Synthetic identity fraud, in which an identity is created instead of stolen, has been around in some form for a long time. Estimates are that it produced over $6 billion in losses in 2016 alone. But as the security community has been able to successfully address other forms of cybercrime and fraud, synthetic identity fraud has become much more popular.

Synthetic identity fraud is uncommon in that it requires both a long-term view and long-term expenditures—often for years—before the identity can be exploited. But the crime is also very difficult to detect. In fact, it is impossible to know how many “busted out” identities still exist, inactive and tagged with an abysmal credit rating. 

The crime begins with a social security number. It is often a child’s, but criminals can also simply make up a number. The rest of the identity will consist of a mix of stolen and made-up PII (personally identifiable information) and a “home” address controlled by the criminal. 

The SSN should have no credit history attached to it. The criminal sets about building one. The simplest way to do this is to apply for—and get rejected by—credit cards. This will establish a credit history. Eventually they will get a card with a very low limit. Then they diligently work to improve the credit rating and increase card limits. Some pay credit repair agencies and for-profit “credit piggybackers” to hasten that process. 

Eventually, perhaps after years, the criminal will “bust out” the identity, running all the cards up to their limit and walking away from the identity. 

A developed synthetic identity can also be assumed by a real person, for instance an undocumented immigrant or even someone who wants a better credit score. 

Any company that doesn’t employ in-person verification at some point is vulnerable to this type of fraud. It is difficult to detect because there is no way (yet) for companies to verify SSNs with the government. Another is that SSNs have been randomized since 2011 and are no longer correlated to date or place of birth. Security programs lost those critical verification factors. 

For consumers, once the issue shows up on your credit report it is too late. But you may want to freeze your children’s credit score (if that is allowed in your state). Companies have the larger challenge, but a sophisticated verification system that looks at depth and consistency of PII will help.