Summarize this article with
Synthetic identity fraud is a type of fraud where criminals create fictitious identities by combining real and fabricated personal information, such as Social Security numbers, names, and addresses, to open fraudulent accounts and build credit over time.
In the past few years, synthetic identity fraud has skyrocketed, making it more important than ever for businesses to protect their customer data. What makes synthetic identity fraud difficult is that consumers are often unaware of their stolen data until they file for a mortgage or other loans and receive a rejection letter for previous defaults on loans opened with their stolen identities.
After a consumer becomes a victim of identity theft and fraud, it takes years to clean up their credit report and rebuild their credit rating. Identity theft has long-term consequences for consumers, and often, fraudulent activity starts after data breaches where attackers compromise a business application. Consumers suffer numerous consequences, and businesses lose billions yearly, lending money to fraudsters. Every organization and consumer should test and protect their environment from threats and risk of a compromise.
In this article, we'll explain what synthetic identity fraud is, how it works, how it differs from identity theft, and ways businesses can implement effective fraud prevention.
What is synthetic identity fraud?
Synthetic identity fraud occurs when the perpetrator creates a completely fictitious identity with fake information to open a credit account, often using these fake identities to bypass traditional security checks. They may use stolen Social Security numbers, a real date of birth, a phone number, or other personally identifiable information (PII) to create a unique profile that looks like an actual person.
Who is most at risk?
Vulnerable populations:
- Children (whose SSNs are rarely monitored)
- Elderly individuals
- People with limited or no credit history
- Individuals who rarely monitor their credit reports
High-risk industries:
- Banking and lending
- Fintech
- Healthcare
- Online retail
How does synthetic identity fraud work?
When you apply for a loan or credit card, you give a lender your name, social security number (SSN), and address. It does not take a lot of personal information to apply for basic loans such as credit cards or financing home repairs. You can apply for government benefits with your SSN (social security number) and name. This little data and weak KYC (Know Your Customer) identity verification, lacking biometric checks, lead to many fraudsters being undetected.
Synthetic identity fraud is a common example of such misuse. In this scenario, an attacker gains access to an SSN or other Personally Identifiable Information (PII), which they use to forge new identities. While the SSN is valid, the name associated with it may be slightly altered. The address used could belong to an unwitting accomplice who receives credit cards and reships products on behalf of the fraudster.
Under the guise of a legitimate job, the fraudster can manipulate the victim into forwarding goods, potentially to the attacker located in a different country.
Warning signs of synthetic identity fraud
Businesses should monitor for these indicators:
- Mismatched SSN and name combinations
- Thin credit files with sudden activity spikes
- Multiple accounts linked to the same device or IP address
- Bot-like signup patterns or rapid-fire applications
- Inconsistent personal details across multiple applications
The two types of synthetic identity fraud
1. Manipulated Identity Fraud
This type of fraud involves modifying existing identities. Fraudsters may alter a single digit of an existing Social Security Number (SSN) or slightly adjust the data to mimic a valid number, thus stealing a real consumer's identity.
2. Manufactured Identity Fraud
Unlike manipulated identity fraud, manufactured identity fraud combines elements from various real identities to create a fraudulent one. While the former closely resembles a real consumer's identity, the latter is a completely new identity, often using randomly generated SSNs within a valid range.
Manufactured identities pose a significant challenge to detection, as they represent entirely new identities used to deceive businesses. Fraudsters typically use these identities to apply for a credit line, credit cards, and loans, potentially performing a bust-out and absconding with several thousand dollars. This leaves businesses at a loss and can result in substantial financial damage.
Synthetic identity fraud vs. identity theft
Synthetic identity fraud creates entirely new fictitious identities, while traditional identity theft impersonates existing real individuals. This fundamental difference affects how each type of fraud is detected and who becomes the victim.
| Factor | Synthetic Identity Fraud | Traditional Identity Theft |
|---|---|---|
| Victim type | Primarily businesses; no single individual victim | Specific individual whose identity is stolen |
| Data sources used | Combination of real and fabricated information | Stolen personal data from one real person |
| Primary targets | Banks, lenders, financial institutions | Individual consumers |
| Detection difficulty | Very difficult — identities appear legitimate | Easier — victims often notice unauthorized activity |
Most people are aware of identity theft, where the victim is the consumer. With synthetic identity fraud, there is no individual victim. The identities are synthetic and don't usually point to one specific individual target. Synthetic identity fraudsters target businesses and defraud them out of billions. Pew Research reported that businesses lost $20 billion in 2020 from synthetic identity fraud, and losses have continued to grow as fraudsters refine their techniques.
