Traditional identity theft is straightforward: someone steals your information and pretends to be you. But synthetic identity fraud is something different — and far more insidious. Instead of stealing a complete identity, criminals take a single real element (usually a Social Security number) and combine it with fabricated names, birth dates, and addresses to build an entirely new person from scratch.
This fabricated person does not exist. They have no real face, no real address history, no real employment. But they can open bank accounts, get credit cards, take out loans, and build years of credit history. When the criminal finally decides to cash out — maxing every credit line simultaneously and vanishing — there is no real victim to send the collection notice to. The SSN owner often has no idea their number was used.
Synthetic identity fraud is now the fastest-growing type of financial crime in the United States, costing lenders an estimated 6 billion dollars annually. Here is how it works, why it is so difficult to stop, and what you can do to protect yourself.
How Synthetic Identities Are Built
Creating a synthetic identity is a multi-step process that can take months or even years before the criminal sees a return. Understanding the process helps you recognize why traditional fraud detection fails against it.
Step 1: Acquire a Real SSN
The foundation of every synthetic identity is a real Social Security number. Criminals obtain these through:
- Data breaches: Billions of SSNs have been exposed in breaches over the past decade. SSNs from breaches that exposed names, DOBs, and SSNs are particularly valuable, but even SSNs alone are useful for synthetic fraud
- Dark web marketplaces: SSNs sell for 1 to 5 dollars on dark web markets. Children's SSNs command higher prices because they have no existing credit history to conflict with
- Targeted theft: Some criminals specifically target populations whose SSNs are least likely to be monitored
The ideal SSN for synthetic fraud belongs to someone who will not be applying for credit anytime soon:
- Children under 18: Their SSNs have no credit file, and fraud can go undetected for over a decade
- Elderly individuals: Especially those in long-term care facilities who are not opening new accounts
- Incarcerated individuals: Cannot monitor their credit while serving sentences
- Recent immigrants: May not understand the US credit system or know they should monitor their SSN
- Deceased individuals: Though the SSA Death Master File catches some of these, there are delays
Step 2: Construct the Fabricated Identity
The criminal pairs the real SSN with entirely made-up personal information:
- A fictitious name that does not match the SSN owner
- A fabricated date of birth (usually making the synthetic identity 25-45 years old, regardless of the real SSN holder's age)
- A real physical address (often a rented mailbox, vacant property, or an address where the criminal can receive mail)
- A burner phone number and dedicated email address
This combination is the key to why synthetic fraud evades detection. When a lender checks the SSN, it does not match any existing credit file exactly — the name and DOB are different from the real SSN holder's profile. The credit bureau creates a new, thin credit file for this apparently new consumer.
Step 3: Build Credit Systematically
The criminal now begins a patient credit-building campaign:
- Apply and get denied: The first credit application is almost always denied because the synthetic identity has no credit history. But the application itself creates a credit inquiry, which establishes the synthetic identity's credit file at the bureau
- Secured cards and authorized user piggybacking: The criminal opens a secured credit card (putting down a small deposit) or buys authorized user tradeline access on someone else's established account
- Small accounts with perfect payment history: Over 6 to 18 months, the criminal makes every payment on time, keeps utilization low, and gradually requests credit line increases
- Cross-bureau establishment: By applying at creditors that report to different bureaus, the criminal builds profiles at Equifax, Experian, and TransUnion
- Escalation: With 12-24 months of clean history, the synthetic identity now qualifies for unsecured credit cards, personal loans, and even auto loans with credit limits that can reach tens of thousands of dollars
Step 4: The Bust-Out
After months or years of building the synthetic identity's credit, the criminal executes the bust-out:
- Request credit line increases on all accounts simultaneously
- Open new accounts at as many lenders as possible in a compressed timeframe
- Max out every credit line — cash advances, purchases, balance transfers
- Convert everything possible to cash or cryptocurrency
- Abandon the identity entirely
A well-cultivated synthetic identity can generate 50,000 to 200,000 dollars or more in a single bust-out. Some organized fraud rings run dozens of synthetic identities simultaneously, each at different stages of the credit-building lifecycle.
