1. Sales & Marketing
  2. Finances
  3. Your Team
  4. Technology
  5. Social Media
  6. Security
Product and service reviews are conducted independently by our editorial team, but we sometimes make money when you click on links. Learn more.
Grow Your Business Security

What Is Synthetic Identity Fraud?

What is synthetic identity fraud?
Credit: JohnKwan/Shutterstock

Identity theft is a term that most are familiar with – it occurs when someone else uses your name or other personally identifiable markers, such as birthdate, Social Security number or email address, without permission, to commit fraud.

Identity theft can happen to an individual, but it can also happen to a small business owner. It is a crime that is easy for fraudsters to commit and difficult for victims to rectify. Because thieves are increasingly acquiring stolen information through data breaches and other security incidents, business owners must be vigilant about protecting customer information.

Because fraudsters are smart and don't want to get caught, they are changing their tactics. One way they are doing this is through synthetic identity fraud.

"Synthetic identity fraud is when a criminal combines real but often stolen information, like a child's Social Security number with a falsified name to perpetrate fraud," explained Ron Schlecht, managing partner at BTB Security, an information and IT security company. "Unlike typical identity theft, the pieces of fake information make the fraud harder to trace and the identity difficult to verify."

Fraudsters go after a child's Social Security number in synthetic identity fraud for a simple reason: A child doesn't have a credit history. They then combine that number with identifiers from someone else and apply for a loan or a credit card and get denied because there is no credit report available.

"Keep in mind, most creditors do not verify full information when people apply for credit and only check for a credit record," said Schlecht. "The denied request for credit then becomes part of the synthetic identity's record, and on the next attempt for credit, the identity shows a record of applying even if it still has no credit history."

The fraudster continues to use this synthetic identity until they hit pay dirt and a creditor accepts them. Once that happens, it is very difficult to trace the fraud, because the number doesn't match any of the other identifiers used. The fraud can't be pinned to a real person. The child and parents may have no idea the fraud occurred until they go to apply for a driver's license or student loan.

How do they find a child's Social Security number? They can use a source like SSN Validator to find legitimate Social Security numbers based on the number formatting, according to Frank McKenna, chief fraud strategist at PointPredictive, a leading provider of fraud solutions to banks, lenders and finance companies.

Once they have that number in hand, fraudsters then often open up a new phone number through a service like Google Voice or to a burner phone, so they can be called but no one can trace them to a specific phone account. They also set up a post office box in their new identity name, if they prefer not to use someone else's physical address. Once completed, the fraudster is ready to start applying for credit cards and loans through online vendors. They can also easily vanish once the money or credit is in hand, never having to pay back a cent. Instead, they move on to the next identity.

Synthetic identity fraudsters can bypass all kinds of filters and checkpoints businesses set up for identity fraud and cybersecurity. They often target small businesses and entrepreneurs who deal in the financial industry because it is easier to slip through their systems.

"Small businesses offering some type of credit for customers are taking on more risk than their enterprise counterparts because their fraud monitoring and filters are likely not as sophisticated," warned Schlecht.

But all small businesses and entrepreneurs are at risk in another way – their identifiers can also be used for fraudulent activities. "Small businesses and entrepreneurs should be particularly careful in the granting of credit but should also be wary of their own employer ID (EIN) being stolen and used as a part of a synthetic identity theft," explained Steven J.J. Weisman, Esq., an Amherst, Mass.-based lawyer who specializes in identity theft issues.

The identity thieves also use the stolen EIN to make a counterfeit W-2s, setting up tax return fraud to get a large refund. "This can make a problem for the company because now IRS records indicate the employment records of non-existent employees and while this will be straightened out, it can be a time-consuming process for the company or entrepreneur," Weisman added.

Another fraud tactic is to use the EIN of a company, along with the company name, as a guarantor of a loan which creates further problems for the victimized company.

Weisman offered the following steps to protect your EIN from potential theft and fraudulent use:

1.  Monitor your state filings to ensure that they have not been tampered with.

2.  File all state business reports in a timely fashion. Scammers can easily go online and identify companies that are not diligent in filing necessary forms promptly as these companies may also be less diligent about monitoring use of their EIN and company information.

3.  Limit the access to the company's EIN as much as possible. The more people that have access to it, the greater your risk is of synthetic identity theft.

Synthetic identity fraud is currently the most common type of identity fraud, and it is very difficult to detect or prevent until it is too late for the victim. "The only way to prevent this is increased reliance on information and technology to verify real identities," said Schlecht. "Unfortunately, this is harder in practice than it should be."

Sue Marquette Poremba

Sue Marquette Poremba is a freelance writer based in State College, Pennsylvania. She primarily covers cybersecurity and emerging technology, with a particular emphasis on how emerging technology and cybersecurity overlap.