least likely to realize that their details have been stolen and are being illicitly used. Many cybercriminals take SSNs from elderly consumers, for example, who are less likely to check their credit scores and discover that something is amiss. Bad actors also steal personal data from children, who frequently do not discover that their information has been abused until they are old enough to apply for bank, credit card or mobile phone accounts. This could be why synthetic fraud scams are 51 times more likely to involve children’s SSNs than those of adults. Criminals’ skill at hiding their ploys from consumers makes it all the more important for FIs to shore up their defenses to thwart or catch them.
Frustrating The Fraudsters
FIs must ensure that account applicants provide personal details that truly belong to them, which can involve more rigorously verifying that SSNs line up with other application information. Credit reporting agency Equifax recommends that banks check to see if the names and addresses on applications are associated with SSNs that differ from those given, for example, or if the SSNs provided appear in different consumers’ records. SSNs that cannot be matched with specific consumers could also indicate fraud.
The U.S. Social Security Administration also sought to offer FIs additional identity verification support, creating a digital service that allows FIs to confirm that the SSNs, names and birth dates provided during account openings match those the government has on file. The program was announced last year and launched as a pilot in June, but it is slated to be offered to more participants later this year.
Banks are incorporating harder-to-steal details in their verification processes as well, looking beyond knowledge-based information and gathering details about customers’ online behaviors. FIs might examine whether account opening requests purported to be from certain consumers have been sent from the same devices they typically use when engaging online, for example. FIs can also check whether requests are coming from devices or through channels that could be associated with fraudsters.
Users’ behavioral patterns can likewise help FIs decide whether consumers’ account opening attempts are legitimate as these details can be harder for fraudsters to replicate. Banks can deploy machine learning (ML) tools to sort through and analyze the vast amounts of data required for this approach. Such advanced learning solutions enable FIs to process more information than human staff could, too, empowering banks to gather insights into each user’s unique behaviors.
Effective fraud-fighting requires constant innovation, and FIs need to expand their data collection efforts, tap more resources to verify consumers’ identities and leverage advanced analytics to get ahead of the latest ploys. Moving beyond traditional security approaches can help them tackle synthetic ID fraud and better safeguard the financial industry.