Synthetic fraud is the most stealthy, and dangerous, payment crime
We tend to talk about fraud as if it’s a singular, monolithic problem. It’s much like a photomosaic; the closer you look, the more clearly you see how fraud consists of many specific behaviors and practices.
Friendly fraud, account takeover and counterfeit cards are just a few common threats that fall within the purview of fraud. One of the fastest growing and most dangerous of these threat sources is synthetic fraud.
Synthetic fraud is a form of identity theft. It’s like other identity theft tactics such as account takeover, where it leverages information stolen from actual cardholders. With this tactic, fraudsters use partial consumer data to forge a fictitious identity from whole cloth rather than impersonate an existing cardholder. The identity in question is literally “synthetic.”
A fraudster may have access to pieces of data from multiple consumers, which he could use to build a profile for a fake user. For instance, he can combine bits of data from different individuals to create a fake persona and obtain lines of credit in that individual’s name.
Social Security numbers are generally the primary targets for synthetic fraudsters. They’re the hardest to come by, but are the most useful to their ends.
This is partly why synthetic fraudsters target children even more than adults. One contributing factor was introduction of Social Security number randomization in 2011, but the primary reason is children don’t have any credit history. If a fraudster can steal a child’s Social Security number before that individual ever gets the chance to use it, all the easier to perpetrate fraud. In all, more than 1 million children fell victim to synthetic fraud in 2017 alone and roughly 10% of all children have someone using their numbers for lines of credit.
With that much identity theft going on, it stands to reason the total financial impact will be huge. Not surprisingly, synthetic fraud is one of the fastest growing and most sophisticated forms of fraud in the U.S. today. It’s quickly developed into the primary method of attack for criminals due to just how hard it is to detect.
According to the State of Card Fraud 2018 report, synthetic fraud is estimated to account for 85% of all identity fraud in the U.S. We can trace a shocking 80% of total criminal fraud losses on credit cards to synthetic attacks. While merchants pay a heavy price for all these fraud attacks, they’re not the only party feeling the impact. For financial institutions, synthetic fraud causes nearly 20% of total credit card charge-offs or bad debts that are unlikely to be collected.
Overall, synthetic fraud is believed to have cost U.S. businesses roughly $6 billion a year in 2016. The actual total is likely much higher; the $6 billion figure only accounts for identified cases and can’t factor in ancillary costs related to individual cases.
Businesses find themselves in a precarious position regarding synthetic fraud and other risk sources. They’re under pressure to minimize consumer friction and don’t want to create unnecessary barriers to consumers. The result: More synthetic fraud attacks get through each day.
How do we fight back? Is there an effective way to deal with this problem?
One fairly reliable approach is in-depth data analysis. It’s true not every user is online every moment of the day. Yet, even individuals who rarely do business digitally still leave trails behind. Financial information, past loans and a social media presence are all signs of a real person attached to an identity.
Verifying users based on available data could be a solid response to concerns about synthetic fraud. The problem is this data is not always accessible. With the General Data Protection Regulation (GDPR) and the soon-to-be-implemented California Consumer Privacy Act (CCPA), access to consumer data is unreliable at best. It’s possible to conduct the level of data analysis necessary to reliably identify synthetic fraud attacks, but it requires a combination of machine learning and multilayer authentication techniques.
The key word here is “redundancy.” Using multiple layers of authentication to validate consumers’ identities provides a more detailed profile with greater insight. Online retailers can utilize a variety of anti-fraud tools to detect synthetic actors like geolocation and address verification. Thanks to mobile payments tools like Apple Pay, even biometrics are now an option.
Retailers can’t do this alone. Institutions should apply advanced screening processes to consumers before issuing cards or lines of credit. Relying primarily on a customer’s Social Security number to validate identity is not helpful when millions of Americans’ numbers are probably compromised. Banks should also take it upon themselves to make consumer education about best practices a much larger part of their operations.
Even with these practices in place, there’s no guarantee against successful synthetic fraud attacks. However, a proactive and coordinated response will help protect businesses and consumers from the worst of it.