The online shopper going by “Michael Smith,” who lives in Houston, may not be a living, breathing consumer, according to new research from Socure, a digital identity verification provider. This consumer, with seemingly valid credentials, may be a synthetic identity meant to defraud merchants. So-called synthetic fraud, already accounting for an estimated $2.48 billion in losses in 2022, could see those losses reach nearly $5 billion by 2024, Socure says in a new report.
Released Thursday, “The State of Synthetic Fraud: Evolution, Trends, and How We Will Eradicate it by 2026” report examines how fraudsters create synthetic identities and documents recent patterns, such as increased attacks on demand deposit accounts. “Battling this kind of fraud poses many challenges and some can be traced to modern credit reporting practices and how fraudsters exploit them,” Johnny Ayers, Socure founder and chief executive, said in a statement.
Is there a typical synthetic identity? Yes, it turns out, at least with the characteristics criminals use. Incline Village, Nev.-based Socure personnel reviewed years of tagged synthetic fraud data to identify patterns by name, demographics, habits, location, and other behaviors. In particular, Socure looked at the most popular birth names from 1922 through 2021 from the Social Security Administration and the U.S. Census Bureau’s most popular surnames from the 2010 Census.
“Fraudsters have always been shrewd and crafty, and the data confirms it. It turns out that by analyzing the patterns for first names and surnames, we see very common choices, which leads us to believe that bad actors are strategically creating fabricated synthetic identities to blend in with the population,” the report says.
The most common name associated with synthetic identities is Michael Smith, followed by James Williams, John Johnson, Robert Jones, and Christopher Brown. With the goal of blending in, these synthetic identities also use fabricated traits and crafty tactics, such as using August as the birth month (it’s the top birth month), declaring the identity is 31 years of age (it’s in the largest U.S. generation), and submitting applications on Sunday, when an organization’s staffing tends to be at its lowest.
“Being aware that bad actors are using automated technology to supercharge their fraudulent activity, it’s not a stretch to presume that their software has been programmed with these popular elements to mix and match traits to create synthetic identities,” Socure says.
Socure’s $4.88-billion estimate included $2.4 billion in credit card synthetic fraud losses, based on a report from advisory firm Aite-Novarica, combined with an estimated $2.48 billion in losses for demand-deposit accounts from synthetic fraud.