The Real Victim of Synthetic Identity Fraud is All of Us

Most of us have heard of identity theft. A criminal gets your information and uses it to access your accounts, your credit, and your money. It can be devastating to an individual. But because we know about this crime, there are processes in place to deal with it. It’s hard to recover, but not impossible. But with synthetic identity fraud, criminals don’t steal just one person’s identity. Instead, they use bits and pieces of data to create a new, completely fake person to commit their crime. There’s nobody behind that identity, and so nobody to report it. So there isn’t just one victim – the real victim is all of us.
See Fraud is Not Going Away with Steve Lenderman for a complete transcript of the Easy Prey podcast episode.
Steve Lenderman is a certified fraud examiner and the Head of Fraud Solutions for North America at Quantexa, a data-driven anti-fraud company. He has more than twenty-five years experience working on financial fraud and fintech with large payroll and peer-to-peer clients. While he started his career working in the credit card industry, he has been working on fraud, mostly synthetic identity fraud, for the past two decades. Now, he is considered an industry expert on synthetic identities.
Fraud wasn’t Steve’s first career choice. Through college, he wanted to be in law enforcement, specifically a state trooper. But then he realized that for the first few years of that career, he would be stationed far away and work every night and weekend. So he decided to go into banking instead. He stumbled into fraud from there and found it fascinating. Nearly three decades on, it’s been a great career and he wouldn’t change it for the world.
Consider Careers in Fighting Fraud
One of the things that Steve does now is trying to get people involved in anti-fraud career paths. There are plenty of career opportunities in cybersecurity, fraud, financial crimes, anti-money laundering, and more. Law enforcement and fraud investigations need more people in career paths that take them through university and learning about tech so they can fight these tech-based crimes.
I always say there are two things that are never going away: Fraud or funerals.
Steve Lenderman
If this is something you’re interested in, a college diploma isn’t required, but it is highly recommended. Criminal justice or anything mathematical or analytical would be great. Cybersecurity degrees are good too, but that often leads to a slightly different career path.
Like many jobs, the degree often isn’t as important as what you learn outside of school. Most fraud stuff is best learned by being involved and seeing things firsthand. It’s not impossible to do that in a university setting, but it’s hard. Steve got a degree in criminal justice, and while he would absolutely do it again, he’s used very little of his degree in his day-to-day job.
Street knowledge and things like webinars, conferences, and professional associations will take you a long way. ACFE, IAFCI, and ACAMS are all certifications that touch on fraud and will help advance your career. If Steve were to do one career-related thing differently, he would have gotten certifications earlier.
What Is Synthetic Identity Fraud?
If you think of yourself, you have an identity. That identity has a lot of different aspects. There is your physical identity, which includes things like your eye color, hair color, height, weight, shoe size, and all of that. These are physical attributes that can be converted to a data set that identifies you. There are other data sets, too. Your device use data, your social media, your browsing information, your financial data, your medical records, all of these are data sets that identify you.

Most of synthetic identity fraud is built around financial data. COVID-19 accelerated this, but the days of walking into a bank branch to open an account are nearly over. Even with bigger banks, you probably don’t get a new Citibank or Bank of America card by walking into a branch. You probably applied online, maybe talked to someone over the phone, and got your new card in the mail.
Every financial move you make is part of your financial identity. That’s what synthetic identity fraud used to be about. It used to take bits and pieces of financial data from different people and assemble them together. Name, birthday, social security number (which was never supposed to be a financial identifier in the first place), credit score, addresses, device data, age – there are hundreds of different characteristics. Criminals assemble bits of this data from different people to create a financial identity out of nothing.
Synthetic identities manipulate those data sets, and I can create this identity from thin air.
Steve Lenderman
Why Create Synthetic Identities?
This may seem like a lot of work for a criminal to go through just to create a new identity. But once they have that financial identity created, they can use it to commit crimes and get a lot of money. In the past, synthetic identity fraud has mostly revolved around financial services. It’s starting to branch into more areas now, but it still comes down to money.
When a criminal creates a synthetic financial identity, they now have a whole person they can pretend to be who has great credit. Now they can commit fraud by taking out loans they don’t intend to pay back, maxing out a credit card and never paying the bill, and similar things. And because this identity doesn’t actually belong to anyone, there’s technically no victim to the crime.
If someone were to steal Steve’s identity, eventually he’d find out that something was wrong. Then he could report it to the financial institutions and the credit bureaus. They all have processes for identity theft and could deal with it. But a synthetic identity doesn’t belong to anyone. There’s no one to report it. In the end, the one to lose money is the bank because there’s nobody behind that identity to collect from. Most synthetic identity fraud ends up going to collections and then being written off.
