Posted by Brian Monroe - bmonroe@acfcs.org 08/17/2022
FVW Snapshot: In flurry of fraud, synthetic IDs rising, swarming from digital data graveyard
In this picture, a synthetic identity bursts open, revealing its true evil form: a zombie in disguise hungering for monetary sustenance.
The skinny:
- A cornucopia of fraud themes, schemes and scams are exploding across the world – particularly from foreigners targeting countries like the United States – and more often than not, when fraudsters try to get that money, those funds could be originating or flowing through your institution.
- That is just one of key takeaways from ACFCS’ Third Annual Fincrime Virtual Week (FCW), which took place earlier this month, with the overarching themes of exploration, discovery and questing for a better future in fighting all forms of financial crime and bolstering compliance.
- Our sci-fi theme for this year’s FVW event is actually rather appropriate as one of the most insidious frauds is the stuff of nightmares, akin to a scene from the Walking Dead: synthetic identity frauds. Whether these zombie identities are real or not, they are hungry for more than brains: they are working to steal money from banks, individuals, the government and anything else they can get their clammy hands on.
A cornucopia of fraud themes, schemes and scams are exploding across the world – particularly from foreigners targeting countries like the United States – and more often than not, when fraudsters try to get that money, those funds could be originating or flowing through your institution.
That is just one of key takeaways from ACFCS’ Third Annual Fincrime Virtual Week (FCW), which took place earlier this month, with the overarching themes of exploration, discovery and questing for a better future in fighting all forms of financial crime and bolstering compliance.
More than 4,000 fincrime compliance professionals attended the event, including current and former top government and investigative officials from the United States, Europe, Canada and Latin America.
Attendees learned important lessons from speakers at the U.S. Treasury, Internal Revenue Service Criminal Investigations, U.S. Department of Justice and its recently-formed KleptoCapture Task Force, the Department of Homeland Security and the former head of the Paris-based Financial Action Task Force, David Lewis.
Some of the issues highlighted by these speakers included how governments around the globe are working to boost corporate transparency – including the U.S. with its Corporate Transparency Act and pending ENABLERS Act legislation – and close longstanding regulatory gaps, while encouraging innovation in tech and human training.
The panelists also echoed refrains from prior events, such as the need to engage in and expand on public-private partnerships – between banks and each other, banks and virtual exchanges, banks and money services businesses and banks and law enforcement.
So why the topic of fraud, a perennial plague, and why now?
With rampant identity theft and fraudsters adapting to pandemic challenges, it has become even more critical for financial institutions to better detect and stop fraud, to better protect their customers and themselves – and be more in line with recently-released national fincrime compliance priorities.
But first just a quick bit of context.
Fraud has been soaring for many reasons, in part fueled by the fear, loneliness and anxiety of living through two years of a global pandemic.
Criminals in that time have become more adept at using love as a weapon in romance scams. They have played on the financial desperation, or greed and avarice, in the human heart with foreign lottery schemes.
Our sci-fi theme for this year’s FVW event is actually rather appropriate as one of the most insidious frauds is the stuff of nightmares, akin to a scene from the Walking Dead: synthetic identity frauds.
Whether these zombie identities are real or not, they are hungry for more than brains: they are working to steal money from banks, individuals, the government and anything else they can get their clammy hands on.
The goal of synthetic ID fraud: not real, but real enough, to make real money
But you might be asking why?
The goal is to make a you, or more accurately a version of you, that is completely controlled by criminal and fraud syndicates.
With the actual you, bad guys could steal money from your bank account or max out your credit cards, maybe making a few thousand dollars.
And that’s about it.
But with a synthetic version of you, they can use that identity to make loans at multiple banks for houses or cars or open dozens of credit cards, maximizing your illicit finance potential into the hundreds of thousands of dollars – or more.
They can apply for state unemployment or government assistance – in more than one state.
In one anecdotal example, a panelist noted that fraudsters used a synthetic identity more than 5,000 times – a dread duplicant that, like the T-800 model android in the original “Terminator” movie, has one singular purpose: to take out its intended target.
It doesn’t eat. It doesn’t sleep. It has no conscience. It feels no empathy or sympathy for stealing from a bank – or any other entity.
