What do you get when you combine real identity data with fabricated data? You get what is commonly termed a “synthetic identity.” It exists only in the virtual world but can wreak havoc in the real one.
The foundation of a synthetic identity is personally identifiable information along with a compromised Social Security number that acts as the essential linchpin. In order to avoid detection, fraudsters prefer to use Social Security numbers of those least likely to use credit, such as the elderly and children. This synthetic identity may be comprised of one person’s name, a second person’s Social Security number, a third person’s physical address, and some fabricated information such as a fictitious place of employment. This semblance of an identity — made from combining just enough real data and just a bit of fake data — allows fraudsters to apply for credit, make major purchases, and establish a convincing financial history over time.
And the use of synthetic identities is growing. According to the Justice Department, synthetic identities derived from compromised Social Security numbers is one of the fastest growing forms of identity theft in the United States. TransUnion reports that a record $355 million in outstanding credit-card balances are owed by people who it suspects did not exist in 2017. Lastly, Accenture PLC listed synthetic identity fraud as one of the biggest threats facing financial institutions in 2018, and reports it will cost billions of dollars and countless hours as financial institutions “chase down people who don’t even exist.”
The difficulty in detecting the fraudulent use of Social Security numbers is, in part, an unintended consequence of the Social Security Administration’s attempt to reduce identity fraud. In the past, a Social Security number was comprised of a three-digit geographic number, a two-digit age group number, and a four-digit serial number. However, in July 2011, the agency began randomizing Social Security numbers partly in response to concerns that fraudsters could reconstruct them from public records. Because of randomization, financial institutions can no longer pair a Social Security number with a credit applicant’s place and date of birth to help verify the applicant’s identity.
An active synthetic identity fraud also creates a fragmented credit file. A fragmented credit file refers to additional credit report information, comprised of some combination of real and fabricated data, tied to a valid Social Security number. Negative information entered into a fragmented file that is linked to a consumer’s Social Security number has the potential to cause real world harm. For example, if a synthetic identity fraud results in a defaulted loan, the fraud can result in harm to a real consumer’s credit rating even though the name and date of birth attached to the fraud are different. Credit blocks and alert notification services tied to a valid credit file are not effective when it comes to monitoring activity on a fragmented credit file.
Often credit unions rely on data analytics or information provided by third parties to detect traditional forms of identity fraud. Data analytics typically focus on suspicious activity, such as accounts with large transactions, transactions made in geographic areas deemed high-risk, and patterns of insufficient payments or bounced checks. They often look for rapid changes in customer behavior consistent with traditional identity fraud. Unfortunately, building a financial history with a synthetic identity is typically a slower process, so a credit union may not realize an account is fraudulent until after fraud has already occurred, if at all.
Despite the difficultly, there are a few things a credit union can do to increase its chances of identifying a possible synthetic identity. These include:
- Utilizing a more effective data analytic tool that flags seemingly unconnected accounts based on similar data fields such as a phone number;
- Monitoring for any Social Security number that matches a different consumer while no credit file is available for the requested applicant; and
- Monitoring for credit files where the name and address of the applicant match, but the Social Security number matches a different consumer and vice versa.
Likewise, there are a few things consumers and credit union members can do determine if their Social Security number is associated with a synthetic identity:
Check their annual Social Security statement to ensure that the reported income figure is in line with what was actually earned.
Be on the lookout for mail that is sent to their home with someone else’s name on it.
- U.S. Department of Justice, “Identity Thief sentenced for using a new form of fraud Synthetic Identities,” April 2017;
- U.S. Government Accountability Office, “Highlights of a Forum: Combating Synthetic Identity Fraud,” July 2017;
- Accenture Consulting, “Driving the Future of Payments,” 2017;
- Equifax “The New Reality of Synthetic ID Fraud How to Battle the Leading Identity Fraud Tactic in the Digital Age”