What Is Synthetic Identity Fraud?
Synthetic identity fraud is a type of financial crime where an attacker combines real and fabricated data to create a new, fictitious identity. The attacker then uses this identity to open fraudulent accounts and make unauthorized purchases.
Synthetic identity fraud differs from traditional identity theft because it involves creating a blended identity rather than impersonating an existing individual. Threat actors harvest authentic identifiers (such as a Social Security Number) from vulnerable populations like minors or the deceased, then combine these legitimate markers with fabricated names and addresses.
This results in a fake identity with a valid credit-building record, even though it doesn’t belong to an actual person.
Why Synthetic Identity Fraud Is Growing
Synthetic identity fraud is growing because Generative AI enables the mass production of hyper-realistic personas that exploit the static nature of traditional Know Your Customer (KYC) verification processes.
The proliferation of Personally Identifiable Information (PII) on the dark web, combined with AI-driven automation (specifically bots, Generative AI, and app-cloning tools), enables threat actors to assemble and manage thousands of blended identities simultaneously.
Meanwhile, traditional KYC processes fail because they verify data points in isolation rather than checking whether they belong together. Synthetic identities often pass verification checks because they use genuine identifiers with clean histories.
A Group-IB investigation into deepfake fraud identified a criminal group in Indonesia that bypassed multilayered biometric security. The attackers used app cloning and face-swapping technologies to execute AI-powered synthetic identity fraud during digital onboarding, revealing the limitations of traditional KYC processes.
How Synthetic Identity Fraud Unfolds Over Time
Synthetic identity fraud unfolds in three main phases. First is the identity manufacturing stage, where fake identities are created. Next comes credit building, as criminals build up credit limits over time. Finally, in the bust-out phase, they spend all available funds and then abandon the identity.
The table below provides a quick breakdown of the lifecycle of synthetic identity fraud.
| Phase | Key Actions & Goals |
| --- | --- |
| Identity manufacturing | – Construct a synthetic identity by combining real and fake data. – Establish a credible blended persona before introducing it to financial systems. |
| Credit building | – Introduce a synthetic identity into financial systems through low-risk applications or piggybacking. – Build trust by maintaining on-time payments and controlled account activity. – Expand access to higher credit limits across multiple institutions. |
| Bust-out | – Exploit accumulated credit through cash-outs, high-value transactions, or refund abuse. – Abandon the identity after extraction. |
Phase 1: Identity manufacturing
In the identity manufacturing phase, the attacker constructs a synthetic identity by blending legitimate identifiers with fabricated personal data.
Threat actors commonly use “clean” SSNs gathered from data breaches, the dark web, or social engineering. Their goal is to establish a believable digital persona before it ever interacts with financial systems.
The fake profile looks legitimate because its core identifiers are real and either unused or barely used, so it can easily pass onboarding checks when entering credit and banking systems for the first time.
Phase 2: Credit building
In the credit-building phase, the attacker introduces the synthetic identity into financial systems and builds trust over time. Their goal is to expand the identity’s access to higher credit limits across multiple institutions.
Threat actors introduce synthetic profiles into financial systems through low-value accounts, such as retail cards, or by piggybacking as authorized users on legitimate accounts. These early interactions create a record of existence within credit bureaus and financial databases.
Over time, the attacker builds credibility by maintaining clean repayment behavior and controlled account activity.
During this phase, the same synthetic identity or its components can be reused across banks, lenders, and payment platforms to maximize yield while preserving the appearance of legitimacy.
Group-IB’s investigations show this pattern in Authorized Push Payment (APP) fraud, where attackers use synthetic identities to open mule Demand Deposit Accounts (DDAs). Attackers receive and rapidly redistribute scam proceeds across institutions, evading detection.
Phase 3: Bust-out
In the bust-out phase, the attacker spends or withdraws all available funds, loans, and credit lines before abandoning the account.
Once credit limits and transactional access reach their peak, attackers exploit the synthetic identity by rapidly withdrawing funds through cash-outs, high-value purchases, or payment fraud. These actions often occur simultaneously across multiple institutions where the identity has been seeded.
After extraction, the fraudster abandons the profile entirely, leaving financial institutions with no real individual to pursue for recovery. It is possible for the identity to resurface elsewhere, repurposed for additional fraud paths or reintroduced through related synthetic profiles.
Signals That Suggest a Synthetic Identity
Synthetic identities are most reliably identified through behavioral and technical inconsistencies, not static personal data. The strongest signals are shared devices across unrelated accounts, robotic interaction patterns, and shared infrastructure.
1. Device and session patterns that don’t add up
Multiple, unrelated accounts linked to the same device or technical environment signal synthetic activity.
Although the PII in each application seems unique, underlying patterns (device attributes, network settings, IP behavior, and browser configurations) reveal a shared infrastructure. Shared infrastructures often point to organized criminal groups.
2. Behavior and velocity anomalies across apps
During onboarding, fraudsters often use automated scripts or “copy-paste” functions for sensitive fields like SSNs, bypassing the natural hesitation and keystroke rhythm of a real human.
As synthetic accounts mature, they exhibit sudden spikes in activity, such as multiple credit limit increase requests or simultaneous actions across multiple banking apps.
3. Link analysis clues
Link analysis clues reveal when components of synthetic identities are reused to scale attacks.
Shared devices and repeated attributes offer strong clues. Repeated email naming conventions, reused addresses, shared VoIP phone numbers, and common device fingerprints connect seemingly distinct profiles.
Detecting these repeated attributes allows security teams to disrupt entire fraud rings at once, rather than chasing individual accounts.
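The link-analysis clues above can be operationalized as a graph of applications joined by shared attributes. The following Python is an added example, not Group-IB's code: it normalizes email naming conventions and addresses, then uses union-find to group a constructed set of applications into rings; every applicant value, device fingerprint and the `min_size` threshold is an assumption made for illustration.

```python
import re
from collections import defaultdict

# Constructed applications (illustrative values only). Each passed isolated
# KYC checks; the question is whether any of them share infrastructure.
APPLICATIONS = [
    {"id": "A1", "device": "fp-7c1e", "phone": "+1-555-0100", "email": "j.smith01@mail.test", "addr": "12 Elm St Apt 4"},
    {"id": "A2", "device": "fp-7c1e", "phone": "+1-555-0177", "email": "m.lopez@mail.test", "addr": "88 Oak Ave"},
    {"id": "A3", "device": "fp-9a20", "phone": "+1-555-0177", "email": "k.chen@mail.test", "addr": "12 Elm St, Apt. 4"},
    {"id": "A4", "device": "fp-0b44", "phone": "+1-555-0199", "email": "peter.w@mail.test", "addr": "5 Pine Rd"},
    {"id": "A5", "device": "fp-3e11", "phone": "+1-555-0123", "email": "J.Smith.02@mail.test", "addr": "100 Main St"},
]

def email_pattern(email):
    """Collapse 'j.smith01' / 'J.Smith.02' to one naming-convention key."""
    local, domain = email.lower().split("@")
    return re.sub(r"[._\d]", "", local) + "@" + domain

def address_key(addr):
    """Lowercase, strip punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", addr.lower()).split())

def _find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]   # path halving
        x = parent[x]
    return x

def find_rings(apps, min_size=2):
    """Union-find over applications that share any normalized attribute.
    Returns [(sorted member ids, sorted linking attribute kinds)]."""
    parent = {a["id"]: a["id"] for a in apps}
    holders = defaultdict(list)          # (kind, value) -> [ids holding it]
    for a in apps:
        holders[("device", a["device"])].append(a["id"])
        holders[("phone", a["phone"])].append(a["id"])
        holders[("email", email_pattern(a["email"]))].append(a["id"])
        holders[("address", address_key(a["addr"]))].append(a["id"])
    edges = []
    for (kind, _), ids in holders.items():
        for other in ids[1:]:            # every holder joins the first holder
            parent[_find(parent, other)] = _find(parent, ids[0])
            edges.append((ids[0], kind))
    members, kinds = defaultdict(list), defaultdict(set)
    for a in apps:
        members[_find(parent, a["id"])].append(a["id"])
    for anchor, kind in edges:
        kinds[_find(parent, anchor)].add(kind)
    return sorted((sorted(m), sorted(kinds[root]))
                  for root, m in members.items() if len(m) >= min_size)
```

On the sample, A1, A2, A3 and A5 collapse into one ring (device, phone, address and email convention each supply a link) while A4 stays isolated, which is the unit an analyst would escalate instead of four separate accounts.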
Where To Place Controls Across the Customer Journey
Effective risk mitigation relies on strategically deploying behavioral and technical controls at onboarding, credit application, and account maintenance touchpoints. This multi-layered approach allows security teams to identify subtle inconsistencies in a blended identity during its incubation period, rather than waiting for a reactive alert during a bust-out.
Below, we examine the distinct behavioral and technical indicators that surface at each stage of the customer journey.
1. Onboarding and credit application
Synthetic identities often pass initial data verification but reveal anomalies during application.
Entry-point controls should evaluate device reputation, environmental signals, and document authenticity. Monitoring for “robotic” interaction patterns during credit applications, such as rapid submissions, can catch accounts that look legitimate on paper but behave suspiciously in practice.
2. Account servicing, limit increases, and profile updates
Changes to account details are high-signal indicators of synthetic identity fraud.
Sudden updates to addresses, phone numbers, or email addresses, especially when followed by a credit limit increase request, can indicate an impending bust-out. Monitoring these actions allows controls to intervene before the fraud escalates.
3. Payments, refunds, and dispute activity
Transactional anomalies can expose synthetic identities post-onboarding.
Patterns such as sudden bursts of activity after dormancy, high refund-to-purchase ratios, frequent high-value refunds, and rapid-fire disputes often signal extraction attempts or account abuse. Spotting them provides a final opportunity to mitigate losses.
Detection tactics that work in production
Effective synthetic identity fraud detection in production relies on tools and processes that separate legitimate thin-file users from synthetic constructs without blocking real customers. These tactics are deployed in live systems, ensuring real-time protection across the customer journey.
1. Device intelligence and risk scoring
Device intelligence collects and analyzes data from user devices to detect suspicious behavior.
Techniques such as device fingerprinting and interaction analytics provide security teams with a persistent view of how applicants interact with digital services.
Risk scoring uses collected device and behavioral data to quantify the likelihood of fraud. This process guides security teams on whether to approve, flag, or require more verification for the application.
2. Document and face checks with liveness and replay protection
Static documents and photo checks are no longer enough because Generative AI enables deepfake attacks.
Liveness detection requires users to perform random actions, helping security teams ensure the person interacting with the system is real and that the input is not pre-recorded or a deepfake.
3. Consortium and shared-risk signals without exposing identifiers
Synthetic identities are often used simultaneously across multiple organizations.
Consortium and shared-risk signals allow security teams to identify coordinated patterns across environments without sharing raw customer data. This strengthens ecosystem-level defense, preventing synthetic identity fraud from spreading while maintaining regulatory compliance.
How To Exchange Fraud Signals While Protecting Customer Privacy
Security teams detect coordinated synthetic identity rings by sharing fraud signals across institutions without exposing raw customer data. Achieving this requires the following privacy-preserving workflows that connect the right intelligence to the right controls.
1. Tokenize and minimize identifiers
Security teams should implement one-way hashing to convert sensitive identifiers into unique, irreversible tokens before they leave the organization’s perimeter.
Here’s how to ensure that raw data stays protected while still allowing match-on-token analysis across different platforms:
- Identify sensitive identifiers (e.g., SSN, phone number) linked to blended identities.
- Apply a cryptographic hash with a shared salt to generate anonymized tokens.
- Share only the tokens with a shared fraud intelligence hub or consortium.
2. Match patterns across participants to spot coordinated activity
Once identifiers are tokenized, security teams should compare patterns across multiple participants. Shared devices, repeated behavioral traits, and synchronized activity timelines reveal synthetic identity rings that would otherwise remain invisible.
Here’s how this works in practice:
- Aggregate tokenized signals from participating organizations.
- Analyze for repeated behaviors or device reuse across accounts.
- Flag clusters for further investigation or automated controls.
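Steps 1 and 2 above, tokenizing identifiers and then matching across participants, as one added Python example that is not Group-IB's implementation. It uses a keyed hash (HMAC-SHA256 under a consortium key) as the "shared salt": a bare salted hash of a 9-digit SSN is enumerable by anyone who holds the salt, so the key must stay with members only. The member names, account references, key and all PII values are constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Hypothetical consortium key, distributed to members out of band.
# Keyed hashing, not salt+SHA-256: an SSN has only 10^9 candidates, so a
# known salt would let any party brute-force tokens back to identifiers.
CONSORTIUM_KEY = b"demo-key-replace-in-production"

def normalize(kind, value):
    """Canonicalize so formatting variants of one identifier share a token."""
    digits = re.sub(r"\D", "", value)
    if kind == "ssn":
        return digits                      # "123-45-6789" -> "123456789"
    if kind == "phone":
        return digits[-10:]                # drop country code and punctuation
    raise ValueError(f"unknown identifier kind: {kind}")

def tokenize(kind, value, key=CONSORTIUM_KEY):
    msg = f"{kind}:{normalize(kind, value)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def minimized_record(member, account_ref, fields):
    """The only thing that leaves the perimeter: member, opaque account ref, tokens."""
    return {"member": member, "account": account_ref,
            "tokens": {k: tokenize(k, v) for k, v in fields.items()}}

# Constructed submissions from three hypothetical members; raw PII is
# tokenized at each member before it reaches the hub.
HUB = [
    minimized_record("bank-a", "acct-1", {"ssn": "123-45-6789", "phone": "+1 (555) 010-0100"}),
    minimized_record("bank-b", "acct-7", {"ssn": "123456789", "phone": "555-010-0177"}),
    minimized_record("lender-c", "acct-3", {"ssn": "987-65-4321", "phone": "1-555-010-0100"}),
    minimized_record("lender-c", "acct-4", {"ssn": "555-12-3456", "phone": "555-010-0199"}),
]

def cross_member_matches(records, min_members=2):
    """Tokens observed at >= min_members distinct members: reuse of one
    identifier across institutions, which no single member could see."""
    seen = defaultdict(set)                # (kind, token) -> {(member, account)}
    for r in records:
        for kind, tok in r["tokens"].items():
            seen[(kind, tok)].add((r["member"], r["account"]))
    return {k: sorted(v) for k, v in seen.items()
            if len({m for m, _ in v}) >= min_members}
```

The hub sees that one SSN token appears at bank-a and bank-b and one phone token at bank-a and lender-c, yet holds no value it could reverse; a member with a different key produces unrelated tokens, so key distribution is what bounds who can join.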
3. Governance for consent, retention, and audit
Maintaining privacy while exchanging signals requires governance embedded in every workflow. Security teams should enforce a privacy-by-design framework with:
- Dynamic consent management to ensure users authorize data use.
- Automated retention policies that purge tokens once their investigative purpose is fulfilled.
- Immutable audit logs that track every data transaction for compliance and accountability.
Combining these workflows within a Fraud Protection platform can help organizations detect synthetic identity fraud at scale and keep customer data secure and compliant.
Catching Sophisticated Synthetic Fraud
Detecting sophisticated synthetic identities requires a layered defense strategy that goes beyond basic KYC checks. Organizations must combine behavioral analytics, device intelligence, and AI-driven pattern recognition to identify accounts that appear legitimate on the surface but exhibit inconsistent behavior.
Below are the key areas where your security team can apply these defenses to catch synthetic identity fraud early.
When an identity passes KYC but fails the behavior
Behavioral anomalies signal synthetic fraud. Even with valid stolen documents, fraudsters cannot easily mimic natural “digital body language,” such as mouse movements, typing rhythms, or app navigation patterns.
Here’s how security teams should respond when verified accounts show suspicious behavior:
- Collect and analyze behavioral telemetry. Track session activity, keystrokes, navigation patterns, and device signals.
- Flag high-risk accounts. Identify accounts that deviate from typical human behavior or exhibit rapid, suspicious activity.
- Cross-check with device and session risk scores. Combine behavioral anomalies with device fingerprints, IPs, and network patterns to prioritize investigations.
- Classify risk type. Determine if anomalies suggest first-party manipulation or third-party synthetic fraud.
- Take targeted action. Monitor low-risk but anomalous accounts. Suspend high-risk synthetic accounts.
- Maintain ongoing monitoring. Watch accounts that pass initial review for any new suspicious activity.
Separating first-party abuse from synthetic fraud patterns
Distinguishing between first-party abuse and third-party synthetic fraud ensures that SOC teams apply the right controls while preserving a legitimate user experience. First-party abuse involves a real user manipulating their own account, while third-party synthetic fraud comes from organized actors using fabricated identities.
First-party abuse signals include unusual edits or inconsistencies on a single account, activity from a consistent device, or minor manipulations in self-reported information. Third-party synthetic fraud signals include coordinated activity across multiple accounts, reused devices or IPs, and repeated behavioral patterns across unrelated accounts.
Using behavioral, technical, and cross-channel signals, security teams can accurately classify the fraud type and respond appropriately.
Here’s how teams can tell the difference:
- Collect behavioral and technical signals: Device fingerprints, IP addresses, account edits, cross-channel connections.
- Compare patterns across accounts: Single-account anomalies are likely first-party abuse. Multi-account coordination is likely third-party synthetic fraud.
- Apply targeted response based on classification: Manual review, limit adjustments, or direct user outreach for first-party abuse. Account suspension, network-wide alerts, and partner notifications for third-party fraud.
Reducing manual review while protecting acceptance rates
Continuous risk scoring is essential, particularly as Group-IB’s recent report, Weaponized AI, highlights how threat actors can bypass initial onboarding checks by mimicking human behavior.
Automated risk scoring allows security teams to stop synthetic identity fraud without blocking real customers. AI and machine learning models can instantly approve low-risk users and escalate accounts with synthetic identity signals.
To operationalize automation, security teams should:
- Integrate automated risk scoring across touchpoints: Apply scoring during onboarding, account changes, and transaction activity.
- Define clear action thresholds: Set rules for automatic approval, step-up verification, manual review, or real-time intervention.
- Continuously update detection models: Retrain models using newly observed synthetic fraud behaviors and cross-channel intelligence.
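The onboarding keystroke signals from "Behavior and velocity anomalies" and the action thresholds above, combined in one added Python example that is not Group-IB's scoring engine. It scores constructed session telemetry for pasted SSN fields, robotic keystroke rhythm, limit-increase velocity and a contact-detail change shortly before a limit request, then maps the score to an action band; every weight, threshold, timestamp and session is an assumption chosen for illustration.

```python
import statistics

# Assumed score bands (highest floor wins); tune against acceptance-rate targets.
THRESHOLDS = [(80, "real_time_intervention"), (60, "manual_review"),
              (30, "step_up_verification"), (0, "auto_approve")]
WEIGHTS = {"pasted_sensitive_field": 40, "robotic_keystroke_rhythm": 35,
           "limit_increase_velocity": 30, "contact_change_before_limit_request": 25}

def keystroke_signal(timestamps_ms, min_keys=5, max_jitter_ms=15):
    """Classify how a sensitive field (e.g. SSN) was filled from keystroke times.
    No keystrokes at all means the value was pasted or injected by a script;
    near-constant inter-key gaps mean scripted typing rather than a human."""
    if not timestamps_ms:
        return "pasted_sensitive_field"
    if len(timestamps_ms) >= min_keys:
        gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
        if statistics.pstdev(gaps) <= max_jitter_ms:
            return "robotic_keystroke_rhythm"
    return None

def score_session(s, velocity_limit=3, contact_window_h=24):
    """Return (score 0-100, reasons) for one session's telemetry."""
    reasons = []
    sig = keystroke_signal(s["ssn_keystrokes_ms"])
    if sig:
        reasons.append(sig)
    if s["limit_increase_requests_24h"] >= velocity_limit:
        reasons.append("limit_increase_velocity")
    changed = s["contact_changed_hours_ago"]
    if changed is not None and changed <= contact_window_h and s["limit_increase_requests_24h"] >= 1:
        reasons.append("contact_change_before_limit_request")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons

def decide(score):
    for floor, action in THRESHOLDS:
        if score >= floor:
            return action

# Constructed sessions (milliseconds since the SSN field gained focus).
SESSIONS = {
    "human": {"ssn_keystrokes_ms": [0, 180, 410, 530, 790, 1020, 1260, 1390, 1710],
              "limit_increase_requests_24h": 0, "contact_changed_hours_ago": None},
    "paste": {"ssn_keystrokes_ms": [],
              "limit_increase_requests_24h": 0, "contact_changed_hours_ago": None},
    "bot":   {"ssn_keystrokes_ms": [0, 50, 100, 150, 200, 250, 300, 350, 400],
              "limit_increase_requests_24h": 3, "contact_changed_hours_ago": 6},
}
```

The human session scores 0 and is auto-approved, the pasted SSN alone lands in step-up verification, and the scripted session with three limit requests after a fresh contact change reaches the intervention band, which is the split between thin-file customers and synthetic constructs the section describes.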
How Group-IB Fights Synthetic Identity Fraud
Understanding synthetic identity fraud allows enterprises to disrupt the long con of fake personas before they can scale into coordinated bust-out attacks. When security teams shift from static data validation to defenses centered on behavioral telemetry, they can break the economics of fraud early, during the critical incubation phase.
Group-IB stops synthetic identity fraud by looking beyond static identifiers to analyze how users interact with your digital platform. Through the Fraud Protection Platform, your team can:
- Detect synthetic patterns in real time during onboarding by cross-referencing device intelligence, behavioral biometrics, and session risk. This surfaces anomalies like automated data entry or non-human navigation that traditional KYC checks miss.
- Prioritize investigation with high-fidelity signals, such as repeat device fingerprints and velocity anomalies. This eases the manual review workload and reduces dependence on inconclusive PII verification.
- Collaborate via privacy-safe signal exchange. The Cyber Fraud Intelligence Platform enables industry-wide collaboration through patented tokenization. Members can identify coordinated fraud across institutions without exposing raw PII, thereby maintaining compliance with GDPR and global privacy regulations.
Get in touch with Group-IB experts to start identifying the behavioral signals that expose blended identities. We can show you how our Fraud Protection platform helps you reduce risk and strengthen your onboarding against coordinated fraud.
