Identity Theft & Synthetic Identity Fraud: The Blurring the Boundary Between Real and Fake

Identity theft has long been one of the most prevalent forms of financial fraud. But today’s threat goes beyond stolen names and Social Security numbers. Increasingly, attackers are fabricating identities from scratch—blending real and fake information to create entirely new personas. This evolution, known as synthetic identity fraud, is one of the fastest-growing and hardest-to-detect forms of financial crime.

For banks, credit unions and fintechs, the implications are clear: your next high-risk applicant might not be a criminal using someone else’s identity—but someone who doesn’t exist at all.

The Two Faces of Identity-Based Fraud

Traditional identity theft involves the unauthorized use of another person’s personal information—Social Security numbers, account credentials or government-issued IDs. This is typically used to open new accounts, access existing funds or commit account takeover fraud.

Synthetic identity fraud is more nuanced. Fraudsters stitch together information—sometimes a real SSN belonging to a child or deceased person, combined with a fake name, date of birth or address—to build an entirely new credit profile. These synthetic identities are often nurtured over time, applying for small credit lines or banking products to appear trustworthy, before “busting out” with high-value transactions and disappearing.

Because synthetic identities don’t map to real victims, the fraud often goes undetected until it’s too late, and rarely results in customer complaints or fraud alerts.

Why Detection Remains Difficult

Detecting synthetic identity fraud is challenging because the fabricated identities can pass standard onboarding checks. Many credit bureaus, if they see consistent data over time, will generate credit files for synthetic identities, which then appear legitimate to lenders and banks.

Likewise, identity theft schemes increasingly use high-quality counterfeit documents that match stolen personal data. Fraudsters may present a driver’s license or passport card bearing their own image but the victim’s name and credentials. With enough supporting information, they may also pass knowledge-based authentication checks.

Account takeovers, another major form of identity-based fraud, often begin with compromised credentials obtained through phishing or data breaches. Fraudsters bypass passwords and security questions, and even intercept one-time passcodes via SIM swap attacks or social engineering. From the institution’s perspective, it may look like the legitimate customer is logging in and transacting.

Key Red Flags for Financial Institutions

Detecting identity fraud requires combining data from multiple sources and looking for inconsistencies that signal risk. For example:

• Mismatched data: An applicant’s phone number or address doesn’t align with known public records.
• New or “thin” credit files: A profile appears with minimal history, yet the applicant requests high limits or credit.
• Rapid behavior shifts: A dormant or low-use account suddenly sees high transaction volume, contact information changes or login attempts from unfamiliar devices or geographies.
• Failed authentication patterns: Repeated failed attempts to answer security questions or pass multifactor authentication occurs, followed by a successful login and attempted withdrawal.

Behavioral red flags observed in person can also provide valuable insights. Customers who avoid eye contact, get defensive when asked for ID or fail to answer basic account questions may be attempting impersonation.

The Regulatory Landscape and Industry Response

Regulators have long recognized the threat posed by identity theft and synthetic identities. Under the Fair Credit Reporting Act, the “Red Flags Rule” requires financial institutions to maintain an Identity Theft Prevention Program, including processes for detecting and responding to suspicious patterns.

More recently, regulators have emphasized strengthening digital identity verification. The FFIEC’s updated guidance on authentication in digital banking warns against overreliance on SMS-based MFA and urges adoption of more secure controls, including biometrics, device profiling and out-of-band verification.

In April 2024, FinCEN issued a notice highlighting the use of counterfeit passport cards in identity theft schemes, including 17 specific red flags to help institutions detect impersonation at the branch level.

Meanwhile, collaboration across sectors is increasing. Banks, credit bureaus and fintechs are leveraging shared data models to identify synthetic identities, including real-time SSN validation through the SSA’s Consent Based SSN Verification service. In parallel, the telecom industry has implemented STIR/SHAKEN protocols to reduce spoofed calls and SIM swap fraud.

NICE Actimize: Detecting Identity Risk from Day One

NICE Actimize provides a layered, risk-based approach to identity fraud detection—from account onboarding through post-login activity. Our solutions analyze behavioral patterns, device signals and cross-channel data to flag identity inconsistencies in real time.

We help institutions detect synthetic identities early, identify account takeover attempts before transactions occur and comply with regulatory expectations through integrated red flag monitoring and SAR generation.