It started out like any other online loan.
Notre Dame Federal Credit Union reviewed the application. It did the necessary background checks, and authenticated the applicant’s credit score and background. But it wasn’t until a group of borrowers in Missouri abruptly stopped making payments that the South Bend, Indiana-based lender smelled trouble.
“These looked like bona fide real people — but when you pulled all of them together, especially out of the specific geographic area, red flags and alarm bells started going off,” said Brian Vitale, chief risk and compliance officer at Notre Dame Federal Credit Union. “We finally identified that these people didn’t exist. Unfortunately by that time, we were out $200,000.”
What the firm learned in hindsight was that the “people” applying for loans never existed. The credit union was a victim of “synthetic identity fraud.” Instead of stealing another person’s identity, a fraudster invents an entirely new, fake person and applies for anything from auto loans to credit cards.
The Indiana credit union is not the only victim. Boston-based Aite Group estimates this type of fraud costs U.S. lenders between $10,000 to $15,000 per incident. One estimate from Auriemma Insights puts the losses at $6 billion annually. This is the fastest-growing financial crime, according to the Federal Reserve, driven in part by lending moving online.
The rise of “Frankenstein” fraud
To fool lenders, fraudsters pick a random social security number, or buy one on the dark web. They will often look for one that was issued to someone younger than 18 years old — ensuring that person doesn’t have credit history. They then link a fake name, date of birth, and in some cases social media accounts. They start applying for credit and building up a FICO score, which in some cases takes years.
“It’s a really long con and an expensive one,” Naftali Harris, co-founder and CEO of San Francisco-based start-up SentiLink, told CNBC. “But once you have this fake person who has an 800 credit score, you can then use that to get multiple high limit credit cards and unsecured loans from banks.”
Credit bureaus link FICO scores to multiple factors — address, name, date of birth — as well as social security number. Harris said it’s common for a social security number to be linked to multiple names, because of human error or a name change. As a result, banks often ignore the “flag” that goes up.
SentiLink uses data to help customers, including three of the top ten U.S. banks, to determine if a borrower is real or using a fake identity. Harris was a data scientist at Affirm, which was started by PayPal founder Max Levchin. Levchin is now backing the company, along with Andreessen Horowitz. Harris first came across the type of fraud at Affirm and found that synthetic identities show certain patterns that data can identify.
“Synthetic identities and real identities behave very differently,” he said. “Real people show up, in terms of their credit history, roughly when they’re 18 or in their twenties and go about their lives living in a pretty ordinary way. Synthetic identities, though, behave in really erratic ways.”
Harris pointed to red flags like moving around a lot or aggressively growing credit. In many cases, he said they find organized crime rings that produce hundreds of different synthetic identities that behave in the same “unusual” way.
These instances are often under-reported, and categorized as normal credit losses. The Federal Reserve estimates that 80% to 90% of these instances are categorized as a credit losses.
“People don’t know to call it synthetic fraud — they just think someone walked away from a debt they owed,” said Jim Cunha senior vice president of secure payments and fintech at the Federal Reserve Bank of Boston. “It’s significantly underreported because most small and medium banks don’t believe they’re victims of it.”
There is not always a consumer victim, meaning no one individual is banging down the door of a bank to complain that their identity was stolen. But Cunha highlighted the possibility of criminals using younger peoples’ social security numbers since they often don’t apply for credit until they’re 18 and won’t notice a difference in their score.
This type of fraud has “sharply increased” over the past decade, according to Julie Conroy, research director for Aite Group’s fraud and anti-money laundering practice. In a recent survey, most bankers told the firm that synthetic identity fraud problem is bigger than the losses they take as a result of identity theft. One factor making it easier to piece together real identities is information being sold on the dark web after data breaches.
“Criminals take a Social Security number here, and a name there, and bring them together to form a new Frankenstein person,” Conroy said. The recent economic boom is also allowing credit issuers to loosen standards and that makes it “easier for a new synthetic record to get a foothold with the bureaus,” she said.
In 2011, the Social Security Administration decided to start randomizing the issuance of Social Security numbers, which Conroy said has made it easier to pick a random social security number without being flagged. There used to be a logic of a person being born in 1984, and a social security number having digits consistent with that year.
“All of that logic went out the window, making it a lot easier for fraudsters to just pull a nine digit number out of the out of thin air,” she said. “Collectors might track down folks and come across the person that owns the social security number — but none of the other identity information matched because it wasn’t synthetic.”
Some of the knowledge-based verification questions from lenders — including “did you live at that address?” or “what type of car did you drive?” can be easily answered by these criminals if they were the ones who formed the identity in the first place.
“What was most concerning was the fact that these new members to the credit union who applied online, passed the knowledge-based authentication questions with flying colors,” Notre Dame Credit Union’s Vitale said. “This was a highly coordinated attack on us, for a significant amount of money.”