Why Traditional Fraud Detection Fails
Synthetic identity fraud exploits several fundamental gaps in the financial system:
- Credit bureau file creation: When a credit application arrives with an SSN that matches no existing file, the bureaus create a new file rather than flagging the mismatch. This is by design — new consumers need to start credit files. But it also means synthetic identities get files created automatically
- No real-time SSN-name verification: Until recently, lenders had no way to verify that an SSN actually belongs to the name on the application in real time. The SSA's eCBSV system now offers this, but adoption is not universal
- No victim to complain: In traditional identity theft, the real person notices unauthorized accounts and raises an alarm. With synthetic fraud, the fabricated person does not exist, so no one complains until the creditor takes a loss
- Good payment behavior: During the credit-building phase, the synthetic identity behaves like a model consumer — on-time payments, low utilization, gradual growth. This is the opposite of what fraud detection systems look for
- Classification as credit loss: When a synthetic identity defaults, lenders often classify it as a regular charge-off rather than fraud. The Federal Reserve estimates that up to 20 percent of charge-off losses at some institutions may actually be synthetic identity fraud that was never identified as such
How This Affects Real People
Even though the synthetic identity uses a different name, the real SSN owner can still suffer consequences:
- Mixed credit files: Credit bureau data sometimes merges information from the synthetic identity into the real person's credit file, causing unexplained addresses, accounts, or inquiries to appear on your credit report
- SSA earnings confusion: If the synthetic identity is used for employment, the earnings get reported to the IRS under the real SSN, potentially triggering tax issues or affecting Social Security benefits calculations
- Application denials: When the real SSN owner applies for credit, the existing synthetic file (especially post-bust-out debts) can create confusion or outright denial
- Law enforcement complications: In rare cases, criminal activity conducted under the synthetic identity can create records associated with the real SSN
Children are especially vulnerable. A child whose SSN was used in a synthetic identity at age 3 may not discover the problem until they apply for their first student loan at 18 — by which time 15 years of fraudulent activity may be attached to their number.
The CPN Scam: Building Synthetic Identities in Plain Sight
Credit Privacy Numbers (CPNs) are marketed online as legitimate alternatives to your SSN for credit applications. In reality, CPNs are one of the primary tools used to facilitate synthetic identity fraud:
- CPNs are typically stolen SSNs (often from children, elderly, or deceased individuals) repackaged and sold as "legal" credit numbers
- Using a CPN on a credit application is federal fraud — you are misrepresenting your identity to a financial institution
- Companies selling CPNs often include "credit building" packages that are essentially synthetic identity fraud playbooks
- Some CPNs are actually ITINs (Individual Taxpayer Identification Numbers) that have been repurposed, which adds immigration fraud to the list of crimes
There is no legal alternative to your SSN for credit applications. Anyone selling CPNs is selling stolen numbers and coaching you through a federal crime. The FTC and Department of Justice have prosecuted both CPN sellers and buyers.
Protecting Yourself from Becoming an Unwitting Ingredient
Since synthetic fraud uses your SSN under a different name, your traditional defenses (credit monitoring, fraud alerts, credit freezes) are only partially effective. Here is what actually helps:
Monitor Your SSN Directly
- Check your SSA Statement annually: Go to ssa.gov/myaccount and review your earnings record. If employers you have never worked for appear, your SSN is being used for employment under a different name
- Use SSN-level monitoring: Some identity theft protection services monitor your SSN across multiple name-DOB combinations, not just your name. This is the most direct way to detect synthetic fraud. Aura, LifeLock, and Identity Guard all offer some form of this
- IRS Identity Protection PIN: Even though synthetic identities typically do not file taxes under your name, getting an IP PIN prevents any surprises
Protect Children's SSNs
- Freeze children's credit: All three bureaus allow you to freeze a minor's credit file. If no file exists, the freeze creates a protected file that prevents new accounts
- Check annually: Each year, check whether your child has a credit file at the three bureaus. Children should not have credit files unless something is wrong
- Guard the SSN card: Schools, sports leagues, and after-school programs do not need your child's SSN. Provide it only to medical providers, government agencies, and financial institutions
Respond to Mixed File Indicators
If you see any of these on your credit report, your SSN may be involved in a synthetic identity:
- Addresses where you have never lived
- Name variations you do not recognize (not just misspellings)
- Employer names you have never worked for
- Hard credit inquiries you did not initiate
- Accounts you do not recognize (even if they show as "closed" or "paid")
File a dispute with the credit bureau for any information that does not belong to you. Include a note requesting that the bureau verify the SSN-name-DOB combination for each disputed item.
How the Industry Is Fighting Back
The financial industry and government agencies are developing new tools to combat synthetic identity fraud:
- eCBSV (electronic Consent-Based SSN Verification): Launched by the SSA, this system allows lenders to verify that an SSN, name, and date of birth all match the SSA's records in real time. This directly targets the core vulnerability synthetic fraud exploits. However, adoption requires consumer consent and lender integration, both of which are still scaling
- AI and machine learning models: Some lenders are deploying models that analyze credit-building patterns for synthetic identity indicators — rapid credit-building from a thin file, specific application patterns, address clustering across seemingly unrelated identities
- Cross-institutional data sharing: Consortiums of lenders are sharing synthetic identity indicators to catch fraud rings operating across multiple institutions. The Early Warning Services network and similar initiatives flag suspicious patterns that individual lenders cannot see in isolation
- SSN randomization: Since 2011, the SSA has issued SSNs randomly rather than based on geography and group numbers. This makes it harder (but not impossible) for criminals to guess valid SSN ranges for specific demographics
The Bottom Line
Synthetic identity fraud is a fundamentally different threat than traditional identity theft, and it requires different defenses. You cannot protect yourself by monitoring only your own credit report under your own name — you need to monitor whether your SSN is being used under any name. Freeze your children's credit proactively, check your SSA earnings statement for phantom employers, and consider an identity theft protection service that specifically monitors for SSN-name mismatches. The industry is building better defenses, but until SSN verification becomes universal, your vigilance is your primary protection.
