Synthetic Identity Fraud: How It Works and How to Stop It

Synthetic identity fraud doesn’t always look like fraud at first. That’s what makes it so dangerous.

A fraudster may combine a real Social Security number with a fake name, fabricated date of birth, new email address, and clean device history. The identity may pass basic checks, open a credit account, build credit histories over months or even years, and then disappear after a large credit line is approved.

This article focuses on a practical angle: how synthetic identity fraud slips through onboarding, what signals teams should watch for, and how stronger identity verification can help financial institutions, fintech platforms, marketplaces, and other regulated businesses reduce exposure without adding unnecessary friction.

Key Takeaways

• Synthetic identity fraud uses a mix of real, stolen, and fictitious identity elements to create a new identity for financial gain.
• Unlike traditional identity theft, the victim may not be a single obvious real person, which makes investigation and reporting harder.
• Fraudsters often build synthetic identities slowly before using them to open credit cards, bank accounts, loans, or other financial products.
• Basic data checks are not enough. Strong fraud prevention requires identity proofing, document verification, biometric matching, liveness detection, and ongoing risk signals.
• The best programs reduce fraud loss while protecting personally identifiable information and user privacy.

What Is Synthetic Identity Fraud?

The Federal Reserve defines synthetic identity fraud as the use of a combination of personally identifiable information to fabricate a person or entity for dishonest personal or financial gain. Its guidance also notes that inconsistent definitions across the industry have made this type of fraud harder to classify, report, and mitigate through a shared framework for synthetic identity fraud.

In plain English, synthetic identity fraud happens when a fraudster creates a new identity from pieces of real and fake information. The synthetic identity may include:

• A real Social Security number
• A fake name
• A fabricated date of birth
• A real address or rented mailbox
• A new phone number
• A clean email account
• Stolen personal information from a data breach
• AI-generated or altered documents

This differs from traditional identity theft. In traditional identity theft, a criminal usually impersonates a real person’s identity. With synthetic identity theft, the fraudster may create a new identity that doesn’t fully belong to one real person.

That difference matters. A synthetic identity can appear thin but plausible. It may not immediately trigger complaints from a victim. It may also move through credit systems slowly, building trust before the actual fraud occurs.

A simple example: a fraudster uses a child’s real SSN from the dark web, pairs it with a fake name and date of birth, applies for a small credit line, makes payments for several months, then requests higher limits across multiple credit cards. Once enough credit is available, the identity “busts out,” leaving lenders with the loss.

How Synthetic Identities Are Created

Synthetic identities are designed to survive early screening. They often start with small inconsistencies that look like normal onboarding noise: a thin credit file, a recently created email, a new phone number, or limited address history.

A fraudster can create a synthetic identity using three broad categories of identity elements.

Identity element	How it may be used	Why it can pass weak checks
Real PII	SSN, address, phone number, or date of birth tied to a real person	Some systems only check whether the data exists
Fictitious details	Fake name, synthetic date of birth, new email, fabricated employment	Thin-file applicants can look similar to legitimate new users
Manipulated evidence	Altered ID, AI-generated selfie, deepfake video, edited utility bill	Manual review or weak automation may miss subtle tampering

Fraudsters commonly use synthetic identities in stages.

First, they assemble the identity. This may involve stolen personally identifiable information from a data breach, public records, breached credentials, or identity data sold on the dark web.

Next, they test it. They may apply for low-risk products, prepaid accounts, online services, or low-limit credit accounts to see which systems accept the identity.

Then, they build credibility. Some synthetic identities are maintained for months or even years. The fraudster may make small payments, keep activity normal, and create credit histories that look increasingly legitimate.

Finally, they monetize. This can happen through credit cards, personal loans, bank accounts, account takeover attempts, fake merchant accounts, buy now pay later abuse, or coordinated bust-out fraud.

The key point is that synthetic identity fraud isn’t always a single bad application. It can be a lifecycle.

