On a warm day in May, agents from the FBI and the U.S. Postal Inspection Service descended on a leafy neighborhood in South Carolina and raided the home of a DJ suspected of using fake identities to obtain 558 credit cards from Capital One Financial Corp.
Outside the house in Rock Hill sat a small fleet of luxury sedans that the man, Charles Whitlock Jr., had bragged about on Facebook, writing, “My Car Detail Bill is getting up there, lol.” Inside, investigators found a pair of handwritten ledgers listing names alongside purported Social Security numbers, birth dates, and addresses—tracking some of the identities he allegedly had cultivated since the end of 2013. Prosecutors estimate Whitlock tapped at least $340,000 using the credit cards. He says he’s innocent.
Such scenes are part of a newly defined front in the war against credit card fraud. Known as synthetic identity theft, the scam relies on creating identities rather than stealing existing ones. The headaches for lenders may soon get worse: The credit reporting agency Equifax Inc. announced on Sept. 7 that hackers may have stolen from it the names, SSNs, and other personal information of about 143 million U.S. consumers. That could be a big help to traditional identity thieves, and, if they’re able to blend the stolen information into new identities to open credit lines, to synthetic thieves, too.
Barely on the radar a half decade ago, the technique may already account for as much as 20 percent of credit card loans that go bad, according to Auriemma Consulting Group. Synthetic identity theft probably cost banks at least $6 billion in 2016, the payments consulting firm estimated last month, based on an analysis of major lenders’ data on soured loans.
The crimes are increasing just as banks have won a long-sought victory against fraud. The financial industry spent years arm-twisting retailers to upgrade their credit card terminals so they could accept computer chips. This is supposed to prevent criminals from stealing numbers, printing their own plastic, and going on shopping sprees that leave banks on the hook. Synthetic theft, meanwhile, has been in the wings, making headlines after the arrest of pioneering con artists or crime rings—including one that allegedly made off with $200 million. But perhaps because synthetic identity theft requires a lot of time, the incidents never seemed to add up to a crime wave. That’s starting to change.
Synthetic fraudsters buy stolen SSNs or try to guess numbers not in use, then combine them with a sham identity. Using other people’s real addresses, they begin applying for cards. Banks usually reject the first requests after seeing that the applicant has no credit profile. Still, the banks’ inquiries generate placeholder profiles with a credit bureau. Thieves keep applying for cards until a lender eventually opens an account. Then the long con starts. Fraudsters can spend years faithfully paying the monthly bills for the cards—which they may have forwarded to P.O. boxes or their own homes—while watching credit limits tick higher. After an identity is established, they sign up for more cards. They may add authorized users to the accounts, establishing additional identities that can later seek their own credit. When the scheme is ripe, the fraudsters charge everything to the hilt, a phase commonly known as “busting out.” Payoffs can stretch into the tens of thousands of dollars. The identities are then discarded.
When a synthetic account goes bad, lenders often assume a good customer fell on hard times. Their collections departments may waste months trying to reach the borrower before realizing it was all a fiction. “In the last two months, I’ve talked to three large credit card issuers, two large telecommunication firms, a large retailer, a large auto lender, and a large fraud consulting company—and every one has had huge synthetic fraud concerns,” says Paul Bjerke, vice president for fraud and identity at LexisNexis Risk Solutions Inc., which helps banks and retailers manage risk in credit portfolios. Representatives from Bank of America, Citigroup, JPMorgan Chase, and Capital One, the four largest U.S. credit card issuers, declined to comment. Equifax didn’t respond to multiple requests for comment.
The most prized data for synthetic fraud are the SSNs of people who don’t use credit, including infants and children, because they give the thief a blank slate to work from. For decades, banks easily deflected attempts to use a child’s SSN because the owner’s birth year was baked into their digits. But in 2011, the Social Security Administration began randomizing numbers from start to finish. Despite this risk, synthetic credit card fraud is primarily a problem for banks, which are forced to eat the losses when a fraudster busts out and disappears. The true holder of a stolen SSN may have some difficulty applying for credit but isn’t responsible for any unlawful activity.
The SSA does operate a database that lenders can use to confirm an applicant’s name, birth date, and SSN. Banks pay a one-time $5,000 enrollment charge plus a fee every time they look up someone, which requires handwritten consent from the customer. Banks, which try to control costs by serving customers online or by phone, have pushed for the agency to “allow a more modern form of digital consent,” says Jason Kratovil, vice president for government affairs for payments at the Financial Services Roundtable. “We’re making efforts to educate the Hill as well.” The SSA said in an emailed statement that roughly 86 companies have enrolled in its verification service. “Safeguarding the public’s information is a top priority,” it said. The agency “does not accept electronic signatures on the consent form.”
Synthetic fraud is starting to pop up in data across the industry. The unemployment rate and credit card write-offs typically move in lockstep. But as the unemployment rate continued its steady decline this year, the five largest U.S. card issuers saw combined write-offs surge. That disconnect is at least partly attributable to synthetic fraud, Auriemma Consulting found. Banks started becoming particularly concerned after noticing write-offs were climbing among borrowers with higher credit scores, LexisNexis’s Bjerke says. “We’re seeing many more delinquencies and write-offs in these high credit scores that are out of whack,” he says.
Card issuers try to prevent synthetic fraud by noting which computers and tablets customers use to file credit applications. But Whitlock, the DJ arrested in South Carolina, filed 90 percent of his 750 applications by phone, using hundreds of mailing addresses, according to an affidavit filed by prosecutors.
Capital One eventually detected his activity with fraud analytics software. According to prosecutors, the bank realized that a variety of cardholders happened to be making transactions with the same cluster of merchants and PayPal accounts. Prosecutors say they obtained surveillance videos of the man using a variety of cards and that he also marketed himself on social media as a credit-repair specialist. He allegedly promised on Facebook that he could deliver three new lines of credit, a $20,000 car loan, and a FICO score of at least 720 within 48 hours.
Whitlock pleaded not guilty to charges of mail fraud, wire fraud, and bank fraud. He denies the prosecutors’ allegations, says his attorney, Kevin Tate, declining to comment further.
Cracking down on synthetic fraud risks making it harder for younger people and recent immigrants to get their first loans, says Ken Meiser, vice president for identity solutions at ID Analytics LLC, a provider of risk solutions. For banks, “this is a market that they very much want to say yes in,” Meiser says. But “these wolves are hiding in among the sheep.”