The target in this case: not Sarah Connor, but her money or data.
Massive hacks against companies and governments around the world have made it easier than ever for criminals to dig up this digital identity graveyard and create monsters they command.
To help the fincrime compliance community better understand the rising scourge of synthetic ID fraud, we have compiled information from panels at this year’s FVW in a question-and-answer format to quickly detail some of the key challenges and offer practical tips and tricks to uncover them during the anti-money laundering process.
Question: What is a synthetic identity? How do criminals create them and why?
Answer: Why do bad guys do this? To make a version of you that will do what they want, making them rich while, in too many instances, leaving you, the innocent victim, paying the price.
Synthetic ID Fraud is a fraud that involves the creation of a fictitious identity or entities using real and fake information.
Some have called it Zombie fraud or Frankenstein fraud.
Fraudsters in some cases target or make use of IDs using Social Security Numbers that are not actively used, like senior citizens, children, foreign nationals new to the country, those in prison and the deceased.
Simply put, these scammers target individuals with a blank slate when it comes to credit, or who haven’t requested loans or government funds for some time.
Or they create a fully fictitious identity using some of these details to open accounts.
They then use these individuals’ information – Social Security, pictures, home addresses – to apply for as many loans and public and private funding sources as possible.
In some cases, the scammers let the accounts “simmer” and engage in relatively normal transactional account behavior before they “bust out” the scam and max out available credit cards and lending limits.
Often, these schemes only come to light when investigators start querying innocent victims – thinking they were the masterminds.
In other instances, the “victim” doesn’t exist and was an illusory creation of the fraudster.
Q: Is there any kind of regulatory or legal definition of a “synthetic identity” I can refer to, to help spread the word about this kind of crime to my AML, fraud and cyber teams – maybe even my frontlne?
A: The Federal Trade Commission defined it in 2021 as “the use of a combination of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain,” a definition used by many local and federal law enforcement agencies when investigating and prosecuting such crimes.
Q: There are so many flavors of fraud for banks, regulators and investigators to worry about, whether it is healthcare fraud, securities fraud, romance scams, elder abuse and more. How big a deal is “synthetic ID fraud?”
A: According to media reports, government statements and our own analyses and conversations with our vendor and banking partners, synthetic identity fraud schemes have soared in recent years.
One published estimate went so far as to say it has become the largest form of identity theft in the nation, putting losses at an estimated $20 billion in 2020, more than three times the estimate of $6 billion released by the Federal Reserve just five years ago.
Q: Does this rise in scammers using synthetic IDs have anything to do with the coronavirus pandemic?
A: Yes, definitely.
Scammers created fake IDs, fake companies and even created fake companies stocked with dozens or hundreds of fake employees in a bid to take advantage of the Paycheck Protection Program.
Some, though, were not so bright.
Putting the company’s address as their home address – and then stating they were employing a hundred people in manufacturing. The home had three bedrooms.
The program was meant to help companies that saw a drop in business due to COVID-19 keep from having to lay off some or all of their employees.
But banks were under such intense pressure to approve these loans, many didn’t get adequate fraud, AML or credit risk assessments.
In addition to the Paycheck Protection Program rip-offs, fraudsters have used synthetic identities in many unemployment benefit scams.
The result: states have been left scrambling to try to recoup the improper payments.
Q: As a bank fraud or AML officer, how would I even know that one of my customers is being used as part of a synthetic ID scheme?
A: One example, such as when it comes to unemployment scam benefits, would see a shift in government payments away from some customers and funneling to other customers – which would be the accounts controlled by scammers.
One red flag is that a customer, all of a sudden, starts getting unemployment payments from more than one state.
But when you try to inquire about any of these supposed job histories, they don’t exist.
Q: What about now? I know that many states have slowed or even stopped unemployment benefits tied to the pandemic. What else can my compliance team do to better uncover if a customer is being victimized or an account is tied to a fraudster group using synthetic IDs?
A: One thing you can do is look for transactions to change, such as a considerable jump in payments into and out of the account – such as for someone who is supposedly young, like a college student or a retired pensioner – and see if the number of transactions or overall figures make sense.
