What Is Synthetic Identity Theft? (and How To Protect Yourself)

Would You Know If You Were the Victim of Synthetic ID Fraud?

Michael Smith is 31, has a birthday in August, and lives in a single-family home in Houston. He’s also not a real person.

Instead, “Michael” is one of the millions of fake (or “synthetic”) identities that scammers have used to scam businesses, banks, and individuals out of billions of dollars [*]. 

Also known as "Frankenstein fraud," synthetic identity theft occurs when fraudsters combine stolen personal information and fake details to create new identities. Unfortunately, your sensitive information — even your Social Security number (SSN) — is likely already compromised.

In June 2022, the Federal Bureau of Investigation (FBI) shut down an illicit online marketplace that had 24 million stolen SSNs for sale [*].

Synthetic identity theft is difficult for investigators to untangle. Even worse, many victims don't even realize they’ve been targeted until it's too late. 

In this guide, we’ll explain how synthetic identity theft happens, how to tell if you’re a victim, and what to do to protect yourself.

{{show-toc}}

What Is Synthetic Identity Theft? 

Synthetic identity theft is a type of fraud in which criminals create a false identity by combining fake details with valid personally identifiable information (PII) stolen from several real victims. 

Fraudsters tend to use two different methods to create synthetic identities:

1. Manipulated synthetic identities are based on real people. Fraudsters make changes to a stolen SSN and hide any evidence of poor credit history. However, authorities can often detect these scams, as the identities fail in validity checks. 
2. Manufactured synthetic identities combine valid data assembled from multiple identities. Fraudsters piece together elements of PII from several real people to create a "Frankenstein" identity, which is more complicated for investigators to detect. 

In both cases, the end goal is to create a “new” fake identity that can be used to build real credit and run up debts. Criminals use synthetic identity theft to make fraudulent purchases and conduct various cons — including financial fraud, employment fraud, and credit repair scams.

How Do Scammers Create Synthetic Identities?

• First, criminals steal or access your personal information. Fraudsters can find your sensitive information — like your date of birth, full name, and address — through phishing emails, dumpster diving, or hacking your phone number. Identity thieves can even buy your information on the Dark Web after a data breach. 
• Identity thieves use your information to create a “new” identity. In synthetic identity theft, criminals often pair your real SSN with fake information — like a different name, address, and phone number. 
• The scammer uses this new fake identity to apply for a credit card or loan. The fraudster knows that the application will be rejected because there’s no credit history — but this step creates an official credit profile of a person that doesn’t exist. 
• Then, scammers “piggyback” on legitimate credit accounts. With the official authentication, scammers can now steal someone else’s credit card information and add the synthetic identity as an authorized user on that person’s account. 
• Next, the scammers establish a positive credit history. Once authorized on a real account, the fraudster builds a legitimate credit score. Scammers can also secure loans from high-risk lenders who don't run background checks to uncover the bogus identities. As the synthetic identity develops a good credit history, it can get credit card accounts and fraudulent loans with higher limits. 
• Eventually, the fraudsters “bust out” the fake credit limit. The end game of synthetic identity theft is to get a reputation as a trusted borrower to qualify for huge credit limits. At that point, the fraudsters take out all the money at once and vanish. 

Once the scammers max out the credit limits on the fake identity, they might play the victim. By claiming they were defrauded, the thieves can double the stolen funds.

✅ Is your sensitive information available to scammers on the Dark Web? Use Aura’s free Dark Web scanner to see if you’re at risk of synthetic identity theft.

Who Is Most at Risk of Synthetic Identity Theft?

If scammers use your SSN to file fake tax returns or unlawfully gain government benefits, you could be left with debt.

However, there are a few particularly vulnerable targets at greater risk of synthetic identity theft:

• Children: Many parents don’t actively monitor their children’s SSNs or credit. Because a minor has a clean record and pristine credit history, scammers can create synthetic identities with stolen SSNs from children — and remain undetected for years. Often, the perpetrator of child identity theft is a parent or family member. 
• Seniors: Many older Americans don't keep a close watch on their credit reports or bank accounts, especially if they aren't tech-savvy. After a data breach, scammers can use the PII of many wealthy older people to assemble synthetic identities.
• Deceased people: In their schemes for illicit gain, scammers aren’t beyond exploiting grieving family members. When someone dies, the family members may not report the death immediately. In a scam known as ghosting, fraudsters exploit a loophole in the social security system — by using SSNs that have no date of death recorded.
• Banks: In any synthetic identity theft racket, the goal is to max out credit lines, which makes banks, credit unions, and other financial services prime targets. In 2021, 22 people were charged for using fake identities and bogus companies to defraud the government’s Payroll Protection Program out of $11 million [*]. 

The bottom line: Anyone can become a victim of synthetic identity theft. Through hacking, phishing, or other social engineering attacks, criminals can seize your sensitive information and exploit you, your family, and financial institutions. Once scammers have personal information, like your full name, address, and SSN, there’s a real risk you could fall victim to identity theft.

Synthetic Identity Theft vs. “True Name” Identity Theft

In traditional identity theft, also known as “true name” identity theft, the scammer maxes out the credit line quickly, alerting the victim to the fraud. By comparison, synthetic identity theft is more of a long-term play. 

Here are some key differences:

The Notre Dame Federal Credit Union lost around $200,000 in unpaid loans to this scheme. The chief risk and compliance officer, Brian Vitale, explained that by the time they figured out the borrowers weren't real people, it was already too late. 

