By Ian Gray
As losses directly attributable to synthetic identity theft mount, it’s inevitable that we will see it leveraged for business fraud.
For those unfamiliar, synthetic identity theft—also known in some circles as ghost profiles—is the process by which fraudsters create a fictitious identity using real and contrived personal information in order to defraud banks, retailers, government services, or individual consumers.
Unlike traditional identity theft, fraudsters do not assume the identity of an existing individual and run up debt on their behalf. Instead, they leverage gaps in a number of critical financial systems, such as the credit reporting system, or exploit lax Know Your Customer (KYC) customer verification processes that enable the creation of synthetic identities. Such fraud is low and slow, because the fraudster will cultivate these identities by establishing and nurturing credit lines with the aim of eventually cashing out, which is also known as busting out.
The next logical step in this process can lead to business fraud. Specifically, this would involve creating and incorporating shell companies in order to apply for greater business lines of credit, enabling a riskier but more lucrative bust-out in the end. These shell companies would be populated by multiple synthetic employees, each of whom could be eligible for individual lines of credit. These schemes may run longer than a year depending on the threat actor’s skill level in building and maintaining lines of credit before they cash out.
Synthetic Fraud, Significant Losses
This is worrisome, because loss estimates related to this type of fraud can climb from the tens of millions to hundreds of millions of dollars. The threat of losses attributable to synthetic identity fraud is not limited to the private sector; government agencies that pay out benefits, such as Medicare, Medicaid, or nutrition-assistance programs, could also be victimized by this threat and stand to lose hundreds of millions of dollars.
A 2017 GAO report entitled “Combatting Synthetic Identity Fraud” also expressed concern over potential national security threats related to the use of synthetic identities. For now, most of the risk centers on fraud. Much of the information required to cobble together synthetic identities is readily available in illicit communities. Names, addresses, and dates of birth are staples of countless data breaches and data dumps, and can be purchased for relatively little money.
Social Security Numbers are also available on the deep and dark web (DDW), but they present a challenge, forcing criminals to try a number of strategies, such as using stolen SSNs belonging to adolescents, the incarcerated, or elderly people who are less likely to have active credit profiles. It’s unknown how criminals come into possession of, for example, unassigned numbers created by the Social Security Administration. After 2011, the Social Security Administration began randomizing numbers, eliminating cues in the identifiers that hinted at a person’s geographic location, and began using previously unassigned area numbers for assignment.
Threat actors ideally want personal information from individuals who have high credit lines, no criminal history, and no history of litigation. Geographic location is another indicator for fraudsters; information belonging to residents of rural areas, for example, may provide flexibility in creating an additional piece of identification. Most of this information can be gleaned from online background-check services. These services also can be foundational for creating a credit report and bank accounts using fraudulent identities, which is the last step before converting this activity to business fraud.
High Risk, High Reward
Business fraud is a complex and long-term cash-out scheme with higher risks and higher rewards for fraudsters. What makes it a low-and-slow proposition is the work required to build a synthetic profile for the business, starting with establishing the fraudulent company, applying for business lines of credit, and building a credit history through trade lines (credit activity sent to a reporting agency). Fraudsters may also obtain additional retail credit in order to buy business equipment, such as laptops and smartphones, and create merchant accounts in order to build trust through payment processors.
Similar to synthetic identity fraud, business fraud requires several pieces of information that rely on DDW and surface-web services, including an Employer Identification Number (EIN), which is issued by the Internal Revenue Service (IRS), and is one of the most difficult pieces of information to obtain.
Businesses also need a public face, even synthetic businesses. That means websites, forms of payment, and mail drops must be established before a synthetic business can begin applying for business lines of credit and checking accounts.
The aim is to cash out by stopping all payments on synthetic individual and business accounts, maxing out available credit, and liquidating available funds.
Assessment
Synthetic identity theft requires multiple pieces of information and maintaining lines of credit, which could possibly lower the likelihood of success. While several threat actors sell guides and provide guidance on creating synthetic identities, it appears most threat actors would prefer to purchase this information. Flashpoint analysts assess with high confidence that synthetic identity theft, and the more complex and long-term scheme of business fraud, will likely continue to be carried out by sophisticated threat actors willing to devote the time needed to create and maintain various lines of credit and to understand the measures necessary to avoid fraud detection.