For instance, these age groups most likely wouldn’t be getting massive loans for homes or luxury cars.
As well, look to what happens to these loan payments when they get into the account.
If the scheme is tied to a foreign fraudster group, then the money might go quickly to scam capitals of the world, like India, the Philippines, Thailand or Mexico.
If the fraud group is domestic, you might see payments move quickly into cryptocurrency or, if the scammers are impatient, big payments for expensive homes, luxury cars or exotic rentals in exotic international vacation destinations.
Something that someone in prison might be hard-pressed to do, though they would love it!
Q: Isn’t there anything I can do now to better tune my systems and train my teams to be on guard against the growing menace of synthetic ID frauds?
A: Yes, and we are already seeing some institutions do this.
One thing a fincrime compliance team can do is update and invert some of the protocols and algorithms for AML and fraud alerts generated by the transaction monitoring system.
For instance, even though a young person or college student would historically be considered low risk for financial crime, consider tweaking systems to generate alerts more tightly if transactions change from paying for books and Starbucks to buying crypto and thousands of dollars in gift cards.
The fraudsters are counting on a bank to look at their fake college student – they picked the age themselves – as a low-risk entity that will not get much scrutiny until multiple credit and fraud alerts have hit the account.
Similarly, your compliance team could consider updating the scrutiny and monitoring of transactions tied to customers older than 60 or 65, particularly if the account is rarely used and typically has few monthly transactions or an overall lower monthly account balance.
As a point of context, some criminal groups – whether the hackers stealing the information or the criminal and fraud groups buying stolen data on the dark web – are actively sifting through data and targeting more vulnerable seniors.
Why?
They are more likely to pick up a phone call, click on a link in an unexpected email and accidentally give up the personal details needed to create a synthetic, zombie version of themselves.
Q: What about the information sources themselves? Does it make it easier or harder for scammers to create synthetic identities with banks allowing the use of documentary and non-documentary sources to engage in AML customer identification and know-your-customer programs (CIP) and (KYC).
A: That is a great question. One trend we saw during the pandemic is the shift to the adoption of digital identities.
This is where a bank will open an account and offer loans and other services to someone fully online, without ever having a human walk into a branch.
This is something allowed and touched on in the FFIEC AML exam manual, noting that:
“Banks are not required to use nondocumentary methods to verify a customer’s identity. However, a bank using nondocumentary methods to verify a customer’s identity must have procedures that set forth the methods the bank uses.
“Nondocumentary methods may include contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.”
In short, this is kind of a mixed bag for fincrime teams when it comes to the fight against financial crime and particularly synthetic identities.
One the front end, onboarding customers digitally means many of the rote and time-consuming tasks of CIP, CDD and customer risk ranking can happen automatically.
The intended goal: that those unused compliance resources could be reallocated to the transaction monitoring, investigations or suspicious activity reporting teams.
The potential pitfall, however, is that the advanced analytics and artificial intelligence reviewing those digital customers is also used by criminal groups to create very lifelike, but completely fake, images.
Q: What about newer technologies that can make a scammer look and even sound like the customer? How can a compliance professional combat that?
This is true.
I am sure you have heard of “deepfakes” and other software that can make a fraudster look and sound like anyone they want – almost exactly.
There are even full sites like this-person-does-not-exist.com that shows the ease at which artificial intelligence and related tools can be used to generate completely fake, and very lifelike, images of faces – images that can be the face of a synthetic identity.
So while in some respects technology and digital identity adoption and lifecycle management can be an answer, it can also be no substitute for properly trained analysts and investigators who don’t take their digital faces at face value.
One trick fincrime fighters have recently found to better reveal someone using deepfake software: ask the person to turn their head.
Why?
The software is quite good at moving your mouth and eyes in real time when looking straight on, but turning your head to the side, that is an angle that typically doesn’t have as much coverage for the AI algorithms.
When a person turns to the side, typically the picture will get blurry or the nose will expand and elongate to something akin to the story of Pinocchio.
Q: What about the human side of the synthetic identity challenge? What can I do to better train my AML, fraud and cyber teams about this? As well, how can I help customers not get taken advantage of in the first place?
