Synthetic identity fraud is a big problem for the financial services industry, but the recent Equifax breach will make synthetic identity fraud into an even bigger problem in the years to come, experts warned. But they also said credit unions can take steps to prepare for the anticipated massive onslaught of application fraud via online, call center and mobile channels, and account takeover and card fraud that can lead to substantial losses.

In September, Equifax publicly disclosed a data breach compromised personal information of 145.5 million Americans, including their names, Social Security numbers, dates of birth, addresses, driver's licenses and credit card numbers.

Just a month before the Equifax breach was revealed, a New York-based firm, Auriemma Consulting Group, released new research that synthetic fraud, a sophisticated form of ID fraud, was artificially inflating consumer loan delinquencies and costing lenders billions of dollars annually. Moreover, Yahoo announced that every single account — three billion in total — was affected by a 2013 data breach, which could compound the insidious problem of synthetic identify fraud.

According to Auriemma, which specializes in payments and lending, synthetic identity fraud is responsible for 5% of charged-off accounts and up to 20% of credit losses — $6 billion last year alone. Moreover, the total loss is actually higher when retail credit cards and auto loans are taken into account.

Recent trends indicate that application fraud is an easier target because of the proliferation of identity data that's available for purchase on the dark web. Auto finance is a prime target because the barriers and layers of control and the sophistication level of control are less than what is seen in some other organizations, according to Elizabeth Lasher, director of fraud, cybersecurity and compliance solutions at the San Jose, Calif.-based FICO.

While the industry has begrudgingly become accustomed to card breaches, credit cards have expiration dates, and the breached data often has a short useful lifetime of two years, noted Frank McKenna, a chief fraud strategist for PointPredictive in San Diego.

But this Equifax breach is different and much worse than other breaches.

“This is personal credit bureau data. This data doesn't expire,” McKenna explained. “It lasts a consumer's entire lifetime. This data could be bought and sold many times and be used to defraud banks and consumers for 10, 20, 30 years or more. That is why this breach is so, so bad. Over nine billion records have been breached since 2013, and Equifax's [145.5 million] records make up only 2% of that total. But it's a very bad 2%.”

He advises lenders to budget and plan for higher loss rates because application fraud cases could increase by as much as 10% to 15% in 2018.

Corey Skadburg, director of credit and risk for TMG Financial Services in Clive, Iowa, said credit unions may not see a huge spike in synthetic identity fraud cases right off the bat, but in the years to come, the Equifax breach is going to be very fruitful for the fraudsters as they start to build their new fake identities.

Synthetic identity fraud is created in one of three ways. Skadburg explained fraudsters will pair a real Social Security number with a fake name, use an inactive Social Security number with a real name that typically belongs to a child or someone who is deceased, or they may fabricate both the Social Security number and the name.

The identity is developed even more when the criminal applies for a line of credit typically less than $500. Although he or she will very likely be declined on that first try, he said, applying for credit triggers a credit history because the credit bureaus post a new credit file. Once that happens, the synthetic person is born under the control of a fraudster.

When the fake identity is established, the fraudster will open other accounts and pay them off on time every month to create a credit score that is favored by financial institutions, opening the opportunity to apply for loans that are never repaid.

Because developing these synthetic fraud IDs takes time, they have become the purview of sophisticated fraud rings that are patient and have the resources to generate thousands of false IDs and build their credit histories. However, a quicker way to build credit pursued by some criminals is through the authorized user process. Though adding an authorized user is legitimate, fraudsters exploit it by recruiting cardholders with good credit who may play a willing or unwilling role in the scheme.

But what makes financial institutions even more vulnerable to synthetic identity fraud is online lending. More consumers than ever are applying for loans online and expect them to be approved in minutes or less.

“That's the mindset that has caused lenders to become more aggressive and let their guard down in some of these areas,” he said. “If you want to be in the game and lend to those consumers that expect quick loans, you've got to have good processes set up to monitor for this synthetic fraud. Down the road, you could have an asset that has grown fast, but if there is a lot of junk in there that's going to bleed through into charge-offs eventually. Then you're going to be looking back to find out what happened, but by then it's too late.”

While most credit unions rely heavily on their member identification programs, nowadays those programs have to be layered with other processes and/or technology solutions that can help stem some of this fraud, particularly for online and mobile lenders.

There are different databases available through some of the credit bureaus credit unions, which can red flag fraudulent applications. And there are also a variety of software tools generally known as identity technology solutions.

“So the (identity technology solution) that we use — and many of them are like this — will determine the geolocation of the device. So the IP address may look like it's coming from Des Moines, Iowa, but the device is actually sitting over in Nigeria,” Skadburg said. “So it will kick out that information for an analyst to take another look at it.”

Armed with more synthetic IDs from the Equifax breach, Jack Lynch, chief risk officer at the St. Petersburg, Fla.-based PSCU and Gene Fredricksen, vice president, chief security strategist at PSCU, are getting ready to launch a new layer of an identity technology solution on top of what the CUSO already has in place to combat call center fraud. PSCU operates call center services for more than 800 credit unions across the nation.

“What we've been seeing is a continuing increase in account takeover and the synthetic fraud piece of it,” Lynch said. “From our perspective, we're getting prepared for the pieces of the puzzle that [fraudsters] will be able to get from the Equifax breach that will enable them to create those synthetic fraud identities.”

Fredricksen noted the amount of information fraudsters will be able to glean from the Equifax breach will help them with their social engineering efforts to get answers to challenge questions for member authentication. Some of that challenge information can be accessed from social media sites and other public records.

Pindrop, Atlanta-based voice security/authentication firm, reported a big objective of scammers is account takeover. This can involve fraudsters calling in multiple times to touch an account with nonmonetary transactions. They might include information such as updates to their phone number, password or PIN. Fraudsters also get into email accounts to change the login and password. All of this seemingly innocuous activity is actually setting the stage for a complete takeover of member accounts.

Pindrop's annual Call Center Fraud Report revealed a significant increase in the fraud rate, a jump of 113% year over year. Fraud rates in 2016 were one in 937 calls across the board, compared to one in 2,000 calls in 2015, according to Pindrop's 2016 report. For financial institutions, the rates were one in every 895 calls.

PSCU said it plans to implement a new technology solution layer this fall that will monitor hundreds of factors for each call, including the original geolocation of the call. Every call will be given a risk score, and if it is high enough, a call center representative will be prompted to contact members to verify that they in fact made the call to the credit union's call center.

Lynch expects this new identity management solution, coupled with the CUSO's other anti-fraud tools, will enable PSCU to cut down on fraudulent calls and account takeover attempts.