Synthetic identity fraud is the combination of real identity credentials (e.g. a person’s Social Security number) with false identity information (e.g. a fake name and address) to create a new, fabricated identity. Fraudsters can then use this synthetic identity to apply for credit, make purchases, access government services, secure employment, and much more.
Dual impact of data breaches and AI
Synthetic identity fraud now accounts for 6.1% of global digital fraud after experiencing explosive growth of 184.3% between 2019 and 2023, according to TransUnion proprietary data. In the U.S. alone, Deloitte expects synthetic identity to cost the financial services industry $23B in losses by 2030. This growth is being fueled by two forces:
- Easily accessible personally identifiable information (PII) exposed through data breaches
- The development of artificial intelligence (AI)
In just the first four months of 2024, over 35.9 billion global data records were breached, with each of these records potentially containing enough PII to create a synthetic identity. And as the post-quantum (PQ) era dawns, breaking conventional encryption, “Harvest Now, Decrypt Later” attacks promise to expose even more PII. The other accelerant of synthetic identity fraud is AI, which, as one of our previous blog posts points out, simultaneously increases the ability to scale highly targeted attacks with deepfakes and lowers the skill level required.
Different Types of Synthetic Identity Attacks
Bad actors are not all the same. They possess varying degrees of sophistication and capabilities when it comes to plying their trade. Here are some of the tools and identity fraud techniques fraudsters use today:
- Identity manipulation: Authentic PII elements are adjusted slightly to create a new fake identity. Example: altering an attribute such as changing the date of birth or name on a driver’s license.
- Identity compilation: Actual and fabricated PII data elements are compiled together to form a new identity. Example: associating a real Social Security number with a completely fabricated identity document such as a driver’s license.
- Identity fabrication: A new fake identity is created without the use of any genuine PII.
Fighting the Fraudsters
Fundamental to combatting the meteoric rise of synthetic identity fraud is keeping identities secure in the first place, and this is the value of adopting a Zero Trust strategy. With a mantra of “Never Trust, Always Verify,” Zero Trust is essential to help prevent breaches and quarantine compromised systems if/when one does occur. To limit the exposure of “Harvest Now, Decrypt Later” attacks, organizations would also be wise to start their journey to post-quantum cryptography (PQC) sooner rather than later.
AI-powered document and biometric verification can help prevent fraudsters from using synthetic identities at the point of onboarding by verifying that the person presenting the identity credentials is the owner of those credentials. And the use of active liveness checks, such as video or motion capture with biometric verification, is essential to defend against “live capture” identity attacks like:
- Photos from an ID document: where a fraudster presents the photo of the identity document itself in place of biometrics.
- Photos of printouts: where a fraudster acquires fabricated or real IDs and submits a photocopy of those IDs. They can also present photos of printed images of their victims stolen from the internet.
- Video playback: where a fraudster plays a pre-existing video on a phone or other device and holds it in front of the camera on the device being used to verify that person’s identity.
- Photos of screens: where a fraudster submits a picture of an ID or face that was captured from an image on the internet or another digital machine.
- 2D mask: where a fraudster creates a two-dimensional image, often a printout of the person’s face, which they wear when capturing a biometric verification. While these look like a forgery to the human eye, they have been known to trick a computer.
- 3D mask: where a fraudster creates a three-dimensional mask they put on over their head before capturing a biometric verification.
- Deepfakes: where a fraudster submits an image, likely either an ID document or a face that was entirely computer generated, typically using readily available AI technology.
Driven by AI and pervasive data breaches, the challenge of synthetic identity fraud, especially deepfakes, is only expected to intensify. Stay vigilant and prepared by adopting a Zero Trust strategy with AI-powered, identity-centric security.