Criminals no longer need to physically rob a bank to steal money; they can do it online, where it is quicker and easier and they are much more likely to get away with it. And even as anti-fraud technology develops in its attempts to counteract online banking fraud, fraudsters are evolving too, creating a never-ending cycle of attacks.
Synthetic Identity Fraud is an important example of how fraudsters focus on weaknesses in online banking security when developing ‘successful’ attack techniques.
Synthetic Identity Fraud is a type of fraud where synthetic identities are created using either a blend of real and fake or wholly fake personally identifiable information (PII), which is then used to open an illegitimate bank account. This information, often obtained by criminals through customer data breaches, can be bought cheaply on the dark web or gathered through social engineering techniques. As cybersecurity and counter-fraud tech improves, social engineering is becoming more prevalent in cybercrime, a situation we forecast for 2020.
If someone receives a letter bearing their address, but not their correct name, they may assume the mail is for a previous tenant of the home. However, another possibility is that a fraudster has used their real address along with a made-up name to create a new, synthetic identity in an attempt to bypass a bank’s security without it being traced back to them.
Fraudsters want to use PII relating to people who have little or no credit history, so that financial institutions have no pre-existing credit files on them, meaning their account applications are less likely to be flagged. Therefore, the young are the most at risk of their data being targeted by fraudsters, as they will have no credit history.
Synthetic Identity Fraud is extremely ‘successful’, so much so that it is the fastest growing type of financial crime in the US, according to the Federal Reserve.
Synthetic identities are often used by organized crime rings, which set up hundreds of these accounts in order to circulate money between them. Doing so launders the proceeds by rendering them untraceable, lets the accounts serve as mule accounts, and boosts the accounts’ credit scores through prompt repayments and increasing credit limits before the ring ‘busts out’, that is, withdraws up to an account’s credit limit with no intention of paying it back.
The sheer scale of some of these operations is astounding; as we mentioned in our blog on new account fraud, the biggest operation to be prosecuted by the FBI was found to be running 7,000 synthetic identities.
Criminals can be so confident in this method that on occasion they present themselves as the victim of their own Synthetic Identity Fraud. In this instance, they steal from the accounts they have set up using synthetic identities, before reporting the ‘theft’ to the bank in order to get their credit lines restored. Once the bank refunds the stolen money to the account, the fraudster can steal the money all over again. And even though the bank will now likely suspect the account owner of fraud, it cannot trace the fake PII on the account back to the perpetrator.
To help illustrate the confidence fraudsters feel performing Synthetic Identity Fraud, we can take the example of something that happened in the UK in 2017. Legitimate customer Mark phoned up his bank to find out why his debit card had been blocked. When he gave his name, the bank asked him to which of his two accounts he was referring.
Mark only had one account at the bank, and the other turned out to be an illegitimate account set up by a fraudster, using Mark’s name, but fabricated information about his salary and employment status. Even though the real Mark already held an account at the bank using his real information, a fraudster had still managed to open another in his name with personal details that did not match.
Most risk detection systems fail to flag a synthetic identity because the fake identities look just like real customers applying for an account with a limited credit history.
This, along with the fact there is so often no clearly identifiable victim, means it often goes unnoticed and unreported, right up until the fraudster busts out and fails to make any repayments. This means banks aren’t detecting synthetic identities until it’s too late.
Synthetic identities are used so often to commit banking fraud because they are specifically designed to circumvent security checks, and it seems that the only way in which to detect them is to add more intrusive checks to an onboarding process which is already complex. This inevitably means the very methods used to deter fraudsters will discourage real customers from signing up too.
Synthetic identities are often a symptom of new account fraud, so stopping this fake information from slipping through the net at the onboarding stage is vital. Continuous user profiling, where every user’s behavior is constantly and invisibly analyzed, can sort the legitimate customers from the fraudsters, without clogging up the process and sending people towards the competition.
Additionally, figuring out who the fraudsters themselves are is key. By analyzing the unique way in which a fraudster interacts with the bank, a ‘cyber-profile’ can be constructed for them, meaning that the bank can recognize the fraudster’s behavior in the future and stop them from committing Synthetic Identity Fraud before it has even occurred.
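The article notes that each synthetic application looks like an ordinary thin-file customer on its own, while rings reuse real addresses under made-up names across many accounts. As an added illustration (not code from this article or its author), the sketch below links onboarding applications that share an address or phone number and flags linked groups with several distinct names and thin credit files; the field names, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample applications (not real data); field names are assumptions.
APPLICATIONS = [
    {"id": "A1", "name": "Mark Ellis", "address": "12 Elm Rd",  "phone": "555-0101", "credit_file_months": 96},
    {"id": "A2", "name": "Dana Price", "address": "12 elm rd",  "phone": "555-0102", "credit_file_months": 0},
    {"id": "A3", "name": "Lee Ortiz",  "address": "40 Oak St",  "phone": "555-0102", "credit_file_months": 0},
    {"id": "A4", "name": "Sam Cole",   "address": "40  Oak St", "phone": "555-0103", "credit_file_months": 2},
    {"id": "A5", "name": "Ana Ruiz",   "address": "9 Pine Ave", "phone": "555-0104", "credit_file_months": 1},
    {"id": "A6", "name": "Jo Ruiz",    "address": "9 Pine Ave", "phone": "555-0105", "credit_file_months": 120},
]

def normalize(value):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(value.lower().split())

def link_clusters(apps, keys=("address", "phone")):
    """Group applications that share any attribute in `keys` (union-find)."""
    parent = {a["id"]: a["id"] for a in apps}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}  # (attribute, value) -> id of first application using it
    for a in apps:
        for k in keys:
            token = (k, normalize(a[k]))
            if token in first_seen:
                parent[find(a["id"])] = find(first_seen[token])
            else:
                first_seen[token] = a["id"]

    clusters = defaultdict(list)
    for a in apps:
        clusters[find(a["id"])].append(a)
    return list(clusters.values())

def flag_clusters(apps, min_names=3, thin_months=6):
    """Flag linked groups with many distinct names and many thin credit files."""
    flagged = []
    for members in link_clusters(apps):
        names = {normalize(m["name"]) for m in members}
        thin = [m for m in members if m["credit_file_months"] <= thin_months]
        if len(names) >= min_names and len(thin) >= min_names:
            flagged.append(sorted(m["id"] for m in members))
    return sorted(flagged)
```

A flagged group can include a genuine resident (A1 here) whose address was reused, so a hit is a prompt for review rather than proof of fraud; the two-person household (A5, A6) is not flagged.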