The rise in identity fraud has set new records in 2022. This was put in motion by fraudulent SBA loan applications totaling nearly $80 billion being approved, and the rapid rise of synthetic identity fraud. Almost 50% of Americans became victims of identity fraud between 2020 and 2022. The National Council on Identity Theft Protection found that, on average, there is an identity theft case every 14 seconds. Last year alone, businesses lost $20 billion to synthetic identity fraud, $697B from bots and invalid traffic, and more than $8 billion from international revenue share fraud (IRSF).
Cyberattackers use a combination of real and fake personal information, including Social Security numbers, birthdates, addresses, employment histories and more, to create fake or synthetic identities.
Once created, they're used to apply for new accounts that fraud detection models interpret as a legitimate new identity and grant credit to the attackers. It's the fastest growing form of identity fraud today because it's undetectable by many organizations' existing fraud prevention techniques, models, and security stacks.
Synthetic identity fraud is the most difficult to identify, as combining real and fictitious identity data can easily trick existing fraud detection models, gaining account and credit privileges for attackers. Source: Federal Reserve, Mitigating Synthetic Identity Fraud in the U.S. Payment System.
Existing fraud models fall short
Fraud prevention analysts are overwhelmed with work as the variety of the evolving nature of bot-based and synthetic identity fraud proliferates globally. Their jobs are so challenging because the models they're using aren't designed to deal with synthetic identities or how fast fraud's unstructured and changing nature is.
Approaches using structured machine learning algorithms are effective to a point. However, they're unable to scale and capture the nuanced type of attacks synthetic identities are creating today. Machine learning (ML) and artificial intelligence (AI) techniques to capture the nuanced nature of attacks aren't as effective as needed to strop attackers, either.
LexisNexis Risk Solutions found that existing fraud discovery models are ineffective at detecting between 85% to 95% of likely synthetic identities. Many existing modeling techniques for fraud detection lack real-time insights and support for a broad base of telemetry data over years of transaction activity. The lack of real-time visibility and limited transaction data sets translate into inaccurate model results.
Given their limitations, existing fraud prevention model techniques aren't treating identities as a new security perimeter, which is core to sustaining a zero-trust framework while putting an entire organization at risk. CISOs have told VentureBeat they need enhanced fraud prevention modeling apps and tools that are more intuitive than the current generation, as they're onboarding more fraud prevention analysts today in response to growing threats.
How AI Is Helping To Stop Identity Fraud
Reducing false positives that alienate real customers while identifying and stopping synthetic identities from defrauding a business is a challenge. Each identity-based artificial intelligence (AI) provider is taking a different approach to the problem, yet all share the common attributes of relying on decades of data to train models and assigning trust scores by a transaction. Leading vendors include Experian, Ikata, Kount, LexisNexis Risk Solutions, Telesign, and others.
For example, Telesign relies on over 2,200 digital attributes and creates insights based on approximately 5 billion unique phone numbers, over 15 years of historical data patterns, and supporting analytics. In addition, their risk assessment model combines structured and unstructured machine learning to provide a risk assessment score in milliseconds, verifying whether a new account is legitimate or not.
Providing fraud prevention analysts with more informed insights and more effective tools for creating constraint-based rules for identifying potential identity fraud risks needs to happen. Enabling more real-time data across a global basis of transactions will also help.
The goal is to better train supervised machine learning algorithms to identify anomalies not visible with existing fraud detection techniques while supplementing them with unsupervised machine learning exploring data for new patterns. Combining supervised and unsupervised machine learning in the same AI platform differentiates the most advanced vendors in this market. The following are five ways AI is helping to detect and prevent growing identity fraud:
Core zero trust concepts are the table stakes of any effective fraud prevention strategy, starting with multifactor authentication, selectively applying AI and machine learning to the most complex challenges, and digital identity verification. Source: Telesign, 2022 State of fraud and prevention strategies.
Telesign’s approach is differentiated in its reliance on the combination of phone number velocity, traffic patterns, fraud database consortiums, and phone data attributes. Its scoring methodology also evaluates identity signals, looking for any potential anomalies that could indicate a synthetic identity. The system automatically “learns” based on data patterns discovered using predictive analytics and supervised and unsupervised machine learning algorithms. The following graphic explains the workflow:
Telesign relies on a unique methodology to identify potential fraud attempts by various variables that indicate abnormal behavior and usage patterns of telephone numbers and the devices they are being used on, along with over 2,200 variables. Source: Telesign.
Real-time telemetry data is key
Synthetic identities are just the beginning to show how ingenious attackers will get trying to steal identities and defraud businesses and governments for billions of dollars yearly. Too much implicit trust in fraud prevention systems is like a door left open to a bank vault with all the contents freely available. Removing implicit trust using data can only go so far. Enterprises need to tighten up their tech stacks and eradicate any implicit trust at all, and that step alone, along with getting a few high-profile zero trust wins starting with MFA and identity access management, along with privileged access management.