An increasingly popular type of identity fraud is exceptionally difficult for banks to prosecute. Why? Because the people stiffing the banks don't actually exist.
That's right: It's called "synthetic identity fraud" and it's become a tool for scammers to siphon off hundreds of thousands of dollars without living with the guilt of ruining the credit scores of all those little old ladies.
The Wall Street Journal explained how it works in a recent story: Scammers apply for loans at dozens of banks using made-up information (names, Social Security numbers, etc.). Because these people have no credit history, the loans are typically rejected - at first. But just by applying for a loan, the credit bureaus - Equifax, TransUnion and Experian - save an individual's information, and after a person applies again and again, eventually, these attempts become enough to seemingly will a credit history into existence.
Essentially, the scam exploits one vulnerability of the credit-check system: It's difficult for banks to tell the difference between a person with no credit history and a person whose identity has been made up.
Synthetic identity fraud was first discovered by law enforcement in 2012, when lenders and law enforcement started reporting unusual instances where confirming an individual's identity proved to be impossible. They quickly realized that many of them weren't real people.
TransUnion says it began hearing from lenders and law enforcement about unusual fraud cases between 2012 and 2014. It began investigating, searching for driver’s licenses, voter registrations and other records to confirm identities. When nothing turned up, TransUnion investigators realized the cases could be tied to fabricated identities.
The company blocked thousands of credit reports from future use, figuring any real people would get in touch, says Lee Cookman, a director in its identity-solutions department. None did.
TransUnion and Experian say it is tough to distinguish between a fake person and a real person applying for credit for the first time with legitimate identifying information that isn’t on file. Equifax didn’t respond to requests for comment.
Since then, it has blossomed into one of the biggest threats to credit-card lenders. Synthetic frauds are already costing banks countless hours - and billions of dollars.
One man in South Carolina was arrested after creating 750 "synthetic identities" and applying for loans through them.
Already, credit bureaus estimate that at least $350 million in outstanding credit-card debt is owed by people who don't exist.
TransUnion says a record $355 million in outstanding credit-card balances was owed by people who it suspects didn’t exist in 2017, up more than eightfold from 2012. It estimates lenders have issued credit cards or loans to millions of synthetic identities in the US.
In January, Accenture PLC listed synthetic-identity fraud as one of the biggest threats facing banks in 2018, saying it would be “costing banks billions of dollars and countless hours as they chase down people who don’t even exist.”
In Rock Hill, S.C., a 50-year-old man was arrested last year after applying under synthetic identities for more than 750 credit cards; he pleaded guilty. Earlier, a Southern California man pleaded guilty to conspiracy to commit bank fraud using synthetic identities, agreeing to forfeit properties in Los Angeles, West Hollywood and Santa Monica bought with the proceeds.
Scammers turned to synthetic identities as fraud detection software used by banks became increasingly skilled at foiling conventional cybercrime.
One scammer who created 300 synthetic cards and was eventually sentenced to several years in a federal prison
Criminals have taken up this new ruse in part because lenders and borrowers have gotten better at protecting against more traditional fraud, which often involves using stolen data about real consumers, says Chris Pinion, who specializes in fraud strategy at LexisNexis Risk Solutions, a unit of RELX Group.
Bypassing actual consumers, scammers such as Mr. Lyles trip fewer alarms. An Alabama native, he had worked at a debt-collection firm and as a U.S. Navy service member trained in electronic warfare, according to court records. He was once chief financial officer at Chosen Destiny Foundation Inc., a nonprofit serving Atlanta’s homeless.
Over two decades, he was convicted of crimes such as motor-vehicle theft and marijuana possession, court records show.
“He’s a good son, a loving father, and he took care of his family to the best of his ability,” says Betty Hollinger, his mother. “Whatever else happened, I just don’t know.”
Mr. Lyles, in federal prison for the fraudulent credit-card scheme, didn’t respond to interview requests. His lawyer, Careton Matthews, declined to arrange an interview with his client. “Mr. Lyles accepted responsibility early on,” he says. “He is remorseful for having committed the acts that caused him to be sentenced.”
Ironically, an innovation by the Social Security Administration meant to prevent fraud helped give rise to the "synthetic identity fraud" phenomenon.
Using CPNs on loan applications is illegal, says Stephen Stigall, partner at law firm Ballard Spahr LLP, and can subject their users to charges of making false statements to banks, bank fraud or conspiracy to commit bank fraud.
Lenders lack methods of instantly distinguishing credit-profile numbers from Social Security numbers—in part an unintended consequence of a Social Security Administration move meant to reduce identity fraud.
The agency used to generate numbers in predictable patterns. The first few digits corresponded to a person’s ZIP Code when the number was issued, letting lenders cross-check the number with other application entries. In 2011, the agency began generating numbers randomly. That made it tougher for lenders to spot fakes.
An agency spokesman, Darren Lutz, says “randomization represents an important step forward in preventing the compromise of SSNs and preventing identity theft” including by making it harder for scammers to reconstruct numbers using public information.
But whether this mistake will be fixed - i.e., whether the SSA will go back to using patterns when assigning SSNs - remains to be seen. To be sure, that method also had its vulnerabilities.
But given the ease with which one scammer can marshal dozens of "fake" (but usable) identities - well, people who've had their sensitive information stolen in a major corporate hack can at least sleep a little easier: You're no longer the target criminals covet.