What Is Synthetic Identity Theft?

Everyone’s heard of identity theft – it’s the fraudulent practice of using the name of another person to gain something of value; in most cases, we all hear of identity theft when a data breach of our personal accounts happen. In other cases, we might be informed of identity theft when someone tries to obtain loads or credit while using our name; however, what most people don’t know is that there are multiple types of identity theft – one of them is synthetic identity theft and that’s what we are exploring in this blog.

What is Identity Theft?

Some might call identity theft a fraudulent practice, some might call it a “process” – however, no matter what it’s called, the aim of it is almost always the same – the aim of identity theft is to steal your personal information and use it to the attacker’s advantage. Some attackers go even further and combine identity theft with credential stuffing – a practice in which cybercriminals use credentials obtained from a data breach of one service to cause harm (log in) to another unrelated service.

Synthetic identity theft is a little different, though – it’s a type of attack where a fraudster uses a combination of real and fake information to create a new identity for themselves. Synthetic identity theft – or synthetic identity fraud, whatever we want to call it – is arguably the fastest-growing type of financial crime in the United States because such a crime is:

1. Relatively easy to accomplish.
2. Hard to detect and track.
3. Being used to do a lot of harm to its victims.

Synthetic Identity Theft Explained

Synthetic identity theft is a type of attack where a nefarious party steals information from a person to create a fake ID with some of the information attributable to the victim (e.g. SSNs, names, dates of birth, etc.), and combine the real information with bits and pieces of false information (false addresses, etc.) as well. Attackers using synthetic identity theft may be able to:

1. Defraud financial institutions such as banks by providing them true information (see example above.)
2. Use it for credit card fraud – some attackers are able to open a credit card to purchase things on credit, but they never have an aim to repay the credit. And since their account was created using a combination of real and fake information, the company that issued the credit card cannot take action on the fraudster.
3. Open an account with partly true information and later apply for a loan.

The results of synthetic identity theft can be devastating – no matter who is targeted, such an attack is very hard to detect and investigate due to its nature (see above), and it frequently provides a big financial upside for an attacker. Consider and weigh all of the variables, and you will see the reason why it’s growing so quickly.

As hard as it may be to believe, even large institutions and banks often fall prey to such an attack – and a very good part of that reason is that attackers keep providing a lot of legitimate information to such institutions – thus, they believe the fraudster.

According to research made by Carnegie Mellon University (CMU) in 2011, as far as identity theft attacks are concerned, attackers target children more and more frequently as well – on the 9^th page of their paper, CMU notes that an attack rate on children is 51 times higher than an attack on adults. The paper also digs into other things – for example, whether child IDs are “preferable” for attackers, etc.

Preventing Synthetic Identity Theft

As dangerous as synthetic identity theft and it’s brother identity theft may be, we can easily secure ourselves by following basic cyber security advice. We need to make sure that we:

• Stay alert and aware of phishing at all times – email is still one of the most frequent mediums to conduct phishing attacks, so we need to be aware of that fact.
• Secure our email address – this piece goes hand in hand with the first statement. The more secure our inbox is, the safer we will be.
• Our credit and debit cards are always with us and they are not left in an easily-accessible place.
• We don’t share too much personal information about ourselves online – synthetic identity theft is a combination of real and fake information about us, remember?
• Finally, we should always remember to use a safe and secure password everywhere we go – as our password is key to the success of identity theft or synthetic identity theft, we must keep it in a safe place as well. Also consider two-factor authentication – that way, even if our password becomes known to the attacker, they cannot mount attacks directed at us.

Ways to protect ourselves from synthetic identity theft are heavily interlinked with ways to protect ourselves from identity theft as well – however, at the end of the day, it all comes down to basic security measures. Employ them and you will be safe. However, if you’re running a company, you might want to employ a couple of additional security measures to prevent identity theft attacks both now and in the future – one of them amounts to employing the power of data breach search engines. The BreachDirectory API and data breach search engine serve two distinct purposes – the API provides all of its users (companies, universities, as well as individuals) with the ability to scour the data breach database for accounts or website domains that could have been victims of a data breach and receive a REST response, while the data breach search engine provides all of its users with the ability to evaluate whether their account has appeared in a data breach.