I was in Wilmington, Delaware at an industry conference speaking about credit card rewards. There were several interesting speakers and some of it is worth sharing beyond inside baseball card issuer audiences.
One of those things was a talk by Steve Lenderman, Fraud Operations Lead for Paypal, who talked about how people commit fraud against financial institutions. It matters even for people who aren’t committing fraud because behaviors undertaken by bad actors look suspicious when they’re legitimately undertaken by the rest of us.
Fraudsters create synthetic identities and it’s easier to do it than most people would imagine.
They’re creating a person financially or digitally that doesn’t exist, new identifies using a combination of real data and fabricated information.
- Social security numbers are easy for people who know what they’re doing. Prior to 2008 social security numbers weren’t randomized, and there’s still an algorithm used to create these numbers.
- Social security numbers that get targeted most are ones infrequently used — those of children and the elderly — he recommends freezing the credit file of your children.
- Everyone’s data is out there. Using social security numbers, dates of birth, and mother’s middle name for validation has become worthless, after the Equifax breach but even before.
Here’s how a phantom borrower is born. The scammer creates their fake identity, gets a fake ID and decides what social security number to use. They go into a store, say Target, and they’re offered a credit card at checkout. The clerk at the store isn’t looking for fraud, they’re incentivized for getting the application.
- Applying creates a credit file.
- They’re probably turned down for credit.
- They go back 2 or 3 times to different issuers and do that again. Now there’s more data in the file.
- Eventually a bank will approve with a small limit. That bank has a limited risk (because of the small limit) but the ‘person’ now exists.
There are super easy cards to get with $500 limits. Then that person gets marketed to for more cards.
The identity itself is worth more than the credit lines, so they don’t go spend the $500. Their credit lines increase as bills get paid.
The ‘person’ is able to apply for credit, open deposit accounts, purchase insurance policies, enroll in medical benefits, and obtain drivers licenses and passports.
- The process gets sped up through authorized users. They’ll pay to be added to an existing real account as an authorized user. They use credit repair services which are viewed as ‘legalized brokers’.
- When these new authorized user accounts report to credit bureau, they can improve the FICO score. It’s not uncommon to see accounts with 70 or more authorized users because people are selling their authorized user additions.
- Every 10-21 days (depending on the speed of reporting) FICO scores will jump 30-60 points. So they sit on it for six months and they’ve got a 750 score. Then the authorized users start to become primary cardholders. Someone that’s an authorized user on 70-80 accounts is a future credit risk, having 10 or more authorized users on your own cards is a fraud flag.
Large banks are bigger targets than small credit unions, it’s easier to hide within millions of customers. 85% of identity theft is tied to synthetics. There’s $355 million in outstanding credit card balances owed by people that don’t exist (and this is up eight-fold over the last 5 years).
There are 6 million new credit files each year with little or no data/history. There are 20 million valid identities with overlapping social security numbers. There is no person victim to report the fraud, no real person to inquire of for collections. Most of this is treated as a credit loss and charged off.
These synthetic identities apply to rewards accounts, too. They stick it to the bank for the transactions and earn rewards doing it.
Customers do payment kiting between accounts. They take their $10,000 card, buy $10,000 worth of stuff at Macy’s, and send in a $20k payment from a checking account with $50 in it. Now they have more credit to spend at the store the next day, before the $20,000 payment bounces. This is one reason banks may flag mid-cycle payments.
There are also merchant rings that ‘cut out the middle man’ of Macy’s or Best Buy. The merchant runs a $10,000 charge and writes a check back to the cardholder for the net (mins merchant fees). Or they use fictitious merchants — it’s easy to become a small merchant with credit card processing.
Credit repair services can be used to preserve synthetic identities taking advantage of the ability to dispute inaccuracies on a credit bureau. Some institutions can’t manage to complete their investigation and respond within 30 days and so negative items come off a report. People will dispute the same items over and over until the institution fails to respond in time.
Ultimately credit reports that look like reports which have been used for fraud in the past get flagged.