Why Consumers Should Care About Synthetic Identity Fraud
With synthetic identity fraud, there’s no individual victim. The entity that loses money is the bank, because they provided loans to a person who doesn’t exist. So as a consumer, why should you care?
The short answer is that banks, like any big company, aren’t just going to sit back and accept those losses. Losses to synthetic identity fraud can run into the hundreds of thousands or even millions. They’re not going to take that loss. Instead, they pass it on to their customers through things like higher fees and higher interest rates.
When the banks take the loss … that loss is passed on to the consumer. They’re never going to eat that as a loss to them.
Steve Lenderman
All fraud is under-reported. But synthetic identity fraud is especially under-reported because there’s no real victim. No one can come forward and say their identity was stolen, so it’s on the banks to identify synthetic identity fraud from their own data. Initial reports suggest that between 10% and 20% of losses from uncollectable debt is probably synthetic identity fraud. That doesn’t even include other types of fraud that are being written off. And for all of those fraud-based write-offs, the consumers are paying through a whole variety of ways. That’s why you should care – synthetic identity fraud is costing you money!
Take these different elements of fraud, add them all up, and then you and I are paying for it.
Steve Lenderman
Banks and Synthetic Identity Fraud
A big challenge for banks and financial organizations when it comes to reporting synthetic identity fraud is that it grows and manifests from a credit perspective. And there are different techniques to do it. Say a synthetic identity applies for and gets a credit card, then maxes it out. Some fraudsters just walk away and leave the bank out a few thousand dollars from that credit card. Others put in more effort. They move money around, age the accounts, and get the limits increased as much as they can. Then when they take the money and run, the banks lose much more.
Most of what we’re seeing in terms of reporting this fraud is from charge-offs against the credit bureau. Synthetic identities have credit scores too, and eventually that score gets so low that the identity is useless to get new credit, so they abandon it. There’s some reporting around that. But the issue comes down to there’s no consumer victim.
Banks had a lot of issues in the early 2000s shutting down synthetic accounts. They knew they were synthetic, but because there was no victim and no fraud claim, they didn’t have a valid reason to shut it down. Banks have regulatory, privacy, and legal controls around what they can do. Taking action against fraud requires it to fit into the fraud typology that limits what they can do. But there’s not a typology for synthetic identity fraud. Opening an account with the intention of stealing money is fraud, but because there’s no one to claim fraud, there are limits to what they can do.
It Isn’t Just Financial
The financial aspects of synthetic identity fraud are the most talked about. This isn’t a new problem – synthetic identities have been around for two decades. But it’s not just a financial concern. Immigration, trafficking, credit, politics, and even more are involved. Synthetic identities are useful for committing fraud across the whole spectrum of fraud.
Synthetic identities tie into all those types of fraud that are out there.
Steve Lenderman
People also don’t know how to deal with it quite yet. When Steve first started working on it in the late 1990s, banks hadn’t even identified it yet. They knew something was weird, but they weren’t sure how to make it make sense. After a few years, they started talking about it and bringing in the credit unions. They formed the Bust Out Synthetic Identity (BOSI) working group, which Steve currently co-chairs and has been working on synthetic identity fraud for twenty years now. But they still don’t quite know what to do with it yet.
And synthetic identities are moving into other industries like insurance or healthcare that don’t know this type of fraud exists. The financial identities can be really good – criminals often put in the work to age them and make them look as legitimate as possible. Now they’re moving into new and unsuspecting industries. It’s like wonderland for the criminals.
Who Creates Synthetic Identities
There’s been a significant change in who is committing synthetic identity fraud over the past twenty years. In the early 2000s, it was typically one or two people managing just a few identities. If someone had fifty synthetic identities, they were considered really good at it. Creating synthetic identities was a lot of work back then.
Then it got a little more gang-related as organized crime started getting into synthetic identities. Especially in the Eastern Bloc, the usual hackers started creating synthetic identities to help with their cimes. People still didn’t have a lot of them. You had to get on the dark web to find the trade secrets and learn how to do it.
In the last few years, though, the threat landscape has changed significantly. People have moved to large-scale synthetic identities. Steve has seen nation-states creating synthetic identities in target environments, even in their own homelands. One particular nation-state created at least 40,000 of them, likely for both financial gain and political influence.

Steve has created many of his own synthetic identities. In the past, it took weeks or months to create one. Last month, he used an AI tool to create a synthetic identity in seven minutes. These days, any idiot can create one. Anyone you see on social media selling you credit repair is really selling you a synthetic identity, and it’s fraud. But because they can do it, they’re now calling these fake identities things like “Consumer Protection Numbers” and offering them as a service. Consumers beware!