That’s why identity verification should not depend on one question: “Does this data match a record?” A better question is: “Does this identity exist, does the evidence look genuine, and is the person presenting it actually connected to that identity?”

NIST’s digital identity guidance frames identity proofing as a process where an applicant provides evidence that allows a credential service provider to identify them at a useful assurance level, which is especially relevant for high-risk onboarding where identity proofing and enrollment need more than a basic data match.

Why Synthetic Identity Fraud Is Harder to Detect

Synthetic identity fraud is complex because it sits between identity theft, credit abuse, document fraud, and application fraud.

A stolen credit card transaction may be flagged quickly. A takeover attempt may show unusual login behavior. But a synthetic identity can act like a normal new customer for a long time. It may not have a prior fraud record. It may not have a real victim calling customer support. It may even pay on time at first.

The identity may be partly real

A synthetic identity often includes at least one real identifier. That creates confusion for fraud detection systems. If a Social Security number exists, an address is deliverable, and a phone number can receive one-time passwords, a basic onboarding flow may treat the application as low risk.

But existence is not the same as authenticity.

A real SSN with a mismatched name and date of birth can still be part of a synthetic identity. A real address can be used by many unrelated identities. A real phone number can be newly created, rented, or recycled.

The fraud signal appears late

Many fraud models are trained to detect immediate risk. Synthetic fraud may not behave that way.

The first application might be declined. The second might be accepted with a low limit. The third might build a thin credit file. The major loss may happen after the synthetic identity has accumulated enough trust to gain access to higher limits.

For financial institutions, this delay complicates attribution. By the time the fraud loss appears, the original onboarding signals may be months old.

AI has lowered the cost of fake evidence

Fraudsters can now create more convincing documents, profile photos, and video artifacts. FinCEN warned financial institutions that schemes involving deepfake media can use GenAI-created identity documents, photographs, and videos to bypass customer identification and verification controls, which makes deepfake fraud schemes a growing concern for remote onboarding.

That doesn’t mean every synthetic identity uses deepfakes. Many still rely on old-fashioned mismatched data and weak checks. But it does mean businesses need layered controls that can evaluate both data consistency and human presence.

This is where liveness detection becomes important. A selfie alone is not enough if a system can’t distinguish a real person from a printed image, replayed video, mask, or synthetic media.

A Practical Workflow to Mitigate Synthetic Identity Fraud

Mitigating synthetic identity fraud requires more than adding one more database check. A stronger workflow treats onboarding as a chain of evidence.

Here’s a practical model many risk teams can adapt.

1. Resolve the identity before approving access

Start by checking whether the identity elements belong together. That includes name, date of birth, address, phone, email, device, and any government-issued document data.

Look for mismatches that are individually explainable but collectively suspicious:

• SSN issued in one pattern, but the date of birth doesn’t make sense
• Address tied to many unrelated applicants
• Phone number recently activated
• Email created shortly before application
• Multiple applications from the same device using different names
• Identity has thin or newly formed credit histories
• Applicant changes small details across attempts

A single mismatch shouldn’t automatically mean fraud. People move. Phone numbers change. Young adults and new immigrants may have thin files. The goal is risk scoring, not blanket rejection.

2. Validate identity evidence

Document verification helps confirm whether the submitted ID appears genuine, unaltered, and consistent with the user’s claimed identity. This matters because synthetic identities often rely on plausible but manipulated documents.

A strong process should check:

• Document format and template consistency
• OCR-extracted fields against user-submitted fields
• Expiration date and document type
• Signs of tampering, cropping, glare, blur, or editing
• Photo-to-selfie match
• Whether document data aligns with authoritative or third-party data sources

For workflows that require remote onboarding, document verification can support this step by helping teams evaluate identity evidence before granting access to higher-risk products.

3. Confirm the person is present

Synthetic identity fraud often overlaps with impersonation. Even if the submitted document looks legitimate, the business still needs to know whether the applicant is the person presenting the evidence.

