Insight

Detecting the undetectable

Strategies for identifying synthetic identity fraud

Matthew P. Miller

Matthew P. Miller

Principal, Advisory, Cyber Security Services, KPMG US

+1-571-225-7842

Chadd Carr

Chadd Carr

Director Advisory, Cyber Security Services, KPMG US

+1 571-619-4448

Sophia Chen

Sophia Chen

Associate Advisory, Cyber Security Services, KPMG US

+1 949-885-5511

In the first two installments of this series, we covered what synthetic identity fraud is and how its difficulty to detect has made it such a prevalent and lucrative type of cybercrime. By now, we know that traditional detection mechanisms have limited effect against synthetic identity fraud. In this article, we’ll explore strategies for how we can effectively identify and combat this popular fraud variant.

Defending against synthetic identity fraud starts by addressing how fraudsters get their foot in the door: through the application process. As an Experian report states, “Sometimes, the best offense is a good defense. That’s certainly true when it comes to detecting synthetic identities, which by their very nature become harder to find the longer they’ve been around.”1

Prevention at the application stage is crucial—catching and rejecting fraudulent applications denies fraudsters of any opportunity to exploit. As a crime specifically designed to circumvent existing security checks, one strategy is to employ third-party data to aid in verifying an identity’s legitimacy. Based on the details provided, we could aim to answer if the applicant is real using these common signs of synthetic identities from LexisNexis:2

  • Depth of relationships: Synthetic identities will have no relatives or associates.
  • Identity consistency: Has the personally identifiable information (PII) of the applicant always been used together or has the one Social Security number (SSN) appeared with different names or addresses?
  • Identity history: Synthetic identities will have no history of birth records, DMV records, passports, utility bills, etc.

Chaining information from various third-party sources to ascertain these signs provides powerful insight into whether an applicant should be flagged as fraudulent. At this stage, organizations may choose to have someone further investigate these applications or outright reject them.

Organizations can further bolster their defenses with artificial intelligence and machine learning (AI/ML). ML models are trained with existing, known data and are used to predict future, unknown outcomes. In this case, we would assess historical data with applicants’ information and whether an application was determined to be legitimate or fraudulent. Because there are only two outcomes, this is known as binary classification. Training and adjusting the binary classification model would allow us to determine—to a certain degree of confidence—whether an incoming application should be flagged.

During the application process, the goal would be to detect and reject all fraudulent applications. But what if a clever fraudster manages to slip through? While it’s true that some may immediately take advantage, synthetic identities often persist as fraudsters build legitimacy and receive subsequent credit limit increases before “busting out.”

This presents the opportunity to monitor identities throughout their lifetimes. An AI/ML-directed strategy would analyze user behavior and patterns to identify anomalies, which suggest that an identity may be synthetic. Examples of anomalies include if otherwise unrelated accounts are being accessed by the same devices or IP addresses or if payments are being received from the same accounts.

Although these advanced analytics require an organization’s investment, its cost is far overshadowed by the potential loss that synthetic identity fraud incurs. It’s estimated that the cost of synthetic identity fraud has more than doubled between 2015 and 2020, and its frequency is only growing; Juniper Research predicts that synthetic identity fraud will be responsible for $48 billion of losses by 2023.3

At the KPMG Center for Cyber Analytics Research, we combine our experienced knowledge of cyber security with leading advanced analytics capabilities to deliver a robust, data-driven approach to outsmarting fraudsters. To learn more about how our methodology can facilitate your organization in combating synthetic identity fraud, request a demonstration by contacting Matt Miller and Chadd Carr.


Footnotes

  1. Detecting Synthetic Identities: The Best Offense is a Good Defense, Experian, December 2019.
  2. Synthetic Identities Can Often Appear to Be Legitimate Customers, LexisNexis, August 2020.
  3. Synthetic Identity Fraud: What You Can’t See Can Hurt You, SAS blog, April 2021.