Every one of those people selling you credit repair is selling you a synthetic identity … and it is fraud.
Steve Lenderman
Big Banks Are At Lower Risk
It’s challenging to identify synthetic identity fraud. Synthetics are all built around data, and the tech has gotten good in the last few years. Big banks are built around data. They have the data itself as well as data scientists and data architecture teams. They have the people and data to identify this type of fraud.
What concerns Steve is that when you put your finger in one hole in the levee, it finds another way out. The path of least resistance for criminals isn’t the bigger or midsize banks, because they’re well-protected. It’s the smaller and regional banks that are in trouble. A small credit union doesn’t have the resources, and when they start to expand outside their geographic area, they and their customers are exposed. Fintech companies and online-only banks have the same problems.
Bad guys have also figured out how to use synthetic identity fraud in other industries. Insurance fraud has been around as long as insurance has. But in the past, it was always people faking accidents, doing damage on purpose, or exaggerating injuries or damages. With synthetic identities, you can commit insurance fraud by submitting fake claims. Or you can get life insurance on a synthetic identity and then have the synthetic identity die. There’s also much less friction with other industries because they haven’t been working on synthetic identity fraud as long as banks. It’s often much easier to do fraud with synthetics than with real people.
It’s so much easier to do [fraud] with synthetics than it is with real people. That’s the shift that really scares me.
Steve Lenderman
The Future of Synthetic Identity Fraud
Technology has really helped make it easier for criminals to create synthetic identities. But it will also help companies look at the data. Before, examining debt defaults was a manual process. Now you can throw all that data at an AI and it can find discrepancies faster and easier.
The ease of use and scalability of synthetic identities is a big concern for Steve. Most synthetic identities don’t have voices, faces, or physical attributes right now. But the next trend is going to be deep fakes. If criminals can create voices and faces for their synthetic identities, they can actually get on camera and “prove” they are who they say they are. This can get these fake identities past the “liveliness checks” a lot of banks do to try to avoid fraud.
Synthetic identity fraud and the checks against it will continue to evolve. The next phase of things could be something as interesting as avatar banking, where you do your banking in a virtual bank with a virtual teller. If a criminal creates an avatar for a synthetic identity, they could bank in the virtual world with nothing there physically. It could get interesting very quickly.
An Expert’s Advice on Synthetic Identity Fraud
Steve’s top advice to consumers is to freeze everyone’s credit. A lot of synthetic identities are created from existing identities, especially children, the elderly, and deceased people. If you’re a parent of a child under eighteen, freeze their credit. It’s a no-brainer. If you have aging parents, chances are good they don’t need credit anymore. Freeze their credit too – they often have good scores that criminals would love to use.
If you are a small business owner, you’re at more risk. Consumer fraud protections don’t apply to you. You have to eat any losses, and many small businesses can’t survive that. Slow down, do your homework, and be very careful about what you’re dealing with. What are the chances that this random customer will want 10,000 widgets on net 30 payment terms? The first question you should ask yourself is, is this thing even real? After that, work on determining if they are who they say they are.
For banks, most big and mid-level banks are pretty well protected. It’s the credit unions, fintech companies, and similar smaller or newer organizations that are exposed. One or two synthetic losses could legitimately put them out of business.
The biggest piece of advice that Steve gives, to everyone, is that it’s coming. Synthetic identity fraud isn’t a matter of “if” – it’s a matter of “when.”
It’s not a matter of “if,” it’s really “when.”
Steve Lenderman
Connect with Steve Lenderman on LinkedIn. If you are interested in joining the BOSI working group, reach out – it’s free and they share a lot of great information.
Related Articles
- All
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
- Uncategorized
Education and Communication are Key to Business Cybersecurity
The landscape of both technology and cyber threats is constantly changing. That means that cybersecurity and business…
[Read More]Money Lender “Dave” is In Hot Water with the FTC and DOJ. Scam or False Advertising?
Money-lender Dave does the one thing that all scammers do: It lied to its target through its...
[Read More]Passkey Security is the Future of Account Access
Phishing and account breaches have been a problem for years, and it’s not going away. In fact,…
[Read More]A Cybersecurity Framework for Protecting What Matters
The world of online threats is ever-changing. Sophisticated phishing, AI-powered attacks, and more are making it ever…
[Read More]There’s No Such Thing as a Safe Account
You get a call from your bank’s fraud department. There’s been fraud on your account – a…
[Read More]What to Do if a Loved One Lost Money to a Scammer
Scams and scammers are everywhere. Even if you haven’t personally been caught in a scam, you probably…
[Read More]