Combine the government’s method of issuing Social Security numbers, recent massive data breaches like the one at Equifax, and new credit card technology, and it’s a recipe for a fast-growing form of identity fraud — and you’ve probably never heard of it.
Synthetic identity fraud occurs when cybercriminals use either a combination of real and fake information — such as child’s Social Security number, along with a false name, address and date of birth — or entirely false information to create a new “individual.”
The bad guys then will open up new credit cards or auto loans under the fake person’s name, and ultimately run up big piles of debt, which they don’t pay off.
If they’ve used your Social Security number or that of a loved one, you could spend months trying to untangle the mess.
You’re “going to be dealing with the consequences for a very long time,” says Kevin King, director of product marketing for ID Analytics, which provides credit and fraud risk solutions.
With a hacked Social Security number, it’s off to the dark web
A big part of the problem, King says, is that in 2011, the Social Security Administration changed the way it issues Social Security numbers.
In the past, Social Security numbers were assigned systematically, with the first five numbers linked to the geographic area where you were born. But since June 2011, the numbers have been assigned randomly, making it impossible to detect if a Social Security number is legitimate or not.
Once synthetic identity thieves get an adult’s Social Security number and use that to apply for credit, creditors would find “a wealth of history around it,” King says.
If the fraudsters get their hands on a child’s Social Security number, the stakes are much higher — with a theft payoff potentially much richer.
Kids are fantastic targets for synthetic identity fraudsters, says Ian Breeze, a product manager with the fraud protection company Easy Solutions. “There are no inherent checks or balances.”
The synthetic identity might not be discovered until years down the road, when the child is old enough to apply for credit on their own. “Then the unraveling takes place,” Breeze says.
Synthetic identity fraud’s cost: $6 billion in 2016
Credit application fraud using synthetic identities is responsible for 5 percent of charged-off accounts and up to 20 percent of credit losses — a total loss of $6 billion last year — according to Auriemma Consulting Group.
That total is higher when store credit cards are considered, along with other products such as auto loans.
“It’s clear that a significant portion of accounts in collections exhibit synthetic characteristics,” Ira Goldman, director of ACG’s Synthetic Identity Fraud Working Group and Credit Operations Roundtable, said in a news release.
A recent study for Equifax found 9 percent of credit card application fraud can be blamed on synthetic identities, says Daniel Jean, associate vice president of U.S. identity and fraud at the credit bureau Equifax. (News of the Equifax data breach broke after much of this story was reported.)
A study for ID Analytics in late 2015 found that 7 million people reported their Social Security numbers had been breached in the previous 12 months. That was 63 percent more than the previous year. Of the 7 million stolen numbers, 1.2 million belonged to children.
Many of the numbers stolen from children probably came from data breaches at the health insurer Anthem, as well as from breaches at the Georgia Department of Community Health and the Arizona Department of Child Safety, the report said. In June 2017, Anthem, the largest U.S. health insurer, agreed to pay $115 million to settle lawsuits stemming from the 2015 data breach compromising the personal information of 79 million people.
“There are no shortage of dark web marketplaces to monetize breached records,” says Keir Breitenfeld, senior business consultant for the credit bureau Experian.
Even if fraudsters make up a Social Security number, it could by chance match that of a child or a recent immigrant, King says.
EMV chip cards spur a rise in other frauds
Another factor thought to be fueling the rise in synthetic identity fraud is the introduction of EMV technology.
EMV chip cards “stemmed the fraud perpetrated by counterfeiting. That fraud had to go somewhere,” Breitenfeld says.
Fraudsters might use a fake identity to apply online for a credit card with a low balance, which banks might be likely to approve, Breitenfeld says.
The fraudsters will pay off the card on time, and continue to apply for cards with larger balances, and make payments promptly in order to build a good credit history.
In many cases, “synthetic identity fraud is a well-organized activity of fraud rings that may look for ways to create and then nurture these fake identities over a long period of time,” says Jean.
A shorter route to synthetic identity fraud is credit piggybacking. In these cases, an individual with a good credit score is paid to let someone else become an authorized user on their credit card account. The person who is added doesn’t have access to the credit card, but just being on the account boosts their credit score.
“It can quickly allow a fake identity to (have) a 720 FICO score,” King says.
Eventually, the fraudsters will run up huge credit card charges, which they don’t pay.
Synthetic identity fraudsters are driving off with cars
The fraudsters also are bilking auto lenders, who report a 150 percent increase in synthetic identity fraud over the past two years, Jean says.
“Some scams end with $1 million or more in inventory off a dealer lot in just a single weekend,” he says.
A Bloomberg story on synthetic identity fraud spotlights a South Carolina man suspected of using fake identities to obtain 558 credit cards from Capital One, before the card issuer’s fraud analytics software put the pieces together.
Outside Charles Whitlock Jr.’s home sat “a small fleet of luxury sedans,” the Bloomberg story says. On Facebook, he bragged, “My car detail bill is getting up there, lol.”
Whitlock says he’s innocent. Prosecutors say investigators found ledgers with Social Security numbers, addresses and birth dates. They estimate he used the credit cards to access funds worth at least $340,000.
The fraudsters who target auto lenders typically recruit people with no credit or bad credit, or who are young, to perpetrate the fraud, says Frank McKenna, a founder of PointPredictive, which works to help clients reduce fraud. After a year or two of using those recruits to build up a good credit profile, “they look like an ideal customer to an auto lender.”
They might buy up BMWs for $80,000 and ship them to Asia, where they sell for $240,000, McKenna says. The “purchaser” also may claim the car is stolen, so they can get a payoff from their auto insurer.
What you can do to protect your identity
While Breeze says there is no foolproof way to prevent your personal information from being breached and sold on the black market, there are steps you can take to protect yourself.
He advocates freezing your credit report, unless you’re applying for a mortgage, credit card, auto loan or other type of financing. A credit freeze prevents a credit bureau from releasing your credit report without your consent. You may have to pay a small fee for the freeze. The cost is determined by state law.
However, Breeze says it can be more complicated if you want to place a freeze on a child’s credit report.
While all 50 states have credit freeze laws, not all states require credit bureaus to place a freeze on a child’s credit report. Only Equifax will put a freeze on a child’s credit report, regardless of where you live, but you must send a letter explaining why you think your child’s information was used to obtain credit.
Jean also suggests checking your credit report regularly. You can get a free copy annually from each of the three main credit bureaus at AnnualCreditReport.com, or you can get your TransUnion credit report and free credit monitoring at CreditCards.com.
Protecting your information, including your Social Security number, and checking your credit reports helps, but data breaches happen.
“Once your information is out there, it’s out there,” says Michael Bruemmer, vice president of consumer protection at credit bureau Experian. “You can remediate against it, but you can’t claw it back.”
Editor’s note: This story, “Fraudsters creating synthetic identities from personal info on web” originally was posted on CreditCards.com.