In today’s digital age, cybercriminals have no shortage of methods to steal people's identities and sensitive data. One such method is synthetic identity theft, which is becoming one of the most dangerous and common forms.

In fact, according to figures published by the Federal Reserve Bank of Boston in August of 2022, the losses from synthetic identity theft in the U.S. were estimated to be around $20 billion in 2020, rising from $5 billion five years ago.

But what is synthetic identity theft? And how can you protect yourself from it? Keep on reading till the end to find out.

Here is a quick visual spoiler of how synthetic identity theft works:

Image Source: Socure on VentureBeat

In this post, we’ll discuss everything a coder/software engineer/developer needs to know about this form of identity theft.

Ready? Let's roll...

What is Synthetic ID Theft?

Synthetic identity theft is a type of fraud in which a hacker creates an artificial identity by combining real and fake information.

This includes stealing legitimate identifying documents such as Social Security numbers (SSNs) and then using them to apply for credit cards, loans, or other services that need personal identification.

The thief can then use this new “synthetic” account to buy goods or services. It is called "synthetic" because the identity created is not entirely real or false, but rather a combination of both.

Unlike other forms of fraud, such as credit card fraud and traditional forms of identity theft that involve stealing and using pre-existing accounts, synthetic fraudsters use stolen data to make entirely new accounts.

And what makes it so dangerous is that it’s challenging to detect and prevent, as it often involves many compromised accounts and false identities.

How Does Synthetic Identity Theft Work?

Most cases of synthetic identity theft start with the criminal stealing a real SSN. This can be done in various ways, such as buying stolen SSNs from the dark web or using publicly available information.

Once they have an SSN, criminals will create fabricated details to go along with it, such as names, addresses, and dates of birth. They can also use stolen personal details from other victims of fraud to create “Frankenstein” identities.

The thief can then use this information to apply for credit cards or loans, and buy assets while ultimately leaving the bills unpaid.

Not only does this damage the victim’s credit score, but it also allows the criminal to remain hidden as the accounts are made using another victim’s SSN.

This also makes it difficult for victims to prove that they are innocent and that their stolen data was used to commit fraud and default on payments.

Two Examples of Synthetic ID Theft in the News

There have been many cases in the news recently that have highlighted the growing prevalence of synthetic identity theft. Below are just two notable examples:

  • In 2020, a 43-year-old male named Adam Arena, and 12 other alleged accomplices, were charged in New York on suspicion of attempting to defraud banks of more than $1 million using synthetic identities they created by merging legitimate SSNs with fake or mismatched names to construct new identities.
  • In 2013, one of the biggest international credit card fraud schemes took place in the U.S., involving more than 7,000 synthetic identities. The crime ring consisting of 18 individuals was estimated to have stolen north of $200 million before being caught.

Who Does 'Synthetic' ID Theft Target Typically?

Cybercriminals typically target those who have a lower risk of being detected. Often, these are people who aren’t keeping track of their credit reports or using identity theft protection services.

Some of the most commonly affected targets of synthetic identity theft include:

  • Children
  • Seniors
  • New immigrants
  • Inmates
  • College students
  • Military personnel deployed abroad

How Common is the 'Synthetic' Type of ID Theft?

Source: IdentityTheft.org

Synthetic identity theft is evolving and becoming more common, with the FTC noting that it’s one of the fastest-growing forms of fraud.

In fact, "true-name" identity theft in which hackers pretend to be you now only makes up roughly 10-15% of all ID theft cases.

The harsh reality is that in 2021 alone, this form of fraud cost Americans about $5.8 billion and this trend is only expected to continue.

Why is this Type of ID Theft Becoming More Common?

Synthetic identity theft has become more common for a few key reasons.

  • This type of fraud can be challenging to detect because it’s often spread out over many accounts and victims, which makes it hard to trace back to one person or group. That in turn makes it easier for criminals to remain unknown and continue working for longer.
  • Criminals are becoming increasingly aware of the power and amount of data available. Due to data breaches, cybercriminals can easily steal or buy leaked data like your SSN from the dark web for as little as $2. This allows them to create compelling identities without much effort.
  • Finally, new technology has also made it easier for criminals to commit this type of fraud in bulk. They can now use bots to apply for different accounts at once or generate fake data, making the process faster and more efficient.

How Do I Recognize and Prevent Synthetic Identity Theft?

The best way to spot and protect yourself from this type of fraud is to be vigilant and watch your personal information online. If you do find something you do not want to be public, there are several ways to remove personal information.

Remember to always:

  • Avoid using SSNs if possible. Some websites and services may ask for your SSN as part of the registration process. Never provide this information unless you trust the website or it's necessary, as it can be used to generate a synthetic identity.
  • Check your credit report regularly. Look for any suspicious activity, such as unauthorized accounts or suspicious inquiries. Also, make sure you review all bank records, especially if there are any surprise transactions or new loans that don’t match your spending habits. Use a credit monitoring service to help you monitor your credit proactively.
  • Freeze your credit to help avoid identity theft. Freezing your credit can help to prevent new accounts from being opened in your name, making it more difficult for criminals to commit fraud. So, if you think your information has been stolen, it’s always a good idea to freeze your credit with the major bureaus.
  • Use identity theft protection software. Identity theft monitoring services like Experian or Lifelock can help track your credit report, alert you of suspicious activity, and help to restore your credit if it’s been compromised.
  • Check the mail for any suspicious enrollment letters or payment letters. If you receive any enrollment letters or payment notifications that don’t seem to make sense, it may be a warning sign of synthetic identity theft. So be sure to check these regularly and contact the sender if necessary.

How Can a Developer Protect Themselves against Synthetic ID Theft?

Developers should also take steps to protect themselves and their companies from synthetic identity theft. Some of the measures they can take include:

  • Hashing important data. Hashing is an approach used to mask sensitive information by changing it into an unintelligible string of characters. This makes the data harder for criminals to access or use for synthetic identity theft. A popular algorithm for data hashing is MD5, which always produces hashes that are 32 hexadecimal characters long. Keep in mind that MD5 is no longer considered collision-resistant, and that an unkeyed hash of a short value such as a nine-digit SSN can be matched by hashing every possible input, so a keyed construction such as HMAC-SHA-256 is the safer choice for identifiers. You can try hashing different texts with MD5 here.
  • Requiring user authentication on every page. A common mistake by website developers is not requiring user authentication on each website page. This may allow copied URLs with personal data, like confirmation pages, to be opened in another session without logging in. This is why requiring authentication on each page of your website or app can help you protect against automated attacks by bots and malicious actors. Using an identity and user management API service such as Okta Developer makes adding authentication to web pages a much easier process.
  • Avoid placing secret backdoors. Backdoors are small pieces of code that can be used to gain access to a system and its data. While backdoors may seem like an easy way for developers to troubleshoot and test the application, it’s important not to leave them in place, as criminals can exploit them for synthetic identity theft.
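
One way to enforce the per-page authentication described above is a deny-by-default wrapper around the whole application, so a copied confirmation-page URL redirects to login unless the request carries a valid session. This is an added example, not code from the original post; the cookie name, paths, key handling and function names are assumptions, and a production session would also carry an expiry.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

SESSION_KEY = secrets.token_bytes(32)   # per-deployment secret (assumption)
PUBLIC_PATHS = {"/", "/login"}          # hypothetical allow-list; all else needs a session

def issue_session(user_id: str) -> str:
    """Return a cookie value 'user.signature' bound to the server key."""
    sig = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{sig}"

def session_user(environ) -> Optional[str]:
    """Return the authenticated user id, or None if the cookie is absent or forged."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "session" not in cookie:
        return None
    user_id, _, sig = cookie["session"].value.rpartition(".")
    expected = hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(sig.encode(), expected.encode())
    return user_id if user_id and ok else None

def require_auth(app):
    """WSGI middleware: every path needs a valid session unless allow-listed."""
    def guarded(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        user = session_user(environ)
        if path not in PUBLIC_PATHS and user is None:
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        environ["app.user"] = user
        return app(environ, start_response)
    return guarded

def pages(environ, start_response):
    """Hypothetical application with a confirmation page holding personal data."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"page {environ['PATH_INFO']} for {environ['app.user']}".encode()]

def fetch(path: str, cookie: str = ""):
    """Drive the guarded app with a constructed request; return (status, body)."""
    seen = {}
    env = {"PATH_INFO": path, "HTTP_COOKIE": cookie}
    body = b"".join(require_auth(pages)(env, lambda s, h: seen.update(status=s)))
    return seen["status"], body
```

Because the check wraps the application rather than individual handlers, a page added later is protected without anyone remembering to opt it in.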

How Can a Company Protect Employees' IDs against Synthetic ID Theft?

DevOps and Security departments at companies need to take a proactive approach to protect their employees' and customers’ identities from hackers. Some of the actions they can take include:

Implementing data security policies. Organizations should develop and enforce a comprehensive set of data security policies that fall into two categories – people and technology.

People elements include:

  • Establishing an acceptable use policy, which outlines how your company expects users to interact with company resources.
  • Enforcing a password policy using a password manager tool such as IdentityForce or Lifelock, which generate and encrypt complex passwords.
  • Defining how employees are to use email services while at work.
  • Educating and reminding employees to use a VPN whenever they connect to a public WiFi network at an airport, cafe, restaurant or other public location.

Technology elements include:

  • Backing up and restoring server configurations using various cloud services.
  • Segregating corporate mobile devices onto networks with limited access to company intranets.
  • Encrypting data, so it is unreadable to any third party who gains access to it. Using a procedure such as the Zero-Trust security protocol can help identify data that should be protected.
  • Running background and criminal checks on potential new employees. Background checks provide a way to confirm the details provided by applicants and look for any discrepancies. They’re a great way to ensure that new hires have not been involved in any type of identity theft or fraud.
  • Restricting access to vital information to only those employees with a business need-to-know. Companies should ensure that vital data is only accessed by those who need it for business uses. This helps to protect business data from being accessed by malicious actors and used for fraudulent purposes.
  • Closely managing temporary workers’ activities. Temporary workers – such as interns or contractors – should also be closely managed to prevent them from accessing or sharing sensitive information without authorization after they part ways with your firm.
  • Avoid using SSNs to identify employees in the computer systems. Instead of using SSNs to identify employees in databases, firms should create and use random employee numbers. This makes it more difficult for criminals to access their personal data and use it for synthetic identity fraud.
  • Train staff with access to personal information about keeping that information secure. All staff with access to personal data should be trained on how to handle it properly and keep it secure. This includes explaining the importance of keeping confidential information protected and taking steps such as encrypting documents, not sharing passwords or personal data with anyone, and teaching them how to recognize phishing attempts or data breaches.
  • Keep personal information in locked file cabinets or password-protected systems. It’s important to store vital information in a secure place, such as locked file cabinets or password-protected databases. This helps to reduce the risk of an unauthorized person accessing or leaking it.
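
The hashing advice for developers and the random-employee-number advice above fit together: the record key is random, and the SSN is kept only as a keyed HMAC-SHA-256 token, which still lets the system notice one SSN arriving under a second name. This is an added example, not code from the original post; the class, function names and sample SSN are constructed, and keyed HMAC-SHA-256 is swapped in for the unkeyed MD5 the post mentions.

```python
import hashlib
import hmac
import re
import secrets

SAMPLE_SSN = "000-12-3456"   # constructed sample; area number 000 is never issued

def normalize_ssn(raw: str) -> str:
    """Strip separators and require exactly nine digits."""
    digits = re.sub(r"[\s-]", "", raw)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("SSN must contain nine digits")
    return digits

def unkeyed_md5(raw: str) -> str:
    """Unkeyed MD5: 32 hex characters, identical for anyone who hashes the
    same input. Only 10**9 SSNs exist, so this masks very little."""
    return hashlib.md5(normalize_ssn(raw).encode()).hexdigest()

def ssn_token(raw: str, key: bytes) -> str:
    """Keyed HMAC-SHA-256: cannot be recomputed without the server-side key."""
    return hmac.new(key, normalize_ssn(raw).encode(), hashlib.sha256).hexdigest()

class EmployeeDirectory:
    """Records are keyed by a random employee number; the SSN is never stored."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = {}    # employee_id -> {"name", "ssn_token"}
        self._by_token = {}   # ssn_token -> employee_id

    def enroll(self, name: str, ssn: str) -> str:
        token = ssn_token(ssn, self._key)
        if token in self._by_token:
            # Same SSN under a second record: a synthetic-identity signal.
            raise ValueError(f"SSN already enrolled as {self._by_token[token]}")
        employee_id = "E" + secrets.token_hex(6)   # random, not derived from the SSN
        self._records[employee_id] = {"name": name, "ssn_token": token}
        self._by_token[token] = employee_id
        return employee_id

    def stored_fields(self, employee_id: str) -> dict:
        """Return a copy of what is actually persisted for one employee."""
        return dict(self._records[employee_id])
```

The key belongs in a secrets manager or HSM rather than beside the data, since anyone holding both can recompute tokens for every possible SSN.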

Final Words

Synthetic identity theft is on the rise, but with vigilance and the right measures, you can protect yourself from this type of fraud.

To protect yourself against synthetic identity theft as a consumer, it's important to:

  • Regularly track and check your credit report.
  • Be aware of the type of information you're sharing online, and never input personal information like your SSN into shady websites.
  • Use identity theft protection software and services.
  • Regularly check your inbox for suspicious enrollment or payment emails.
  • Freeze your credit if you feel like your personal data has been stolen.

At an organizational level, companies should take a proactive approach to stop synthetic identity fraud by:

  • Implementing data security policies.
  • Running background checks on potential new employees.
  • Restricting access to vital information to only need-to-know employees.
  • Avoiding the use of SSNs to ID employees in computer databases.
  • Training staff about how to protect personal information.
  • Storing sensitive data in secure locations like locked cabinets and passcode-protected databases.

With these tips in mind, you can help ensure that your information remains safe and secure.

Remember, prevention is always better than cure. So make sure to take the right steps beforehand to help reduce the risk of you becoming a victim of synthetic identity theft down the line.