LIBF_logo.svg
close.svg
Share page
Share on LinkedinShare on TwitterShare on Facebook
LIBF logo
open.svg
back_to_top_arrow.svgright_arrow.svgleft_arrow.svg
Access the FW archive here
Follow us
Data protection
© The London Institute of Banking & Finance 2023 - All rights reserved
I-Say
Technology column
Imaginary people, real fraud
Birch_online_identity_fraud_new.jpg
David Birch examines the growing scourge of synthetic identity fraud and shows how technology such as digital wallets can help firms foil these ‘Frankenfraudsters’
Fraud is the number one reported crime in the UK. It is out of control. According to the National Crime Agency, there were 3.7m incidents of fraud in England and Wales in the year ending December 2022. But it’s estimated that this is just 14% of the iceberg thanks to underreporting.
While there are many different kinds of fraud, synthetic identity fraud (or ‘Frankenstein fraud’ as the more excitable members of the identity services community label it) is of particular interest. What is Frankenstein fraud? The US Government Accountability Office (GAO) definition is straightforward: “Synthetic identity fraud (SIF) is a crime in which perpetrators combine real and/or fictitious information…to create identities with which they may defraud financial institutions, government agencies or individuals.”
This Frankenfraud has overtaken credit card fraud and identity theft as the fastest-growing form of fraud – and you can see why. It’s easy, it’s cheap, the chances of getting caught are very low and it’s a worldwide problem. Management consultants McKinsey reckon that Frankenfraud is the fastest growing financial crime in the US and is already responsible for 15% of charge-offs in typical unsecured lending portfolios.
We are at the point where the Financial Conduct Authority (FCA) is now warning that scammers pretending to be the FCA are on the rise, with nearly 8,000 cases of people pretending to be the FCA being reported so far this year.
Before you assume that this is down to a few boiler-rooms using automated calling, you should know that a GBG survey earlier this year found that almost 9m people in the UK had used someone else’s identity, used a fraudulently obtained identity or used an entirely fake identity. A third of people in the 16-24 age group had committed identity fraud to gain access to goods, services or credit. Interestingly, it’s the well-off who are the worst offenders. A quarter of the £45,000-plus per annum group report using fraudulent IDs compared with only a sixth of people who earn less than £15,000.
But people using their brother’s passport to buy alcohol for themselves online is one thing, synthetic identity fraud is another. That has criminal intent and it is fraud at scale. Organised crime gangs create thousands of identities and use them to exploit tens of thousands of ‘opportunities’ not only in banking but insurance, telecommunications, travel and elsewhere. These Frankenfraudsters are good at it, too. They create identities optimised to evade detection with the result that fewer than one in 20 of their persona will trigger alerts – and so the looting goes on.
Take insurance, for example. The recent Lexis-Nexis research report, ‘Surge in Synthetic ID and Al Fraud Threatens UK Insurance’, tells a sorry tale. The reason for the surge is that online applications make it easier for fraudsters to create and exploit synthetic identities. In fact, insurers report a ‘considerable’ risk that, as fraudsters join the artificial intelligence revolution in financial services, and use bots to generate large numbers of synthetic identities, they will flood the insurance market with fake accounts. The result will be staggering losses across all sectors.
The reason for the surge is that online applications make it easier for fraudsters to create synthetic identities

Take care

So what can be done? You already know what the answer is, and so do I, and so does the industry and so does the government. We need digital identity. We need population-scale digital identity and we need it now.
Across the water, the EU has four large-scale EU Digital Identity Wallet pilot projects running and intends to provide 450m citizens with a live wallet next year, giving them the ability to store digital identity credentials, including their national ID, driving licence, qualifications and bank details in a smartphone app or in the cloud.
I would think one interesting use of such a Euro Wallet would be to establish whether or not it was a real person applying for a loan, never mind who they actually were.
Meanwhile in the UK, not doing anything about digital identity is now the responsibility of the Department for Science, Innovation and Technology. It is neither making digital identities nor making them mandatory. Instead, it is developing standards within a digital identity and attributes trust framework’ that will “enable innovative private-sector solutions to protect privacy, boost security and enable greater accessibility, all while growing the economy by saving people and businesses time and money”.
Incidentally, establishing the right to work in the UK is one of the first-use cases to be enabled by the government, but when I recently had to prove my right to work in the UK to an institution, it was unable to accept digital credentials. I had to send a scan of my passport, which is now presumably in the extensive files of some scammer gang somewhere.
Automation is the key and, if implemented properly, it can make the login quick, simple and easy

What to do?

Until such time as we have a Euro Wallet or a UK Identity Framework, businesses would be well-advised to implement a two-stage onboarding process for online accounts – that is a scale solution to a scale problem.
Stage 1: Is the identity being presented authentic? That is, is the passport or driving licence presented real or fake? Is there corroborating data to support this identity in public records or private databases (eg the bank’s own customer records). As GBG, a fraud prevention company, points out, it is not just the presence of accounts containing that identity that is important but their nature. It notes, for instance, that an identity that only has connections to utility and mail order accounts is more likely to be a synthetic identity with a fraudster behind it.
Stage 2: Is this person presenting the identity the person identified in Stage 1? Here’s where we have seen advances in recent years. Who hasn’t been asked to scan their driving licence and then hold their face in front of their webcam to open an ISA or whatever?
As Mike Engle, Chief Security Officer at 1Kosmos, an identity verification company, pointed out on Forbes, while the processes required to defeat synthetic identity fraud can seem complicated, they can be automated to be quicker than traditional onboarding. What’s more, when they are implemented properly, these processes can make the login simple and easy. Remember that while many see biometrics as a security technology, to consumers they are a convenience.
It is automation that is key, therefore. To give one example, Thomson Reuters partners with Israeli identity verification company Au10tix (full disclosure: I am an adviser to Au10tix), which makes use of biometrics to link physical and digital identities. Exploring the latest technology, it takes less than 10 seconds to check a government identity document and a user-initiated selfie for authenticity – with ‘liveness testing’ to make sure it’s a person and not at a portrait in front of the webcam – using hundreds of different data points and forgery tests.
Artificial people are no longer the preserve of science-fiction. Fortunately, the technologies to detect whether they are real are evolving rapidly.
David Birch
David G W Birch is an author, adviser and commentator on digital financial services. An internationally recognised thought leader in digital money and digital identity, his most recent book was The Currency Cold War, an exploration of digital currencies.