Words by LexisNexis Risk Solutions and James Baldwin, FGS

Troy lives in the city of Oxford, England. He occupies a handsome, Victorian terraced house on a street of nine similar properties. From time to time, he applies for a loan from his bank. He has used his credit to buy a car and a new phone, always paying his bills on time. So, when Troy applies for new credit, what could go wrong? He is the ideal customer.

Once you dig a little deeper, it becomes clear that this is not the case. There is little else that the bank knows about Troy. They have his address and know he has a credit card, but beyond that almost no data exists. On closer investigation of related credit profiles, there are 150 individuals with similar-looking data, each with bank accounts and limited credit histories.

Unfortunately for the bank, ‘Troy’ and the 150 identities behind the other credit profiles are not real people. They are ‘synthetic identities’, being cleverly crafted and abused by fraudsters to apply for increasingly large loans, with no intention of repaying.

The Oxford case uncovered 450 applications for credit being made by these ‘identities’ – all of which shared common personally-identifiable information (PII) data. Only two of these identities showed any evidence of actually existing. Similar rings have been uncovered in Chichester, South Wales, Plymouth and all over the UK.

The scale of synthetic fraud is enormous, with LexisNexis Risk Solutions, part of RELX, estimating a cost to businesses of £4.2bn between 2024 and 2027. Indeed, it is growing at huge rates – up by 527 percent between 2020 and 2023 in the UK alone.

In the US, where synthetic fraud is already a major issue, businesses report an average $15,000 loss to each confirmed synthetic fraud case. Having emerged in North America a number of years ago, synthetic fraud is well established and has been called a “$6bn problem” for the economy by analysts.

So what is a synthetic ID? And how are they used?

A synthetic identity is fabricated by a fraudster by combining some real and some fake Personally Identifiable Information (PII). The end result is an implied identity not associated with any real, living identity.

Synthetic fraud occurs when fraudsters exploit stolen and faked personal information to pose as real people and spoof credit checks to gain access to loans and lines of credit from banks and other credit providers.

Because of the effort needed to build a viable synthetic ID, fraudsters are often in it for the long run. Curating a fake identity can take months, if not years. First, they build trust with lenders, often near or sub-prime lenders or Buy Now Pay Later. Fraudsters use various methods to incrementally build up a credit score over time, regularly borrowing and paying back credit.

To banks, these synthetic identities often look like the perfect customer, demonstrating the ideal credentials and behaviours to access higher and higher levels of credit and pay it back.

But once their credit potential is maximised, the fraudsters will rake in as much as they can before disappearing into thin air. Only then does the threat become visible to the bank.

The issue is exacerbated as no customer is directly impacted by the fraud. These identities are not stolen – rather they are fabricated, so there’s no customer to flag suspicious activity, or report a fraud on their account – a vital part in helping institutions detect fraud.

This doesn’t mean the customer isn’t indirectly affected. Institutions will spend time and investment attempting to recover their losses or stopping incidents of fraud from re-occurring. Increases in fraud can also lead to increases in friction for good customers as banks add more and more verification layers to their user journey. Indeed, additional checks on legitimate customers are often a direct consequence of efforts to prevent sophisticated synthetic fraud attacks. And, to make matters worse for the customer, they could also be negatively impacted if their address becomes linked to cases of fraud, potentially lowering their credit score.

Given Credit and Fraud divisions are unlikely to work together closely in large financial institutions, banks will often fail to decipher the fraud – especially since fraud prevention models are not built to stop this kind of activity. Only when the bottom line is hit do most institutions realise something has gone horribly wrong.

It is easy, then, to see how it is estimated to be a $6bn problem in the US and predicted to cost the UK economy £4.2bn.

Uncovering Synthetic IDs

Once the synthetic identities are established, they have a high chance of making it through banks’ existing and sometimes dated fraud prevention systems, which were not built to combat synthetic frauds. A staggering 85 percent of such identities are not flagged by third-party fraud prevention models - which tend to be too linear. A near match is typically enough to approve the loan.

In fact, research from LexisNexis Risk Solutions found that over 50 percent of synthetic identities had a traditional credit score of above 650 - classified as a 'good credit score'.

In the face of this challenge, leaders in the sector are turning to technology. Specifically, they are using models capable of spotting synthetic identities among genuine consumers, using a combination of contextual data and deep industry knowledge.

LexisNexis Risk Solutions has been at the forefront of initiatives to address this problem for over ten years.

Real identities emerge at the speed of life

First is the need to consider if something might be a synthetic identity or not.

  • Does the personal information show signs of manipulation? Are there strong similarities with other related identities?
  • Is there any evidence of records from trusted sources, such as the electoral roll?
  • Is there evidence of a ‘life story’ or family connections?

Think of the average human life story. We are born, we get an education, our first phone, first financial product, first car…we go to university, we get married, we move out, we have a child, and so on. Each point in the journey creates a data footprint… if you’re a real person.

Anatomy of a fraud scheme

Warning: this is a true story. Names have been changed to protect identities.

In 2016, Ada Vern, a 'successful' fraudster and US citizen from Philadelphia, was arrested for their role in a $200m credit card fraud scam, one of the largest fraud schemes of the time in the United States. The conspiracy took place over approximately ten years, and spanned at least eight countries and 28 states.

19 people were charged with bank fraud, punishable by a maximum potential penalty of 30 years in prison. Ada was sentenced to three years, and fined $1m.

Approximately 200 bank accounts were used and over 1,800 mailing addresses.

Over 7,000 synthetic identities were created and more than 25,000 credit cards were issued.

The conspirators lived well, according to federal court filings. The fraudsters used proceeds to purchase luxury cars, spa treatments, high end clothing and stockpiled millions of dollars in gold and large sums of cash. They “pumped up” their accounts with credit bureaus using fake records showing they were reliable customers, and then borrowed money against those inflated accounts that they would not pay back.

This is the enemy we are fighting.

The links and associations between the data footprints we leave as we live our lives are invisible to the naked eye. But with advanced analytics we can map them to spot the difference between normal and suspicious.

Here's a social graph of a real living person. Each dot is a data footprint created as they go about their daily lives and create connections with others: partners, children, friends etc.

Here is an equivalent graph for a synthetic identity.

There are none of the expected social links or life events shown in the previous graph. Identities are exploding from central nodes, each creating more synthetic identities. Each line is separate, with no connections to each other.

These graphs illustrate the intricate and interconnected nature of organised fraud networks. The connections between data points are invisible to the naked eye, but using vast contextual data sources and advanced analytics, associations can be surfaced and used by organisations to help detect potentially fraudulent digital identities and prevent them from infiltrating the financial system.

Using technology to combat synthetic fraud

LexisNexis Risk Solutions helps institutions detect the characteristics of a potentially fictitious identity using the power of big data and analytics.

Its proprietary linking technology, LexID, draws on a broad spectrum of consumer records to help organisations make sense of which identities are real and which could be linked to synthetic fraud.

Since synthetic identities are typically part of a coordinated fraud attack, there are often tens or hundreds of identities created at once by a small number of real people. Analytics can help here too. Through careful analysis of the links between the data ‘breadcrumbs’ left behind, it’s often possible to trace this activity back to find the bad actors.

The need for institutions to prepare themselves

Our analysis reveals that there are potentially around three million high-risk synthetic identities in the UK alone.

The risk to business is significant and exacerbated by the fact that many are simply unprepared for the threat that synthetic identities pose. Often frauds enacted by synthetic identities are being charged off as bad debts, since there is no clear evidence of fraudulent activity.

Synthetic fraud means organisations need to find new ways of thinking about fraud and staying ahead of the fraudsters. They need to do so by not only assessing each new individual credit application that comes in, but also screening for associations with other known applications, credit profiles and known frauds to determine whether the application looks risky. If an organisation can identify a person’s physical, behavioural and digital profile, and link everything together, then the chances are they are real. A synthetic identity will not have this combination of proof points.
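The screening for associations described above can be sketched as link analysis over shared PII. This is an added example, not LexisNexis Risk Solutions' method or code: the field names, thresholds and sample applications are constructed assumptions. It groups applications that share a normalised address or phone number and flags large groups in which few identities have a trusted-source record.

```python
from collections import defaultdict

# Constructed sample applications (not real data); field names are hypothetical.
FIELDS = ("id", "address", "phone", "electoral_roll")
ROWS = [
    ("A1", "7 Sample Terrace, Oxford", "07700 900001", False),
    ("A2", "7 SAMPLE TERRACE OXFORD", "07700 900002", False),  # same address, reformatted
    ("A3", "9 Sample Terrace, Oxford", "07700-900002", False),  # same phone as A2
    ("A4", "9 Sample Terrace, Oxford", "07700 900003", True),
    ("B1", "1 Example Road, Plymouth", "07700 900011", True),   # ordinary household
    ("B2", "1 Example Road, Plymouth", "07700 900012", True),
    ("B3", "1 Example Road, Plymouth", "07700 900013", True),
    ("C1", "4 Placeholder Lane, Chichester", "07700 900021", False),
]
APPLICATIONS = [dict(zip(FIELDS, row)) for row in ROWS]

def norm(value):
    """Normalise a PII value so trivially manipulated strings still match."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def cluster_by_shared_pii(apps, keys=("address", "phone")):
    """Union-find: applications sharing any normalised PII value join one cluster."""
    parent = {a["id"]: a["id"] for a in apps}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_seen = {}
    for a in apps:
        for key in keys:
            token = (key, norm(a[key]))
            if token in first_seen:
                parent[find(a["id"])] = find(first_seen[token])
            else:
                first_seen[token] = a["id"]
    clusters = defaultdict(list)
    for a in apps:
        clusters[find(a["id"])].append(a)
    return list(clusters.values())

def flag_rings(apps, min_size=3, max_verified_ratio=0.34):
    """Flag clusters that are large yet mostly lack trusted-source records."""
    rings = []
    for members in cluster_by_shared_pii(apps):
        verified = sum(1 for m in members if m["electoral_roll"])
        if len(members) >= min_size and verified / len(members) <= max_verified_ratio:
            rings.append(sorted(m["id"] for m in members))
    return sorted(rings)
```

The three-person household at one address is not flagged because every member has a trusted-source record; only the linked group with a single verified identity is returned for review.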

Unless businesses take steps to counter this fast growing fraud, there is a real threat that more and more 'Troys' and 'Adas' – and their hundreds of seemingly trustworthy related identities – will continue to infiltrate the system, subsequently costing our economies billions.