In a manipulated identity scam, most businesses detect that the fraudulent account has mismatched information. Still, manufactured identity is much more complex and often leads to tremendous monetary loss for a targeted business. In a manufactured identity fraud attack, most victims are banks, lenders, and other financial services. An attacker in synthetic identity fraud aims to steal large amounts of money from banks and lenders rather than targeting small amounts by stealing identities from individuals with the potential of having poor credit scores.
Synthetic identities often use real Social Security Numbers (SSNs), which can impact consumers. The targets are usually children or individuals who seldom apply for loans, who wouldn't be alerted to credit issues until it's too late. Consumers also suffer from credit report issues for years, and businesses lose billions, so developers must build web applications that stop attackers from account takeover and automated authentication.
How businesses can prevent synthetic identity fraud
Cyber-criminals obtain user information from compromised web applications, social media, and physical threats. Stolen information is often sold on darknet markets and the dark web, where an extensive database of consumer information is disclosed. Anyone can buy this data and use it to create synthetic identities. This is the start of identity fraud and why stopping cyber-attacks is a critical task for developers and fraud teams.
Surprisingly, most attacks are not targeted at a specific business. They start with an automated scan across several sites. The purpose of an automated scan is first to find a vulnerable business – any vulnerable business. An attacker might scan thousands of web applications, but it usually only takes a few hundred to find a potential target. Some automated scans also automatically exploit vulnerabilities. Automated exploits come from known common vulnerabilities where a proof of concept is already provided.
Developers must test their code for vulnerabilities, but detecting bots used to scan for vulnerabilities is also a viable way to stop attacks before they begin. Detecting bots can be done in several ways. Rate limiting, HTTP header analysis, and CDN-level traffic filtering can flag suspicious or non-human traffic. Behavioral signals like mouse movement and interaction timing can also help distinguish bots from real users.
Beyond bot detection, businesses can take broader steps to reduce their exposure to synthetic identity fraud. At account creation, third-party identity verification services can cross-reference government IDs, selfies, and public records to confirm that the person behind an account is who they claim to be. Additionally, fraud teams should monitor velocity signals. When multiple accounts are created from the same device, email domain pattern, or address in a short window, it is a strong indicator of synthetic identity farming and warrants action.
How device intelligence helps prevent synthetic identity fraud
Device intelligence solutions can detect when the same device submits multiple applications with different identities—a key behavioral pattern in synthetic fraud schemes. By assigning a persistent identifier to each device, businesses can link seemingly unrelated applications back to the same source, even when fraudsters use different names, SSNs, or email addresses. This device-level enforcement makes fraud detection possible at the device level, not just by account or identity details.
Using a device intelligence solution
Fingerprint is a device intelligence platform that integrates in minutes and immediately begins generating persistent device identifiers, giving your fraud stack the device-level details it needs to link suspicious applications and flag bot-driven account creation without requiring significant engineering effort.
Fingerprint helps lower the risk of your business being the next compromise target, so you can avoid hefty fines for compliance violations, losing customers and their loyalty, brand damage, and litigation that can last years. Instead of being reactive, Fingerprint, in combination with your fraud tech stack, helps you be proactive with data loss prevention and cybersecurity. Monitoring and detection shouldn't be your only form of application protection, but it is a practical first step in stopping cyber-criminals.
Try out the Fingerprint demo or create a free account to get started.
Frequently Asked Questions
What is the difference between synthetic identity fraud and traditional identity theft?
Synthetic identity fraud creates entirely new fictitious identities by combining real and fabricated information, while traditional identity theft involves impersonating an existing real individual. With synthetic fraud, businesses are the primary victims since there's no single person whose identity was stolen. Traditional identity theft directly victimizes the individual whose personal information was compromised.
Differentiating between synthetic identity fraud and traditional forms of identity theft can be challenging because both involve the misuse of personal information. However, synthetic identity fraud is unique in that it involves the creation of a new, fictitious identity, often using a combination of real and fabricated information. Advanced fraud detection systems that can identify anomalies and inconsistencies in personal data can be helpful in detecting synthetic identity fraud.
How can consumers protect themselves from synthetic identity fraud?
Consumers should be vigilant about protecting their personal information. This includes not sharing sensitive details like Social Security numbers or bank account information unless absolutely necessary, and even then, only with trusted entities. Regularly monitoring credit reports for any unusual activity can also help detect instances of synthetic identity fraud.
Which industries are most at risk for synthetic identity fraud?
Any sector dealing with financial transactions or personal data could be at risk and prone to synthetic identity fraud. This includes banking and finance, healthcare, and online retail. These industries often require customers to provide personal information, making them attractive targets for fraudsters looking to create synthetic identities.
