You probably have a place where everyone knows your name – and maybe your address and your birthday and your favorite drink. This place could be your favorite restaurant, your office, or your grandma’s house. It doesn’t matter where this place is; when everyone in the room greets you by name, it gives you a warm feeling inside, knowing that this is where you belong. But threat actors use this same type of information and this same sense of comfort to commit synthetic identity theft.
There is one other place that might know your name and many other details as well – the dark web. Cybercriminals collect Personally Identifiable Information (PII) from anywhere they can find it and sell it on the dark web. From there, they can use this information for fraud purposes. Many believe that these thieves need a lot of information about you in order to do harm. Really, all they need is one piece of information, like your name, date of birth, or phone number. Like Dr. Frankenstein, identity thieves take one or two pieces from multiple people to create a new fake person. This is synthetic identity theft, and it is an increasingly popular type of financial fraud.
The rise of synthetic identity theft
“[S]Thetic identity fraud is the fastest growing type of financial crime in the United States, accounting for 10-15% of write-offs in a typical unsecured loan portfolio, “according to McKinsey.
Scammers use this fake character in two ways. First, they could make a one-time use to get a credit card. They apply for the card with a stolen social security number, then use the card for a single big purchase or cash withdrawal, or create a character to get your tax refund.
The second method takes longer but has a higher reward. The fraudster builds a full synthetic identity and uses it to establish a high credit limit. When it peaks, they are fully devoted to the expenses and do not reimburse. This can generate millions of dollars for thieves, who can create thousands of accounts as well. It is difficult for victims to find out if their personal information has been used in this way because it is only one piece of information and not the person as a whole.
Synthetic identity theft hurts businesses and consumers alike. Businesses lose money if they are used for fraudulent purchases. During the pandemic, some small and medium-sized businesses excluded from funding for the paycheck protection program and other emergency loans due to synthetic identity fraud, robbing limited funds where they were really needed. And any PII lost in a data breach and used in this way can both impact a company’s bottom line and damage its reputation.
How they collect information
As mentioned earlier, stolen personal information is bought and sold on the dark web, but attackers must first collect it. Identity thieves use every possible site to get the data they need. They will steal mail from letter boxes and rummage through trash cans and recycling bins. They scour social media sites and corporate ‘meet our team’ web pages to initiate corporate identity theft.
The risk of identity theft is the reason why the Federal Trade Commission (FTC) has warned consumers about putting their vaccination cards online. “For example, just by knowing your date and place of birth, crooks can sometimes guess most of the digits in your Social Security number,” the FTC said.
Or, thieves can create fake vaccine passports that can be sold to people who haven’t received the vaccine.
They also take advantage of user laziness. Autofill boxes on websites are useful for anyone who has had to fill in the same fields over and over, but can also play directly into the hands of attackers. Or you can stay signed in to smartphone apps with personal information or sensitive business information embedded. Attackers dig into these digital ID cards and use them to create new personalities.
Basics of Identity Theft Prevention
Let’s be realistic. Personal and business information is already widely available and probably already at least partially compromised. However, this is no excuse for allowing threat actors and fraudsters to collect even more personal information or to put customer data at risk. Corporate websites are expected to make it more difficult to locate employees, especially high-level personnel who are most at risk of targeted attacks. They need to limit the amount of data that customers can store on their e-commerce sites. Users can strengthen their security against identity theft with the following:
- Disable autofill features on your browser.
- Always click “never” when asked if you want your browser to remember your password.
- Completely sign out of apps and websites after each use.
- Never use public Wi-Fi when filling out forms requiring personal information.
- Think about what you share on social media.
Social security number theft and other forms of identity theft are popular because it is easy to collect personal information and difficult to discover until it is too late. Synthetic identity theft is even more popular because fraudsters can create thousands of personas with a mixture of real and fake information. It is a difficult crime to prevent. Consumers and businesses must take action to stop allowing fraudsters to do their dirty work.