In modern history, Frankenstein is remembered as an 8-foot-tall monster with mismatched body parts crudely sewn together by jagged stitches.
He’s an apt visual for synthetic identity fraud: a scam where fraudsters stitch together fragments of personal information to create a fake, yet real identity.
It sounds like an oxymoron, but when a fraudster takes a legitimate Social Security Number (SSN) from one person and mixes in other valid identity elements from another, like email and phone number, it results in a fake identity made up of real components that don’t belong together.
That identity can then be used to defraud legal, financial, and other institutions. Even worse, AI is supercharging this crime. To avoid falling victim, it’s important to understand synthetic identity fraud, how it works, AI’s role in it, and trusted strategies for protecting your business
What Is Synthetic Identity Fraud and How Does It Work?
Synthetic Identity Fraud (SIF) is the combination of a real social security number with stolen fragments of personally identifiable information (PII) from multiple people to fabricate an identity that’s impossible to distinguish from a real one because the components are legitimate.
What does this mean practically?
Every day, 93.1% of Americans, including employees, clients, and business partners, access the internet. Each time they browse, they leave behind small pieces of their identity, like their names, email addresses, dates of birth, and more, scattered across websites, apps, and databases.
Identity thieves collect this information and use it to create fake personas that can pass deep scrutiny in corporations across multiple sectors.
Real-World Synthetic Identity Theft Case
In 2013, the Department of Justice in the United States charged 18 individuals as co-conspirators in a crime ring that had operated for over a decade, spanning 8 countries and 28 states.
The fraudsters succeeded in creating 7,000 synthetic identities by combining unused SSNs with fake personal information.
At the height of their operation, they maintained 1,800 drop addresses, which they used as mailing addresses, and obtained 25,000 credit cards with high credit limits from multiple financial institutions. They also created over 80 sham companies and used them to build credit scores and take out lines of credit.
When authorities finally discovered the ring, industry experts estimated that they had stolen over $1 billion.
The case is now closed, and most of the co-conspirators pleaded guilty and served time. Still, it demonstrates the harm synthetic identities can cause when it comes to financial fraud through credit accounts. It’s also a strong example of how long it can take for businesses to discover fraud without proper detection and protection strategies.
How AI Has Changed the Face of Synthetic Identity Theft
AI has impacted not only identity theft but the entire cybersecurity industry. It has become a double-edged sword that helps with finding threats but also makes it easier for bad actors to automate attacks.
With synthetic ID scams in particular, artificial intelligence has:
- Eased the process of gathering publicly available information spread out on the internet.
- Enabled faster creation of identities.
- Facilitated the development of fraud tools.
AI-Powered Data Collection for Fraudulent Activities
Fraudsters use AI-powered web scrapers or even LLMs like GPT to collect real names, birthdates, social media posts, and genealogy records.
The tools also scrape public breach databases such as HaveIBeenPwned to find real phone numbers or SSNs that have leaked online.
Once the information is collected, the scammer uses artificial intelligence to create a realistic backstory, photos, and a cloned voice print for phone verification. The result is a unique, almost undetectable identity that can:
- Apply for credit cards and build credit histories
- Take out loans
- Build a company and take out lines of credit
- Employ the services of a law firm to legitimize the identity
- Target insurance companies with fake claims
- Impersonate job applicants in virtual interviews, securing the job and siphoning salaries.
With time, the criminal sets up AI bots to monitor credit bureau responses so that they can adjust the identity when necessary. The bots also learn from previous failures and perfect this type of fraud by facilitating better identities.
AI Generates Many Fake Identities Within a Short Period of Time
AI can mine and combine data much faster than a human. This allows identity scammers to create many versions of a fake profile that can pass identity checks.
In contrast, before AI, criminals spent a lot of time (sometimes months) working on one good falsified identity.
The Emergence of AI Tools That Facilitate Crime (Fraud-as-a-Service)
Software developers have taken advantage of artificial intelligence to build AI tools that expedite synthetic IDs. These tools and services crop up daily, and as an organization, it can be difficult to keep up.
One such tool is BeenVerified. It’s a paid service that only requires the name of a person to scour the internet for digital footprints and generate a detailed report with information such as:
- Parents’ names
- Siblings
- The first apartment
- All cars registered to an individual
- Nicknames
- Neighbors
- Ex-in-laws
This kind of information is a gold mine for bad actors looking to build a comprehensive fictitious identity that can bypass most detection systems and put regular identity theft to shame.
How Synthetic Fraud Differs From Regular Identity Theft
Traditional identity theft involves using real identities to commit fraud. Consider a scenario where Jane Smith, a 42-year-old accountant from Ohio, gets an email from her bank that seems real. The email asks her to check for unusual activity on her account.
She clicks the link, enters her username, password, and answers several security questions. Within minutes, the identity thief logs into the account, changes the email and password, transfers all the money to a secondary bank account, and uses Jane’s account to apply for a credit card, then orders things online.
