The Increasing Sophistication of Synthetic Identity Fraud
- Doriel Abrahams, Principal Technologist at Forter
- 23.04.2024 02:00 pm #security #fraud #ecommerce
Synthetic identity fraud is most commonly associated with fraud in banking or against credit unions but is often mistakenly overlooked in digital commerce. With fraudsters becoming more clever about how they use synthetic identities, it’s a tactic that fraud fighters need to watch out for and guard against.
Synthetic Identities are Not New
Synthetic identity fraud is when a fraudster takes a piece of real identifying information belonging to a legitimate individual and combines it with other identifying information that is either fake or real but belongs to someone else.
This is often seen when a fraudster uses a National Insurance number and combines it with fake or other stolen data tied to the NI number. They then start a line of credit and may eventually take out large loans. When they’ve utilised the stolen identity as much as possible, the fraudsters disappear with the money.
Just before fraudsters disappear, they sometimes splurge on expensive items using the spurious line of credit they’re about to abandon, which occasionally causes a knock-on effect within the digital commerce ecosystem. But it’s rarely a problem for merchants as this kind of fraud doesn’t usually result in a chargeback.
What digital commerce fraud teams are used to seeing is fraudsters combining real and fake information, e.g., combining a real credit card and the associated name and billing address, with a fraudulent shipping address, email address, and phone number that the fraudster controls. This is one of the most common kinds of fraud in digital commerce, though it’s not always recognised as a form of synthetic identity fraud.
The Other Kind of Synthetic Identity Fraud Enters Ecommerce
A new trend has brought synthetic identity fraud to the forefront of digital commerce fraud teams. Where fraudsters used to combine real identity information with fake data, now they’re increasingly combining it with real identity information from another real person. This type of trick has increased 35%-45% over the last 18 months, and most industries are affected.
For example, fraudsters take the name and credit card of one John Smith, and match it with the email address of a different John Smith. Even if the second ‘John Smith’ gets a strange email, he won’t think anything of it; even if he checks his account with that retailer, he’ll see nothing is amiss. There’s an extra layer of obfuscation. It’s more effort than coming up with fake information, so why do they do this?
The answer is simple: it looks more legitimate. If retailers look at any of the data points individually, they’ll show a good long history. In combination, they look plausible; you might just think that a retailer’s site has never seen them together. Any order or activity using this synthetic identity is more likely to be approved or fly entirely under the radar. Fraudsters are slightly more likely to use this technique with higher value orders, presumably because slightly more work is required.
GenerativeAI Makes Everything Easier
Whilst experimenting with ChatGPT and similar models, I’ve found that although generative AI has been primed not to automatically collaborate with an obviously fraudulent request, it’s very easy to use it to speed up and streamline a fraud attack with virtually no effort.
For instance, you can request it provide a list of 100 addresses in a specific area. Or if you’re going after fake data, you can ask for a list of 100 email addresses that include ‘johnsmith’. And so on.
Using generative AI tools for fraudulent purposes isn’t new — given enough thought, any tool can be misappropriated for fraud. What is worrying is that fraudsters can do this with absolutely no effort at all. Over the last decade, fraud has become increasingly easy to enact with moderate success, and generative AI is lowering the bar even further. Synthetic identity fraud is an important part of that picture.
Identity is the “Big Picture”
As a result, it’s more important than ever to view identity as a complex, many-layered entity. You can’t look at static data points, no matter how often you’ve checked them in different sources or databases.
Retailers need to analyse an identity based on everything they can see about the user, including their behaviour, whether there are anomalies compared to past sessions or compared to typical sessions for their persona or age range, cyber intelligence, and more — all within the context of everything they can see about other identities on other sites, both historically and in real-time.
For merchants’ fraud teams, it’s vital to deploy probabilistic linking that analyses the connections between multiple identities. This will enable them to determine whether this is the same person they’ve seen before, a person that the network has seen on different retail sites — or a fraudster cheating in some way to look as legitimate as possible.
Fraud teams need to be able to visualise all data connected to an identity, and other identities that may be connected to it, otherwise they are at risk of synthetic identity fraud. The identity might be synthetic, but the risk to merchants’ businesses is all too real.