To begin with, synthetic identity fraud is a relatively recent ‘label’ for a phenomenon that dates back to the first payment frauds.
It’s the ability to make it more easily identifiable that has given it its ‘letters of nobility’.
The definition on which everyone agrees is as follows: a synthetic identity is an assembled identity, the characteristics of which are to mix real and false information.
What remains to be agreed is what is ‘false’ information and what is ‘true’.
It all depends on the context and the vertical being “attacked”.
On the vertical side, in the context of banking onboarding, what is generally true are the supporting documents that are in fact usurped (identity document, proof of address, etc.). What is ‘false’ (or rather ‘created for the occasion’) are the contact details (e-mail address and telephone number).
In the field of e-commerce, what is true is the delivery address (inevitably… the product must arrive safely) and the means of payment (usurped most of the time). What’s not true is the same as for banking onboarding. And this has always been the case. Hence our preamble.
As far as the context is concerned, everything will depend on the level of control in place regarding contact data. For example, if onboarding does not include a check that the Internet user has access to the declared e-mail address, for example by sending a welcome message with a link to click for confirmation/creation of the account, the professional runs the risk of the fraudster using a usurped e-mail address (that of the usurped identity or an address with a homonym in the username).
How do you fall for it (without the right equipment)?
Without data lookup, it’s easy to confuse a synthetic identity with a well-crafted digital identity.
For the record, a data lookup is the ability to access ‘history markers’. A newly created e-mail address and a recently activated telephone number do not have the attributes of those who have ‘had a life’.
What’s more, the fraudster will generally have taken care to create an e-mail address with a username that reflects the identity declared or assumed. For example, they will avoid using numbers randomly suggested by the webmail selected, such as dupont.jean12349@……. Instead, if a username without numbers is not suggested, they will opt for numbers that reflect the identity they have assumed, such as the department, the postcode of the delivery address, the year or even the date of birth.
As for the telephone number, the well-informed fraudster will have realised that it’s best to avoid using MVNOs (Mobile Virtual Network Operators) specialising in prepaid or ‘disposable number’ services, which are easy to spot. They will be more likely to opt for prepaid offers… but from an MNO (Mobile Network Operator).
How can we protect ourselves?
It’s hard to do without ‘customer knowledge’. Either by having access to Consortium Data (a pooled database), or by benefiting from a data lookup that can pinpoint risk indicators.
And here… you can’t see it, but we’re ‘pointing the finger’ at ourselves with our best smile…
To find out more about our solutions, click here!
Español 
English (UK) 
Français 
Italiano 
Nederlands 
Português 
Română 