There’s a new kid in town
Identity fraud is one of the oldest and most pervasive crimes, and criminals must understand legitimate identity profiles to craft believable fakes. Just about everyone who rubs elbows with someone working in the identity verification industry or Fintech has heard of synthetic fraud, but far fewer have heard of its younger and more destructive sibling, serial fraud.
In many ways, synthetic fraud paved the way for serial fraud to enter even the most fortified security stack undetected through professionally coordinated attacks. The coordinated attack is serial fraud’s modus operandi, the mechanism of entry, the Trojan Horse.
The backstory
Synthetic identity theft is the epitome of a clever identity scam. Fraudsters employ cunning skills to concoct fictitious personas, blending real elements with their own imaginative twists. It’s like creating a masterpiece from stolen puzzle pieces in the world of identity theft. Synthetic IDs are ninjas in the night. Since they mix real and fake information, they can pass basic verification checks with flying colors.
How exactly are they fabricated? Criminals acquire pilfered Social Security numbers, names, and addresses, adroitly infusing them with fake information to form entirely new identities. These digital alter egos possess an uncanny ability to traverse the boundaries of detection. Once the identities pass initial verification checks with their blend of authentic and fake information, the fraudsters skillfully cultivate them over time, meticulously engaging in activities that mimic the behavior of legitimate individuals. The gradual cultivation of credit histories and simulated financial transactions adds layers of authenticity, rendering the identities almost indistinguishable from genuine consumers.
Because of their near-perfect resemblance to the real thing, synthetic IDs are potent tools for fraudsters to perpetrate their schemes in credit fraud, account takeover, and money laundering. Criminals meticulously build credit and financial transaction histories, establishing credibility over time. To compound the conundrum, fraudsters manipulate Social Security numbers, utilizing partial or fictitious ones that have yet to be issued. This manipulation further muddies the waters, confounding many traditional verification technologies. Moreover, synthetic ID fraud often goes undetected due to the lack of victim complaints. Since most victims remain unaware that their personal identification information was used to forge an alter ego, reporting identity theft of this sort is as rare as a unicorn sighting. The fraudsters are in it for the long game. Undetectable activity that enables the alter ego to establish legitimacy sets the stage for a coordinated attack.
The Trojan Horse
Once synthetic identities have sufficiently built up creditworthiness, fraudsters can orchestrate the ultimate symphony of deceit and the hallmark of serial fraud – a coordinated attack. The genius of this scheme lies in its complexity and scale. Picture multiple synthetic identities simultaneously applying for credit cards or loans. The fraudsters know that their operation’s sheer volume and intricacy make detecting patterns or connections incredibly challenging. They exploit the time gaps between credit checks and fraud detection systems, counting on the fact that financial institutions often operate in silos and lack access to a holistic view of credit activity across multiple organizations.
To make matters worse, these fraudsters are not your average con artists – they are often part of a larger organized crime syndicate with the resources to spend on research and development so their methods and technologies can constantly evolve, staying one step ahead of detection systems. They tweak their techniques, adapt their approach, and embrace the latest technologies. It’s like trying to catch a slippery eel in a pool of virtual quicksand.
And let’s not forget time discrepancies. By the time fraud detection systems catch wind of their activities, these culprits have already moved on to the next plot and abandoned their synthetic identities entirely. They’re the Houdinis of the fraud world, vanishing before anyone knows what hit them.
What adds to the challenge is that these synthetic identities have an air of legitimacy. They’ve dabbled in non-fraudulent activities, opening utility accounts, renting properties, or securing a legitimate job. It’s no wonder detection systems struggle to separate the wheat from the chaff, as the data associated with these synthetic identities seems as real as a perfectly staged Instagram post.
To summarize, here’s a breakdown of how and why serial fraud is such a challenge to spot:
1. Complexity and scale: Coordinated fraud attacks involve many synthetic identities operating simultaneously across various financial institutions and geographic regions.
2. Evolving techniques: Fraudsters continuously change their approach, modify their patterns, and employ new technology to stay ahead of detection systems.
3. Lack of data sharing: Financial institutions operate independently, so their fraud detection systems do not communicate or share information. Centralized data is needed to improve the ability to identify connections or detect patterns across multiple organizations.
4. Time discrepancies: Coordinated fraud attacks exploit time discrepancies between credit checks and fraud detection systems. By the time fraudulent activity is detected, the fraudsters may have already moved on to another stage of their attack or abandoned the synthetic identities altogether.
5. Synthetic identity legitimacy: The synthetic identities used in these attacks are developed to appear legitimate, with a history of non-fraudulent activities.
Detecting invisible fraud
Overall, the mixture of these elements makes serial fraud attacks seem “invisible” and even undetectable. Collaboration, information sharing, advanced data analytics, and continuous monitoring for suspicious “traffic” are necessary to combat this fraud.
Why can’t a typical verification solution (even one that is AI/ML-based) catch serial fraud?
As part of the identity verification process, most customers capture a picture of their ID document and take a selfie from their device, which is submitted for processing. This is what we will call fraud detection at the case level because the technology is trained to examine documents on a case-by-case basis, one document at a time. When attempted at the case level, fraud detection relies on illogical or non-matching data items, suspicious device flags, or a manipulation attempt that is observable on or in the image file. If everything looks legitimate, the identity is verified, and the fraud goes undetected. The case-level examination and detection happen in a closed ecosystem.
But coordinated attacks executed by organized crime rings are made with perfect fakes that do not demonstrate observable manipulation. No data checks will likely detect these, nor will any irregularity be seen at the case level. The only way these can be detected is by their activity at the traffic level: behavior characteristic of professional crime attacks. A serious fraudster, let alone an organized crime cell, doesn’t need to sneak in; they enter through the front door. Totally undetected.
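To make the case-level versus traffic-level distinction concrete, here is an added example (not from the original article and not the vendor's method). Every constructed application passes its own case-level check, yet a sliding-window pass over the whole stream surfaces the burst. The `link` field (any attribute shared across submissions), the 15-minute window and the threshold of three identities are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def case_level_ok(app):
    """Case-level check: looks only at this one submission."""
    return app["data_matches"] and not app["device_flag"] and not app["image_tampered"]

def traffic_level_bursts(apps, link_field, window, min_identities):
    """Return {link value: [app ids]} where at least `min_identities` distinct
    identities sharing that link value applied within `window`."""
    by_link = defaultdict(list)
    for app in apps:
        by_link[app[link_field]].append(app)
    flagged = {}
    for link, group in by_link.items():
        group.sort(key=lambda a: a["submitted"])
        start, hits = 0, set()
        for end in range(len(group)):
            # Shrink the window until it spans no more than `window`.
            while group[end]["submitted"] - group[start]["submitted"] > window:
                start += 1
            in_window = group[start:end + 1]
            if len({a["identity"] for a in in_window}) >= min_identities:
                hits.update(a["id"] for a in in_window)
        if hits:
            flagged[link] = sorted(hits)
    return flagged

def _app(app_id, identity, minute, link):
    # Constructed sample record; every value is made up for the example.
    return {"id": app_id, "identity": identity, "link": link,
            "submitted": datetime(2024, 1, 1, 9, 0) + timedelta(minutes=minute),
            "data_matches": True, "device_flag": False, "image_tampered": False}

SAMPLE = [
    _app("A1", "id-001", 0, "link-x"),
    _app("A2", "id-002", 4, "link-x"),
    _app("A3", "id-003", 9, "link-x"),
    _app("A4", "id-004", 11, "link-y"),
    _app("A5", "id-005", 300, "link-x"),
    _app("A6", "id-006", 305, "link-y"),
]

def run_example():
    passed = [a["id"] for a in SAMPLE if case_level_ok(a)]
    bursts = traffic_level_bursts(SAMPLE, "link", timedelta(minutes=15), 3)
    return passed, bursts

if __name__ == "__main__":
    print(run_example())
```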
Like ending on a cliffhanger? More will be revealed, including how we came up with the term ‘serial fraud’, and closure is imminent. Read more in the second part of our story.