In the past few years, synthetic identity fraud has skyrocketed. The IRS recently posted a warning to taxpayers that it has seen a surge in unemployment and government benefits fraud, making it more important than ever for businesses to protect their customer data. Synthetic identity fraud is difficult to deal with because consumers are often unaware that their data was stolen until they apply for a mortgage or other loan and receive a rejection letter citing previous defaults on loans opened with their stolen identities.
After a consumer becomes a victim of identity theft and fraud, it takes years to clean up their credit report and rebuild their credit rating. Identity theft has long-term consequences for consumers, and the fraudulent activity often starts after attackers compromise a business application. Consumers suffer numerous consequences, and businesses lose billions yearly lending money to fraudsters. Every organization and consumer should test their environment and protect it from threats and the risk of compromise.
How Does Synthetic Identity Fraud Work?
When you apply for a loan or credit card, you give a lender your name, social security number (SSN), and address. It does not take a lot of personal information to apply for basic loans such as credit cards or financing for home repairs. You can apply for government benefits with your SSN and name. Because so little data and validation are required, many fraudsters go undetected.
With synthetic identity fraud, an attacker has access to an SSN or other Personally Identifiable Information (PII) and uses that information to build new identities. The SSN is valid, but the name is slightly different from the valid name matching the SSN. The address could belong to a co-conspirator or to a hapless victim whom the cyber-criminal uses to take delivery of credit cards and reship products to the fraudster. The fraudster can convince the victim that they are performing a legitimate job of delivering products. In actuality, the victim is sending goods to the attacker, who could be located in another country.
Synthetic identity works in two ways: manipulated and manufactured.
- Manipulated identity fraud: This type of fraud is based on existing identities. Fraudsters may change one digit of an existing SSN, or slightly change the data so that it matches a legitimate number that leads to a real consumer’s identity.
- Manufactured identity fraud: This type of fraud is also based on real identities, but it mixes several real identities to make a fraudulent one. In the first type, the identity closely resembles a real consumer, but the latter type is a brand new identity used with random SSNs generated within a legitimate range. Manufactured identities are the most difficult to detect because they are completely new identities used to defraud businesses. With a new identity, the fraudster then applies for credit cards and loans to take off with several thousand dollars. The business is left losing money, and it can be a costly mistake.
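The following added example (not code from the original article or from any vendor) shows how a lender could screen an application against records it already holds for the two manipulated-identity patterns described above, and why a manufactured identity passes the same check. The record layout, the function names, and the 0.85 name-similarity threshold are assumptions; the SSNs are constructed and use area number 000, which is never issued.

```python
from difflib import SequenceMatcher

# Constructed records on file. Area number 000 is never issued,
# so none of these values is a real SSN.
RECORDS = [
    {"ssn": "000-12-3456", "name": "Maria Gonzalez"},
    {"ssn": "000-98-7654", "name": "David Okafor"},
]

NAME_THRESHOLD = 0.85  # assumed cut-off for a "slightly different" name


def digit_distance(a, b):
    """Count the positions at which two nine-digit SSNs differ."""
    a = "".join(c for c in a if c.isdigit())
    b = "".join(c for c in b if c.isdigit())
    if len(a) != 9 or len(b) != 9:
        raise ValueError("SSN must contain nine digits")
    return sum(x != y for x, y in zip(a, b))


def name_similarity(a, b):
    """Case-insensitive similarity ratio between two names (0.0 to 1.0)."""
    return SequenceMatcher(None, a.casefold(), b.casefold()).ratio()


def check_application(app, records=RECORDS):
    """Return (flag, name on file) pairs that suggest a manipulated identity."""
    findings = []
    for rec in records:
        dist = digit_distance(app["ssn"], rec["ssn"])
        sim = name_similarity(app["name"], rec["name"])
        if dist == 0 and sim < 1.0:
            # Valid SSN on file, presented under a different name.
            kind = ("ssn_match_name_variant" if sim >= NAME_THRESHOLD
                    else "ssn_match_name_mismatch")
            findings.append((kind, rec["name"]))
        elif dist == 1 and sim >= NAME_THRESHOLD:
            # Same (or nearly the same) person, SSN altered by one digit.
            findings.append(("ssn_one_digit_off", rec["name"]))
    return findings
```

An identity built from an unseen SSN and name returns no findings here, which is the reason record matching alone does not catch manufactured identities.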
Synthetic Identity Fraud vs. Identity Fraud
Most people are aware of identity theft, where the victim is the consumer. With synthetic identity fraud, there is no individual victim. The identities are synthetic and don’t usually point to one specific individual target. Synthetic identity fraudsters target businesses and defraud them out of billions. Pew Research reported that businesses lost $20 billion in 2020 from synthetic identity fraud.
In a manipulated identity scam, most businesses detect that the fraudulent account has mismatched information. Manufactured identity fraud, however, is much more complex and often leads to tremendous monetary loss for a targeted business. In a manufactured identity fraud attack, most victims are banks and lenders. An attacker committing synthetic identity fraud aims to steal large amounts of money from banks and lenders rather than small amounts by stealing the identities of individuals who may have poor credit scores.
Most synthetic identities use a real SSN, so consumers can be affected. Children or people who rarely apply for loans are targets. These people would not be alerted to problems with their credit until it’s too late. Consumers also suffer from credit report issues for years, and businesses lose billions, so developers must build web applications that stop attackers from account takeover and automated authentication.
How Businesses Can Protect Consumer Data and Prevent Synthetic Identity Fraud
Cyber-criminals obtain user information from compromised web applications and physical threats (e.g., dumpster diving or shoulder surfing). Stolen information is often sold on darknet markets, where an extensive database of consumer information is disclosed. Anyone can buy this data and use it to create synthetic identities. This is the start of identity fraud and why developers must block cyber-attacks.
Surprisingly, most attacks are not targeted at a specific business. They start with an automated scan across several sites. The purpose of an automated scan is first to find a vulnerable business – any vulnerable business. An attacker might scan thousands of web applications, but it usually only takes a few hundred to find a potential target. Some automated scans also automatically exploit vulnerabilities. Automated exploits come from known common vulnerabilities where a proof of concept is already provided.
Developers must test their code for vulnerabilities, but detecting bots used to scan for vulnerabilities is also a viable way to stop attacks before they begin. Detecting bots can be done in several ways. Most of them are complicated and require huge development efforts. Fingerprint, however, lets you plug a library into your code and automatically start detecting automated exploit and scan attempts. It does the heavy lifting for developers and allows them to handle the way bot detection works. A web application could send server error messages or alert administrators to let them know the business is a target.
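As an added illustration of spotting the automated scans described above (this is a server-side log heuristic written for this page, not Fingerprint's library or its method), the sketch below flags clients that receive 403/404 responses for many distinct paths within a short window. The log lines are constructed, and the thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed access-log lines: documentation-range IPs, made-up requests.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.20 - - [10/Mar/2024:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 403 153
192.0.2.44 - - [10/Mar/2024:10:05:00 +0000] "GET /old-page HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:11:05:00 +0000] "GET /promo HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:12:05:00 +0000] "GET /img/a.png HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:13:05:00 +0000] "GET /img/b.png HTTP/1.1" 404 153
""".splitlines()


def find_scanners(lines, min_paths=4, window=timedelta(seconds=60)):
    """Return client IPs denied on >= min_paths distinct paths within window."""
    misses = defaultdict(list)  # ip -> [(timestamp, path), ...]
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, path, status = m.groups()
        if status in ("403", "404"):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            misses[ip].append((when, path.split("?")[0]))
    flagged = []
    for ip, events in misses.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct denied paths seen in the window opening at this event.
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_paths:
                flagged.append(ip)
                break
    return sorted(flagged)
```

The time window is what separates the burst from 203.0.113.7 from the client that hits four broken links over several hours.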
Fingerprint helps lower the risk of your business being the next compromise target, so you can avoid hefty fines for compliance violations, losing customers and their loyalty, brand damage, and litigation that can last years. Instead of being reactive, Fingerprint, in combination with your fraud tech stack, helps you be proactive with data loss prevention and cybersecurity. Monitoring and detection shouldn’t be your only form of application protection, but it is a practical first step in stopping cyber-criminals.