
Digital criminals are creating new and effective ways to con businesses and financial institutions by using synthetic identity fraud. They are having enough success that those in the know at McKinsey and Company are more than a little concerned:

“By our estimates, synthetic identity fraud is the fastest-growing type of financial crime in the United States, accounting for ten to fifteen percent of charge-offs in a typical unsecured lending portfolio.”

Laura Hoffner, current chief of staff at Concentric and former naval intelligence officer, is also concerned. “We’re seeing a huge increase in synthetic identity fraud — the process of combining real and fake personal information to create an identity and commit fraud,” Hoffner said during an email conversation. “It’s really growing, fueled by easy criminal access to corporate networks and Ransomware as a Service (RaaS) tools.”

Part of the problem, according to Hoffner, is the amount of personally identifiable information (PII) that has been compromised over the last 10 years. “Access to compromised networks is cheap, thanks to the availability of initial-access brokers and RaaS tools that can turn everyday petty crooks into full-blown cybercriminals in an afternoon,” Hoffner said. “This trend is most prevalent in the United States because of the emphasis on static PII to verify identity.”

The popularity of social media is another reason for the increase in synthetic identity fraud. People are more comfortable putting personal information on the internet. Answers to what appear to be benign questions, such as place of birth, first car or first boyfriend or girlfriend, are details that can be used as identity confirmations.


What exactly is synthetic identity fraud?

Synthetic identity fraud melds factual information with fake information to create a unique identity that cybercriminals can exploit. An example of factual information commonly used by digital fraudsters would be Social Security numbers (SSNs) — especially SSNs of young children and deceased adults, due to a lack of activity and monitoring of those accounts. False information tends to include fake addresses, social media profiles or any required information to complete the targeted financial application. “Together, this creates an entirely new identity through which fraudulent and illicit activity can go unchecked,” Hoffner said.

Another option open to digital fraudsters is using several identities simultaneously. This allows the creation of multiple accounts and the possibility of keeping one or more available for months before they’re all discovered.

And let’s not forget the successful dark-side tactic appropriately named bust-out fraud. In that scenario, cybercriminals use synthetic identities to create a typical usage pattern and repayment history — and then “max out the card with no intention of paying the bill.”


What can be done to avoid synthetic identity fraud?

Sadly, synthetic identity fraud is difficult to detect and thus hard to prevent. And as mentioned earlier, we consumers can do little to protect ourselves. Buyers have to rely on businesses and financial institutions to have sophisticated equipment to spot synthetic identity fraud.

One way to reduce the chance of falling victim to synthetic identity fraud is to use the minimum amount of information needed to complete the online task. Additionally, Hoffner suggested, “Use a password manager that can securely store passwords, and let the user know if the site is genuine or not, as password managers will not fill in additional personal information if the site or address is suspect.”

Hoffner also looked at what other countries are doing, as they’re not affected by synthetic identity fraud nearly as much as the United States. It seems the key is dynamic identification. “Dynamic identification relies on behavioral information, such as checking if the user is browsing on an unfamiliar device, whether they’re logging in from an unfamiliar location, or whether they’re clicking through a page faster or slower than usual,” Hoffner said. “By focusing on the user’s behavior, the proven identity is more personal and harder to turn into a synthetic identity.”
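The three behavioral signals Hoffner lists can be checked against a per-user baseline, as in this added example (not code from the article, Hoffner or Concentric). The field names, the z-score limit, the 0.5-second floor and the allow/step_up/review labels are assumptions, and the sample baseline is constructed.

```python
from dataclasses import dataclass, field
from statistics import mean, stdev

@dataclass
class Baseline:
    """Per-user history built from previously verified sessions."""
    devices: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    dwell_secs: list = field(default_factory=list)  # avg seconds per page, one per session

def pace_zscore(baseline, dwell):
    """Distance of this session's click-through pace from the user's norm."""
    if len(baseline.dwell_secs) < 3:
        return 0.0  # too little history to judge pace
    # Floor the spread (assumed 0.5 s) so a very steady user is not flagged on noise.
    spread = max(stdev(baseline.dwell_secs), 0.5)
    return (dwell - mean(baseline.dwell_secs)) / spread

def assess(baseline, device, location, dwell, z_limit=3.0):
    """Return (decision, reasons) for one session."""
    reasons = []
    if device not in baseline.devices:
        reasons.append("unfamiliar device")
    if location not in baseline.locations:
        reasons.append("unfamiliar location")
    # abs() catches both "faster" and "slower than usual".
    if abs(pace_zscore(baseline, dwell)) > z_limit:
        reasons.append("unusual pace")
    # 0 signals: allow; 1: ask for extra verification; 2 or more: manual review.
    decision = ("allow", "step_up", "review")[min(len(reasons), 2)]
    return decision, reasons

# Constructed sample baseline for one established customer.
SAMPLE = Baseline(
    devices={"dev-a1"},
    locations={"US-CO"},
    dwell_secs=[8.0, 9.5, 7.5, 8.5, 9.0],
)

if __name__ == "__main__":
    for session in [("dev-a1", "US-CO", 8.8),
                    ("dev-zz", "US-CO", 9.0),
                    ("dev-zz", "RO-B", 1.2)]:
        print(session, assess(SAMPLE, *session))
```

An account with an empty baseline gets flagged on device and location by construction, which is why a freshly created identity cannot pass as an established one under this kind of check.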

Final thoughts

Synthetic identity fraud is a growing problem in the United States. Because of its broad scope — consumers, businesses, financial institutions and government agencies — synthetic identity fraud can’t be successfully addressed by individual organizations. It will require all stakeholders working together to mitigate the financial burden created by synthetic identity fraud in the United States.