In the past few years, synthetic identity fraud has skyrocketed. The IRS recently posted a warning to taxpayers telling them that the IRS has seen a surge in unemployment and government benefits fraud, making it more important than ever for businesses to protect their customer data. What makes synthetic identity fraud difficult is that consumers are often unaware of their stolen data until they file for a mortgage or other loans and receive a rejection letter for previous defaults on loans opened with their stolen identities.

After a consumer becomes a victim of identity theft and fraud, it takes years to clean up their credit report and rebuild their credit rating. Identity theft has long-term consequences for consumers, and often, fraudulent activity starts after attackers compromise a business application. Consumers suffer numerous consequences, and businesses lose billions yearly, lending money to fraudsters. Every organization and consumer should test and protect their environment from threats and risk of a compromise. 

In this article, we’re explain what synthetic identity fraud is, how it works, how it differs from identity theft, and ways businesses can prevent it. 

What is Synthetic Identity Fraud?

Synthetic identity fraud occurs when the perpetrator creates a completely fictitious identity with fake information. They may use stolen Social Security numbers or other personally identifiable information (PII) to create a unique profile that looks like an actual person.

How Does Synthetic Identity Fraud Work?

When you apply for a loan or credit card, you give a lender your name, social security number (SSN), and address. It does not take a lot of personal information to apply for basic loans such as credit cards or financing home repairs. You can apply for government benefits with your SSN (social security number) and name. This little data and validation lead to many fraudsters being undetected.

Synthetic identity fraud is a common example of such misuse. In this scenario, an attacker gains access to an SSN or other Personally Identifiable Information (PII), which they use to forge new identities. While the SSN is valid, the name associated with it may be slightly altered. The address used could belong to an unwitting accomplice who receives credit cards and reships products on behalf of the fraudster.

Under the guise of a legitimate job, the fraudster can manipulate the victim into forwarding goods, potentially to the attacker located in a different country.

The two types of synthetic identity fraud

Manipulated Identity Fraud

This type of fraud involves modifying existing identities. Fraudsters may alter a single digit of an existing Social Security Number (SSN) or slightly adjust the data to mimic a valid number, thus stealing a real consumer's identity.

Manufactured Identity Fraud

Unlike manipulated identity fraud, manufactured identity fraud combines elements from various real identities to create a fraudulent one. While the former closely resembles a real consumer's identity, the latter is a completely new identity, often using randomly generated SSNs within a valid range.

Manufactured identities pose a significant challenge to detection, as they represent entirely new identities used to deceive businesses. Fraudsters typically use these identities to apply for credit cards and loans, potentially absconding with several thousand dollars. This leaves businesses at a loss and can result in substantial financial damage.

Synthetic Identity Fraud vs. Identity Theft

Most people are aware of identity theft, where the victim is the consumer. With synthetic identity fraud, there is no individual victim. The identities are synthetic and don’t usually point to one specific individual target. Synthetic identity fraudsters target businesses and defraud them out of billions. Pew Research reported that businesses lost $20 billion in 2020 from synthetic identity fraud.

In a manipulated identity scam, most businesses detect that the fraudulent account has mismatched information. Still, manufactured identity is much more complex and often leads to tremendous monetary loss for a targeted business. In a manufactured identity fraud attack, most victims are banks and lenders. An attacker in synthetic identity fraud aims to steal large amounts of money from banks and lenders rather than targeting small amounts by stealing identities from individuals with the potential of having poor credit scores.

Synthetic identities often use real Social Security Numbers (SSNs), which can impact consumers. The targets are usually children or individuals who seldom apply for loans, who wouldn't be alerted to credit issues until it's too late. Consumers also suffer from credit report issues for years, and businesses lose billions,  so developers must build web applications that stop attackers from account takeover and automated authentication.

How businesses can prevent synthetic identity fraud

Cyber-criminals obtain user information from compromised web applications and physical threats (e.g., dumpster diving or shoulder surfing). Stolen information is often sold on darknet markets, where an extensive database of consumer information is disclosed. Anyone can buy this data and use it to create synthetic identities. This is the start of identity fraud and why developers must block cyber-attacks.

Surprisingly, most attacks are not targeted at a specific business. They start with an automated scan across several sites. The purpose of an automated scan is first to find a vulnerable business – any vulnerable business. An attacker might scan thousands of web applications, but it usually only takes a few hundred to find a potential target. Some automated scans also automatically exploit vulnerabilities. Automated exploits come from known common vulnerabilities where a proof of concept is already provided.

Developers must test their code for vulnerabilities, but detecting bots used to scan for vulnerabilities is also a viable way to stop attacks before they begin. Detecting bots can be done in several ways. Most of them are complicated and require huge development efforts. 

Using a device intelligence solution

Fingerprint, however, lets you plug a library into your code and automatically start detecting automated exploit and scan attempts. It does the heavy lifting for developers and allows them to handle the way bot detection works. A web application could send server error messages or alert administrators to let them know the business is a target. 

Fingerprint helps lower the risk of your business being the next compromise target, so you can avoid hefty fines for compliance violations, losing customers and their loyalty, brand damage, and litigation that can last years. Instead of being reactive, Fingerprint, in combination with your fraud tech stack, helps you be proactive with data loss prevention and cybersecurity. Monitoring and detection shouldn’t be your only form of application protection, but it is a practical first step in stopping cyber-criminals.

Try out the Fingerprint demo, or sign up and get started.