A: Look for overlapping physical or email addresses or P.O. boxes, hinting that one account could be tied to or manipulating other business or personal accounts.
Look for accounts with little activity or nearly dormant having a surge of transactions in multiple areas at once, maxed credit cards, big loans, creating and cashing of checks, big ATM withdrawals and big wires to fraud hot spots.
Seek due diligence in enhanced credit — Taking a page from anti-money laundering efforts, it’s important to know your customer, according to Thomson Reuters.
Consider custom-segmented workflows for new customers that allow organizations to create personalized application processes based on risk assessment and to perform step-up authentication as necessary to minimize customer interaction while preventing fraudulent activity.
Even so, that might not always work. If you are not familiar with the term “step-up authentication,” it can solve many problems, but could alienate customers.
One example would be, as some crypto exchanges and crypto ATMs do now, making a customer go to a branch, or widely know landmark, write their name down on a piece of paper, and then take a selfie of themselves with the paper at the landmark to prove they are real and live or work in the region around the bank.
A scammer in India would likely find such a request a bridge too far to cross.
As well, train your AML teams to realize the interconnection between certain fraud schemes and, later, money laundering schemes.
What is an example of this?
In far too many romance, lottery or other related scams, once the person has their bank account emptied, the fraudsters then further victimize the person by turning them into a money mule.
In this case, yes, this is a real person with a real identity that could be laundering money for the synthetic identities controlled by the scammer.
Banks and law enforcement in some instances do reach out to these individuals and warn them they could be prosecuted for money laundering.
Some listen — others don’t.
And they have gone to prison as a result of being scammed in the first place, the ultimate conquest of the heartless, undead scammer.
Q: Should I ever go outside my institution and use other data sources to verify an identity or, more to the point, proof of life?
A: Absolutely. For instance, you could use open-source analysis to go outside your institution.
If you want to know if the person behind a new account is real, see if they have a social media footprint.
Are they on LinkedIn? Do they have a Facebook account? Do they have months or years of posts and dozens, hundreds or thousands of social media connections?
If so, the person is likely real as you can’t fake years of online behavior.
In that same vein, look for when these supposed records came into being for the customer.
Most people start having formal work, loan or bank account records starting in their late teens or early 20s. If a person comes in and all of their records seem to start when they were 30 or 40 – yes even synthetic IDs have ages – it could be a fake.
Q: Is there any way to stop a synthetic ID or scammer using a fake identity from getting in the door of my bank in the first place?
A: It’s not easy, but you should consider extending deeper training to your frontline tellers and branch managers to ask questions about things like prior banking relationships and work histories, along with names and phone numbers to confirm these details.
If the customer balks, it may mean they were not who they said they were.
Even consider creating and sending fraud trends and updates – on synthetic IDs and others – to your customers in weekly newsletters or have a dedicated area on your bank website.
By arming your customers, you could prevent fraudsters from taking money from your clients because the customer won’t click on the link and get their data stolen to start this illicit chain and scam lifecycle, preventing a scam team from getting a foot in the door in your institution in the first place.
Sources and acknowledgements:
https://www.thomsonreuters.com/en-us/posts/investigation-fraud-and-risk/synthetic-identity-fraud/
Tom Mangine, Vice President of AML Governance and Chief of Special Investigations for Capital Markets at Bank of Montreal or BMO and also its Director of AML & Risk Resilience.
Tom has more than 20 years of experience in understanding, teaching and training on financial crime and compliance, including in the military and intelligence arenas and nearly a decade in top compliance and investigations positions at BMO.
Amanda Dupont, a Public Records Product Expert, at Thomson Reuters
Amanda has more than 22 years of experience in the legal sector and is a highly experienced investigative researcher. She is a licensed attorney and practiced law in Minneapolis for more than eight years.
Bre Hamilton, Product Specialist, Public Records, Thomson Reuters
Bre has been in banking and financial crime compliance roles for more than a decade, most recently as the Product Owner of Program Governance for the BSA/AML/OFAC/Fraud operations of a mid-size bank with tens of billions of dollars in assets.