The thief is using the identity of a real person (Jane) to defraud the bank. While the fraud is damaging, the wreckage is limited because eventually, Jane will discover the anomaly and report it to the bank.
In contrast, synthetic identity theft has differences that make it sophisticated and dangerous.
- Creates a new identity instead of stealing one, making it harder to catch (In Hong Kong, fraudsters used deep fakes to modify publicly available real data to create a fake identity of the company’s CFO and trick a worker into remitting $25.6 million).
- Often, victims never realize pieces of their identity have been stolen. Allows fraudsters to use a single identity for years to target businesses/government.
- Identity appears as legitimate to most systems designed to detect fraud (In 2022, Adam Arena and his co-conspirator were sentenced to 5.5 years in federal prison for successfully defrauding the government of almost $1 million in federal PPP loans).
- Synthetic ID fraud takes time to catch (sometimes decades), allowing it to do a lot of damage
How to Detect Synthetic Identity Fraud
Cybercrime, AI fraud, and deepfakes are the top expected challenges businesses predict they'll encounter in the next 2–3 years. Detecting synthetic identity fraud is a three-step process.
1. Monitor Unusual Account Activities
Monitoring means establishing a system that continually checks all the accounts in the organization to assess for behavior that deviates from the norm. It applies irrespective of the industry.
For a financial institution, monitoring includes keeping an eye on new accounts to identify accounts that are rapidly building good credit reports.
For a medical company, it includes flagging personas that purchase disparate medical equipment within a short period. That probably means the goal is to use fraudulent identities to purchase and resell the equipment on the black market.
2. Incorporate AI and Machine Learning
Sure, AI has done its part to enable fraudsters, but it can also help detect fraud. Organizations can use machine learning models to study historical data on real fraud cases and suspicious credit files.
The more the model analyzes the data at scale over and over, it learns to detect patterns that indicate anomalies with a high level of accuracy that surpasses human analysts.
3. Continuous Adaptation to Emerging Threats
Similar to other cyber threats, synthetic identity theft keeps evolving, and hackers keep adopting new tactics. Organizations must keep adapting to emerging threats by:
- Gathering a range of resources (reports, papers, authoritative blogs) that have the latest information on cybercrime to help respond quickly to new threats.
- Joining a cybersecurity community and following government agencies like the Cybersecurity and Infrastructure Security Agency (CISA). These agencies always release new tips, tricks, and reports.
- Conducting regular training and awareness programs for employees.
- Engaging with Managed Security Services, as it’s their job—all day, every day—to keep up.
How to Protect Your Organization
Because of the difficult-to-detect nature of SIF, protecting your organization effectively must be a multi-pronged affair.
Use Adaptive Multifactor Authentication (Adaptive MFA)
Adaptive multi-factor authentication responds to the context of each login attempt and adapts dynamically to require authentication that corresponds to detected risk factors.
Say Sarah, who works at a bank, typically logs in to an account from New York on her company-issued laptop between 8:00 AM and 5:00 PM. For three consecutive days, the login pattern is normal, then on day four, she logs in from Brazil at 1:00 AM on an unknown device.
Adaptive MFA automatically asks Sarah to prove her identity in multiple ways, like fingerprint, real-time face ID, voice authentication, and password.
If Adaptive MFA still deems the login high risk, it might block access until Sarah is back in New York or she takes steps to reduce the risk, such as accessing the account with the company-issued laptop.
It differs from traditional MFA, which demands the same factors for each access, no matter how high or low the risk.
Exercise Vigilance
Home and professional lives have become so intertwined that company CEOs and CTOs can’t afford to assume the company is safe as long as the work devices are protected.
The overlap between personal and work devices opens up a loophole that identity thieves can leverage: Why go after a corporate asset with multiple layers of security when they can target a personal device that is less protected and ride the application and private tunnels back to the enterprise?
Vigilance requires that an organization always teach its staff about cybersecurity and watch for data breaches from other companies.
Engage a Managed Security Services Provider (MSSP)
In 2024, the FBI recorded $16.6 billion worth of losses from cybercrime, with the global cost predicted to hit $9.5 trillion by the end of last year. Enterprises, big and small, absorb these costs because it can be difficult for any company to keep up with the ever-evolving nature of cybersecurity.
Partnering with an MSSP gives you an opportunity to tap into experienced and specialized experts whose sole job is to keep pace and pre-empt attacks that might impact an organization’s growth, competitiveness, and profit.
An MSSP is in the middle of all things cybersecurity and advanced technologies. They do this every day, so they have more resources, protection plans, and the ability to detect suspicious activities.
Protect Against Advancing Fraud
For businesses, there’s a steep cost that comes with neglecting cybersecurity.
Synthetic identity fraud can sound daunting, but it is beatable with an effective strategy and a suitable collaborator. All Covered partners with clients for holistic tailored managed security solutions to guard your data against modern threats. Reach out today to get started.
