Understanding synthetic ID fraud and how to combat it

If you find the following content interesting, please subscribe to Verified with Persona on our blog for more juicy tidbits on all things identity.

?? Hi, I’m Jeff, and I’m excited to write my first Verified with Persona . You may have seen my face or name at industry conferences or online events. Sidenote: I'll be at the Marketplace Risk Conference this month in San Francisco, if you are too please come find me! Before Persona, I was in fraud and compliance operations at Square, Facebook, and Google. Needless to say, I’m passionate about the space and honored to share what I’ve learned over the years.

As mentioned earlier, we recently hosted a roundtable about synthetic fraud, who it affects, and how organizations can defend themselves against it. I’ll share some thoughts and takeaways below, but first, let’s define?synthetic fraud?to ensure we’re all on the same page. Our?marketplace?partner SentiLink defines SIF as “an identity where the combination of name, date of birth, and SSN do not correspond to a single real person.”

Synthetic fraud is especially dangerous because real people can become initially responsible for debt and actions they did not take. In fact, one of the first things I did when I received my daughter’s SSN was freeze her credit. I hated that I even had to consider doing this, but I worried someone would use her information to facilitate crime and we wouldn’t find out for years.

SIF doesn’t just impact individuals.?Ignoring synthetics and other emergent fraud trends can erode trust in your platform and cause financial and reputational harm to your business. Case in point: it’s estimated that SIF cost U.S. banks and financial institutions $20 billion in 2020 alone.

While many people associate SIF with the financial space, it’s actually prevalent across all industries that rely on trust.

Marketplaces?are a prime example. Say an underage kid wants to bypass the need to get parental consent before signing up for a gaming account. If the company doesn’t verify the provided date of birth, the kid may be able to mix and match information (e.g. their email address + their parent’s name or their name + their parent’s age and address) to skirt the issue.

Or, consider?dating apps. When these services don’t invest in identity verification, daters can easily pretend to be whoever they want to be. For example, they can claim to be a different age, use a different picture and name (i.e. catfish), and more.

And that’s just two examples. I could get into others — from?apartment rentals?to?auto dealers?— but no one wants to read a 5,000-word newsletter (...or do you? If so, reply and let me know!).3 strategies to protect your business against synthetic fraudThe Federal Reserve estimates that?85-95% of applicants?identified as potential synthetic identities are not flagged by traditional fraud models. So how can you identify and guard against SIF?

While there will never be a single silver bullet you can use against fraud, there are a few strategies you can take:

01 Understanding SIF is just the starting point — partner with experts to devise your strategy.

Work with internal and external partners who specialize in identity verification and can help you stay on top of emerging synthetic fraud strategies and quickly respond to/prevent attacks so you can focus on your business. Also, keep in mind that you don’t have to rely solely on traditional methods to mitigate fraud — there are other technologies, solutions, and verification types you can explore.

For example, instead of only verifying photos of physical driver’s licenses, you can consider accepting mobile driver’s licenses (if the user’s state and device allow it), which can give you higher assurance against fraudulent license submissions.

02 Unlock and evaluate as much data as you can to make better decisions.

The more signals you have, the better chance you’ll be able to identify synthetics. Don’t worry — this doesn’t mean you have to ask for a ton from users. Instead, consider supplementing collected information with passive signals (e.g. IP address, device fingerprint), official databases (e.g. SSN validation against Social Security Administration records), consortium models from third-party vendors, and more.

03 Act like synthetic fraud is already a problem for you.

Ignoring SIF doesn’t mean it doesn’t exist. Now that you know what it is, label your data for modeling and typology purposes, continually adjust your strategy, and empower your tools and team to do the same.

Bottom line

Today, a lot of fraud programs are reactive, which is problematic because fraudsters are always looking for new ways to circumvent fraud mitigation strategies. If you want to truly fight SIF and protect your business and customers, it’s important to take a security-by-design approach — and continue to iterate on your strategy.

Want to learn how? Check out this roundtable discussion I recently had with Brian Killeen from Guidehouse and Ahmed Siddiqui from Branch .