Synthetic identity fraud: creating fake people to scam businesses
Criminals are now upping the ante on identity theft, creating fake job applicants and recruiters to gain access to private data.
Identity theft is one of the oldest scams in the book, but the updated version of this classic fraud tactic may not be as familiar to business owners. In 2020, so-called “synthetic identity fraud” resulted in an estimated $20 billion in losses—an increase of 33% over 2018.1 Concerned security professionals report that cybercriminals may be using synthetic identity fraud to apply for jobs at target companies to steal confidential information.
What is synthetic identity fraud?
The Federal Reserve Board defines synthetic identity fraud as “the use of a combination of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.”
Instead of using a real person’s name, Social Security number and other PII, perpetrators of synthetic identity fraud pair a fake name, address and other personal details with a real, stolen Social Security number to fabricate an identity for a person who does not exist. The stolen Social Security numbers often belong to people who are not frequent credit users, such as children, recent immigrants or low-income individuals – people who are less likely to notice suspicious activity on their credit reports.
Most synthetic identity criminals use these fake identities to apply for fraudulent loans, credit cards and unemployment benefits. But recently, an increasing number of criminals are also using this tactic to apply for jobs and steal sensitive business information. Some are also posing as recruiters for a legitimate business to defraud job applicants.
Fraudulent job applicants and fake job listings
In June 2022, the FBI Internet Crime Complaint Center warned of “an increase in complaints reporting the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions.” Criminals use synthetic identity fraud to apply for roles that 1) are fully remote and 2) provide access to a company’s financial data, customer PII and other proprietary information. With the rise of remote interviewing and remote work due to the COVID-19 pandemic, detecting and thwarting fraudulent job applicants can be more challenging than it once was.
The FBI reports complaints of fake job applicants in “information technology and computer programming, database, and software related job functions.” A criminal who successfully uses synthetic identity fraud to secure one of these positions can then exploit their system access to steal confidential information such as employee and customer PII.
In addition to submitting fraudulent applications to legitimate jobs, scammers use synthetic identity fraud to post fake job listings from real companies, pose as recruiters or hiring managers, and offer applicants a position as a tactic to steal their personal information. Fake job scams, while not new, have spiked since the COVID-19 pandemic—and as technology advances, synthetic identity fraud helps criminals profit from these schemes.
How business owners can combat synthetic identity fraud
To protect your business from the costly damages that can result from synthetic identity fraud, make sure anyone on your team who conducts remote job interviews knows how to spot a deepfake. Signs to look out for include:
- A poor-quality video conferencing application
- Out-of-sync visuals and audio (a person audibly coughs or sneezes while talking but the video image of them does not, or their lip movements don’t match their words)
- Unnatural movement of the eyes or eyebrows
When it comes to fraudulent job postings, business owners should publicly disclose their hiring practices to help candidates distinguish between scams and legitimate interactions with the company’s hiring managers. Companies should also double down on transparency, making it abundantly clear where candidates can identify and submit applications for legitimate job opportunities. Finally, set up a process to monitor for fraudulent job postings, if your HR team doesn’t already do so. Encourage anyone who believes they’ve been scammed by a fake job posting to report the incident to the company, as well as the Internet Crime Complaint Center, Federal Trade Commission, Better Business Bureau, and/or Google’s Phishing Report Page.
While identity theft is best known as a crime that affects individual consumers, business owners need to know the threats it can pose to their organizations. To learn more, visit key.com/cybersecurity.