Synthetic identity fraud has been called one of the fastest-growing financial crimes in the U.S., costing financial institutions (FIs) north of $6 billion a year. By way of background, synthetic identities are most commonly created by combining real information, such as a legitimate Social Security number, and fictitious information, which can include a false name, address or date of birth — or they can be entirely fictitious. It has become a larger problem throughout the pandemic, particularly at the point of onboarding.
And the damage has been significant, as account takeovers (ATOs) were especially prevalent in 2020, with 60 percent of businesses reporting losses from those attacks. In an interview with PYMNTS, Jose Caldera, chief product officer at Acuant, said a “layered” approach to fighting fraud is the best defense — but it’s never a static one.
Caldera noted that every business interaction requires at least the assumption that a firm is dealing with the “right” person on the other end of the transaction — that they are, in other words, who they say they are. But for the fraudsters themselves, there’s a financial incentive to getting away with presenting a different identity, whether it’s getting paid by an organized crime group or engaging in illegal purchases on their own. At the same time, said Caldera, most of the fraud detection methodologies used by FIs and corporates haven’t necessarily gone beyond looking at pieces of (identity) data. To be more effective, FIs must create more complete, holistic views of users’ information to ascertain their identity.
Fraudsters, Lying In Wait
“There are many synthetic identities that have been cobbled together over three or four years, or more,” noted Caldera. Synthetic fraudsters have been silently collecting and building “history’” for these synthetic identities, so they can fool risk and compliance teams. They can (and do) choose at any point in time to use these slowly-built fake identities to execute their fraudulent schemes (call it a way of playing the “long game” in fraud). Detecting these synthetic identities is very difficult, because to the most pragmatic application of detection technologies, they appear to be authentic. The only option to uncover them is to take what Caldera calls a layered approach that embraces document verification, biometrics and monitoring, among other tactics.
That layered approach includes applying the right technology when a customer is being onboarded, and then using that technology to continuously monitor activities going forward.
Caldera’s comments dovetailed with a Federal Reserve report last year, which found that a “multi-layered” strategy that makes use of manual and digital information analysis provides the best odds of discovering and alleviating fraud caused by synthetics. And in forming that layered approach, he said, “how you invest in detection has to do with what you’re trying to protect. You need to think about layers of defense, about different types of technologies. And there are different types of value in relation to the value of what you are trying to protect.”
The goal of document verification is to establish whether a document is real or not, said Caldera — but robust technology that requires selfies, or “liveness” detection, makes fraud all the more expensive for criminals. After all, it takes time and money to draw up fake documents and try to outwit systems. Cross-checking those documents against secure database use attributes gleaned across clients and a history of transactions helps to narrow down the “likelihood” that identities are compromised.
“All of those technologies are basically trying to look for clues in the history and the behaviors of those attributes in different types of systems, such that you can validate that those attributes are being used together — that a Social Security number doesn’t belong to a deceased person or a 10-year-old kid,” explained Caldera.
But there’s no silver bullet, he cautioned — as technologies evolve, so will fraudsters. The businesses that succeed the most will be those that understand changes in the threat landscape. Those efforts would be onerous for a company to tackle on its own, so partnership models and platforms are critical, said Caldera, which means giving access to multiple vendors and technologies.
“It will be too costly for these clients to manage five or 10 vendors,” said Caldera. “Whereas if they work with a vendor that has an orchestration layer, they can take advantage of all these pieces seamlessly put together. There is a natural progression in the market that is moving toward solutions like ours.”