Synthetic Identities: A Financial Crisis in the Making

Financial firms, especially those that service loans in the automotive industry, are facing increasing fraud based on synthetic identities, researchers are warning. Cybercriminals are increasingly constructing better profiles using their access to detailed data culled from numerous breaches.

The total financial risk for financial lenders in the United States rose to $3.3 billion in 2024, up from $1.9 billion in 2020, driven by a concentration of fraud leveled against lenders in the automotive sector, according to an analysis published by credit bureau TransUnion this week. Overall, synthetic identities are being used for upto 1% of transactions, depending on the type of financial product — credit cards or auto loans, for example, the company said.

Credit agencies serving lenders are in a race to make use of the best data to foil fraudsters’ schemes, says Brad Daughdrill, TransUnion’s vice president of data science and head of global fraud analytics.

“It is an arms race,” he says. “Better data and more data are not bad things, but — on the surface — it’s not going to be entirely sufficient. It’s how you use that data, both from an information service provider as well as ultimately the lenders in any of the industries, that allows you to stay ahead of them.”

Related:Chinese Hackers Allegedly Pose as US Lawmaker

The financial industry is the most-targeted for synthetic identity fraud, with cryptocurrency fraud accounting for nearly 10% of it, the lending industry taking the No. 2 spot at about 5%, followed by traditional banks, also near 5%, according to cybersecurity firm Entrust’s “2025 Identity Fraud Report.” More broadly though, synthetic identities are a growing threat for every industry sector. Software makers and the technology industry have had to contend with North Korean operatives posing as international IT workers, for instance, and deepfakes and synthetic identities often form the foundation of the schemes.

The estimate impact of synthetic identity fraud on lenders has grown since the pandemic to $3.3 billion. Source: TransUnion

And fraudsters are not just stealing and creating individual identities, but also taking on the identities of businesses, says Jackie Wylie, spokeswoman for Middesk, a business identity platform.

“As more banking, payments, and credit processes move online, fraudsters have shifted towards more sophisticated, longer-play schemes,” she says. “Synthetic business identity fraud often means combining real or fabricated business details to form a business entity that doesn’t exist or is controlled by fraudsters … [or] ‘piggybacking’ on real but dormant companies.”

Cybercriminals Turn to the Long Con

Fraudsters are also gaining experience in how to extract the most value from the synthetic identities. Now, a common tactic involves fraudsters “nurturing” their synthetic accounts by making legitimate payments for a period of time to build a positive credit history, says TransUnion’s Daughdrill.

Related:SentinelOne Announces Plans to Acquire Observo AI

When institutions extend credit to customers with a credit history light on details, they are going to start small, he says.

“They might get access to $500 or something like that, and then the fraudsters have a decision make: ‘Do I want to weaponize on $500 or do I want to make minimum payments, get my credit score up and maybe get access over a period of time to tens of thousands of dollars?'” he says.

To detect these long cons, credit bureaus have to dive deeper into available data to determine those identities that pose the most risk. The details can make a big difference: 39% of synthetic identities are linked to no relatives, which is about 5.2 times higher than the real population, according to TransUnion.

These relationships can be the best signals to determine what is real and what is not, Daughdrill says. Seeing that an applicant has a car and a speeding ticket, for example, can be a good sign that they are a real person, he says.

“It doesn’t benefit the fraudster to go purchase a car and then go drive dangerously down the freeway,” he says. “But the fact that [the applicant] has done that in his day-to-day actually makes us a lot more confident that their identity is legit.”

Related:Embracing the Next Generation of Cybersecurity Talent

Identity in the Age of AI

It should be said that accessing more data for vetting applicants is not a surefire solution, because cybercriminals are collecting more data as well, making their synthetic profiles more difficult to detect. The credit agencies and other identity-security firms have to race to build better systems to detect the fraudsters, says TransUnion’s Daughdrill.

“They are using the same tools that we are using to create a better mouse trap to catch these fraudsters — they can go to the cloud, and they can go use an AI model, and then they have access to the same tooling that we do from a key-capability standpoint,” he says.

While it’ a an arms race, synthetic identities are usually flawed reflections of reality. Detecting those flaws is an attainable goal, says Middesk’s Wylie.

“Attackers are skilled, but adaptive risk models, ongoing monitoring, and richer data sources are dramatically raising the bar,” she says. “Continuous innovation is essential. In short: it’s never ‘solved,’ but the right investments tilt the balance in favor of defenders.”