This is where biometric comparison and liveness checks can add assurance. The workflow should confirm:

• The person is physically present
• The face matches the ID photo or enrolled profile
• The capture is not a replay, mask, printed image, or deepfake
• A high-risk attempt can trigger step-up verification

For lower-risk journeys, passive checks may be enough. For higher-risk moments, such as opening a new account, changing payout details, increasing a credit line, or recovering an account, stronger step-up verification may be justified.

4. Deduplicate across the user base

Synthetic identities often reuse devices, faces, addresses, documents, phone numbers, or behavioral patterns. Deduplication helps identify whether one person is creating multiple accounts under different identity details.

A privacy-preserving facial recognition software workflow can help with duplicate enrollment prevention when implemented carefully. The important design question is not only whether a system can find duplicates, but whether it can do so without creating unnecessary biometric privacy risk.

This is one reason on-device processing and privacy-preserving biometric architecture matter. A fraud prevention program should not create a new data breach problem while trying to solve fraud.

5. Monitor after onboarding

A synthetic identity may look safe on day one and become risky later. Monitoring should continue after approval, especially for financial services and platforms with stored value, credit, payouts, or account recovery risk.

Useful post-onboarding signals include:

• Sudden credit line requests
• Rapid addition of payment methods
• Multiple failed account recovery attempts
• Unusual device changes
• New shipping addresses after approval
• Behavior that differs from the user’s established pattern
• Shared infrastructure across many accounts
• Dormant account followed by high-value activity

A practical fraud detection system should combine onboarding risk with ongoing behavior. Synthetic identity fraud requires a timeline view.

What Businesses Often Get Wrong

Many businesses underestimate synthetic fraud because they think identity verification and fraud detection are the same thing. They overlap, but they’re not identical.

Identity verification asks whether the applicant is who they claim to be. Fraud detection asks whether the activity is suspicious. Synthetic identity fraud requires both.

Mistake 1: Trusting data matches without checking identity linkage

A data match can create false confidence. A name, address, phone number, or SSN may appear valid in isolation, but the real question is whether those identity elements belong to the same person.

A better approach is to score the consistency of the entire identity graph. For example, an SSN with a fake name should not be treated the same as an SSN, name, date of birth, and document that all align with the applicant and their biometric presentation.

Mistake 2: Treating thin files as either safe or fraudulent

Thin credit histories are tricky. Some legitimate users have limited records. That includes young adults, recent immigrants, people who avoid credit, and customers entering a new market.

Rejecting every thin-file applicant can harm conversion and fairness. Approving every thin-file applicant can invite fraud loss.

The better approach is graduated assurance. Allow lower-risk access when appropriate, but require stronger evidence for higher-risk actions.

Mistake 3: Using friction at the wrong point

Fraud teams often add friction too early or too late.

If verification is too heavy at sign-up, legitimate users abandon the process. If verification is too light before a high-risk action, fraudsters gain access before controls appear.

A useful rule: match friction to risk. A newsletter signup doesn’t need the same scrutiny as a bank account opening. A credit line increase doesn’t need the same controls as a password reset. Different moments deserve different checks.

Mistake 4: Ignoring privacy in fraud prevention

Fraud prevention systems process sensitive personal information. Some also process biometric data. That creates responsibility.

Storing more data than necessary may make investigations easier in the short term, but it can increase breach impact, regulatory exposure, and user trust issues. Privacy-preserving identity verification is not just a compliance preference. It can be a fraud mitigation advantage because it reduces the amount of exploitable personal information held in central systems.

The Strongest Defense Is Identity Confidence

Synthetic identity fraud works because weak systems confuse “plausible” with “verified.”

A name can be fake. A Social Security number can be real but misused. A credit history can be manufactured. A document can be altered. A selfie can be spoofed.

The strongest defense is layered identity confidence: validate the identity, verify the evidence, confirm the person, deduplicate intelligently, and keep watching for risk after onboarding.

No single control will prevent synthetic identity fraud completely. But a layered, privacy-aware workflow makes it much harder for synthetic identities to pass as real customers long enough to cause damage.

FAQs