What Are First Party Fraud, Third Party Fraud, and Synthetic Identity Fraud?

Defeating identify fraud begins with understanding it, and the differences between first, third, and synthetic identity fraud constitute foundational fraud knowledge.

A significant majority of online crime involves some kind of impersonation or false representation. By pretending to be someone other than who they are, or by obfuscating their intentions, fraudsters are able to steal information, resources, and money.

Masking Fraudulent Intentions

Successful obfuscation of fraudulent intentions requires presenting a trustworthy front. While a fraudster’s end goal may be theft, they need to convince their target that their intentions are genuine and legitimate. Often this requires the intentional build-up of a flag-free digital footprint — good credit history, no defaults, regular income, and more.

Malicious Impersonation

Successful impersonation generally requires illicitly obtained personal information — the more information a fraudster has at their disposal, the more likely they are to successfully pull off their deceptions. For example, if a bad actor knows your name and nothing else, it’s not likely they’ll be able to take out a loan in your name. However, if they also know your street address, email address, phone number, place of birth, and social security number, the chances are much higher they’ll succeed.

Methods for Stealing PII Data

Information of this kind (commonly referred to as PII, or Personally Identifiable Information) can be obtained through all sorts of illicit methods, including phishing, malicious web scraping, and via data breaches. Procuring PII data is its own field of crime, and it’s part of a self-sustaining fraud ecosystem in which stolen data is used in fraud attacks, many of which result in more data being stolen, which in turn powers new attacks.

First Party Fraud, Third Party Fraud, and Synthetic Identity Fraud are categories of attack types that share a common goal, but differ in methodology.

First Party Fraud

First Party Fraud is so-named because it involves a bad actor essentially representing themselves AS themselves — in the first-person, as it were. As with the other types of fraud we’re discussing, misrepresentation is still the key to the attack, but in the case of First Party Fraud, the fraudster is not misrepresenting who they are, but rather, they’re being deceptive about their information, and their intentions.

For example, a fraudster might apply for a loan they do not intend to pay back, or get a much more favorable interest rate by lying about their financial situation. Alternatively, they may obtain a new credit card with the intention of maxing it out and never paying it back. Fraud attacks of this nature are sometimes combined and executed simultaneously. This is called Bust-Out Fraud. An example of Bust-Out Fraud might involve a fraudster opening up dozens of new credit card accounts, using them appropriately over time to build up good reputations for the accounts, then suddenly maxing them all out at once and disappearing without paying them off. At the end of 2018, four individuals were arrested in Los Angeles for Bust-Out Fraud:

“The 22-count indictment alleges a bust-out scheme in which the defendants obtained credit cards — sometimes under their real names, but often with synthetic identities created with a combination of real and fictitious information — that were run up to the credit limit. Members of the scheme then allegedly “paid down” by submitting payments from accounts with insufficient funds or through fake accounts to restore the credit line, which allowed them to make additional purchases.”

Third Party Fraud

Third Party Fraud differs from First Party Fraud in that what the fraudster misrepresents is who they are. Third Party Fraud occurs when a malicious actor uses another person’s personal details to open new accounts or take over existing ones, without the knowledge of the individual whose information is being used. This is sometimes referred to as “true identity fraud,” because, while the identity is indeed stolen, it is stolen in complete form; that is to say, the fraudster is directly impersonating a single, real individual.

Third Party Fraud is often used to perpetrate another type of attack known as Application Fraud:

“Application fraud is where a bad actor uses a stolen or synthetic ID to apply for a loan or line of credit with no intention of paying back the lender. The fraudster gradually builds authentic-looking credit and account activity to gain access to more loans and higher lines of credit.”

The increasing rate and scale of data breaches is fueling more Third Party Fraud than ever before, as is the rise of mobile banking, which opens up new vulnerabilities for fraudsters to exploit. Loan Stacking (applying for multiple loans simultaneously with no intention of paying them back) is just one example of a new fraud type that has emerged in the wake of finance continuing to move online:

“The growing availability of instant credit approval from financial institutions has allowed consumers and fraudsters alike numerous opportunities for loan stacking. Financial institutions are losing billions of dollars every year because of loan stacking by fraudsters and legitimate borrowers. Large, organized crime rings often orchestrate loan stacking schemes that aim for huge payouts from banks.”

Synthetic Identity Fraud

Synthetic Identity Fraud (SIF) is a form of identity theft in which a fraudster either creates an identity comprised of personal information from multiple real people, or an identity that uses a combination of real and fake personal information. The key distinction is that the resulting identity is not an actual person — rather, it is a composite, built from numerous sources. Synthetic Identity Fraud is uniquely damaging; a 2018 report by Aite group “found that U.S. credit-card accounts lost $820 million in 2018 to SIF, and losses are projected to climb to $1.25 billion by 2020.”

Fraudsters use a range of techniques to build legitimacy for these fake accounts. One way they do so is to include high-value information such as social security card numbers, which can be purchased illegally on the dark web. These bad actors will often also incubate their accounts over long periods, in order to build up authentic-seeming customer histories. The more legitimate they can make the account seem, the more damage they’ll ultimately be able to cause. Bots have exacerbated the problem of SIF significantly, enabling fraudsters to execute these attacks at massive scale:

“Fraudsters use bots to automatically create hundreds, often thousands, of credit applications all at once through digital channels. Fraudsters also use bots to emulate the behavior of legitimate borrowers which makes the fraudulent credit accounts hard to detect.”

One of many problems associated with Synthetic Identity Fraud is that of misclassification. Alex Niu, Director of Solution Engineering at DataVisor, detailed this issue in an article titled Synthetic Identity Theft: When Credit Risk is Not Credit Risk:

“Lenders and financial organizations lose billions of dollars every year to synthetic identity theft (also known as synthetic identity fraud), and most are unaware of it. That’s because many of these organizations don’t have the tools necessary to detect and prevent synthetic identity theft. Instead, synthetic identity fraud is often misclassified as credit risk.”

A July 2019 report from the Federal Reserve noted that synthetic identity fraud cost U.S. lenders $6 billion in 2016 alone.

Conclusion

All types of identity fraud are difficult to detect, particularly when accounts and users are viewed in isolation. Modern fraudsters have become increasingly adept at disguising their intentions, obfuscating their actions, and impersonating legitimacy. It is often virtually impossible to determine the authenticity of a given account without context. Fortunately, we have the technology today to successfully detect and prevent first, third, and synthetic identity fraud. We can take a holistic approach to data analysis in order to surface coordinated groups of malicious applicants, and by assessing diverse arrays of signals — behavior patterns, cross-account linkages, and digital fingerprint components such as IP subnets, device IDs, user agents, and more — we can expose these fraudulent activities early, at the application stage. In so doing, we can prevent downstream damage.