The Federal Reserve claims synthetic identity fraud is the fastest-growing financial crime and costs online lenders $6 billion annually [*]. 

How To Protect Yourself Against Synthetic Identity Theft

1. Freeze your credit
2. Keep the SSNs of everyone in your family private
3. Regularly review your Social Security Statement
4. Lock your SSN using the DHS’s Self Lock
5. Don’t ignore mail about new accounts
6. Scan the Dark Web to see what personal information has been leaked
7. Secure your devices against hackers
8. Learn to spot the signs of a phishing attack
9. Use Safe Browsing tools
10. Consider signing up for identity theft protection

Here are 10 actionable steps to proactively protect yourself against synthetic identity theft:

1. Freeze your credit with all three credit bureaus 

Ultimately, all identity theft is about financial gain. If you detect any warning signs of financial fraud, acting fast can stop scammers before they open new accounts or get loans in your name. The best way to protect yourself is to freeze your credit with the three major credit reporting agencies — Experian, Equifax, and TransUnion. 

How to freeze your credit:

Contact each of the three major credit bureaus individually. You’ll need to provide proof of your identity to initiate the freeze. Next, the bureau will give you a PIN to use when you want to freeze and unfreeze your accounts. 

Here’s how to contact each of the three major credit bureaus: 

2. Keep the SSNs of everyone in your family private

Protecting your personally identifiable information (PPI) is the key to avoiding synthetic identity theft — and there’s nothing more valuable than your SSN. Many child victims of identity theft know the perpetrator, as the thief is often an older family member or guardian. Make sure you keep all SSNs secret.

Here’s what to do:

• Store your Social Security card in a safe place, like a locked safe. 
• Shred or black out any documents that include your SSN, and make sure you don’t leave mail lying around the house for anyone to find. 
• Guard your SSN. Some authorities, such as employers and healthcare institutions, have legitimate needs to know your SSN. But you should be cautious about sharing this information with others unless they have a good reason for requesting it.

💡 Related: How To Protect Your Child From Identity Theft →

3. Regularly review your Social Security Statement

If a scammer uses a synthetic identity to get a job, their income might appear on your Social Security Statement. With a proactive approach to reviewing this information regularly, you can quickly spot any red flags. 

Here’s what to do:

• File a "Request For Social Security Statement" to get your Social Security Statement by mail. This request is Form SSA-7004, which you must print and complete. 
• Mail your request to the address on the form. You should receive your paper Social Security Statement in the mail in four to six weeks. If you want to access the statement quickly, you can view it online by creating an account at www.ssa.gov/myaccount.
• Study your statement to make sure the income aligns with your expectations. If there are any discrepancies, contact the Social Security Administration at 1 (800) 772-1213.

4. Lock your SSN using the DHS’s Self Lock

If someone is unlawfully using your SSN for employment, you can use the Self Lock feature to place a block on your SSN for one year (or until you choose to unlock it again). The Department of Homeland Security (DHS) created this feature to help people tackle employment-related fraud. 

Here’s what to do:

• Visit the myE-Verify website and follow the prompts to create an account. You will get an email from myE-Verify to start the application. 
• After you create the account, complete the short Identity Proofing quiz. 
• Open the myE-Verify dashboard. Scroll down and select “Manage my SSN” and then “Lock My SSN.” 
• Set your Self Lock challenge questions. Then select “Lock My SSN.” You can unlock your SSN by answering your challenge questions and selecting “Unlock my SSN.”

💡 Related: What To Do If Someone Has Your Social Security Number →

5. Don’t ignore strange mail about new accounts or credit card offers

One of the most common warning signs of identity theft is receiving letters or phone calls about new bank accounts, loans, or credit cards. If you get unexpected mail or calls linked to a different name, someone could be running synthetic identity theft scams using your details. 

Here’s what to do:

• Contact your bank or card issuer immediately. Tell them you might be a target of identity fraud. 
• Block or cancel your cards, and consider a credit freeze to stop the scammers from opening new accounts in your name.
• Order your free credit reports from the three bureaus. You can download a free copy from each of the three major credit reporting agencies at AnnualCreditReport.com.

6. Scan the Dark Web to see what personal information has been leaked

With the sheer amount of data breaches that have happened in recent years, criminals can now buy stolen SSNs on the Dark Web for as little as $2 [*]. 

In order to stay safe, you need to know your personal data exposure on the Dark Web. Specialized tools called Dark Web scanners and Dark Web monitoring tools can scan millions of known Dark Web forums and marketplaces for your sensitive information.

Here’s what to do:

• Use Aura's free Dark Web scanner. This tool checks if your personal information was exposed during a data breach.
• Enter the email address you use most frequently when creating online accounts.
• View your free personal report. You’ll see if there is any exposed information and get recommendations for protection.

💡 Related: Have I Been Hacked? How To Recognize (and Recover From) a Hack →

7. Secure your devices against hackers by using antivirus

Hackers use malicious programs to infiltrate your devices and hard drives, scanning for private information to steal. Maintaining a robust security posture and good cyber hygiene is crucial to defending against malware, ransomware, and trojans. 

Here’s what to do:

• Install antivirus software and run regular scans to protect against existing vulnerabilities, and to detect new cybersecurity attacks in real-time.
• Always scan external drives like USBs for viruses before you open any files. You can do this by right-clicking the drive icon and selecting the scan option.
• Ensure you keep all software up to date with the latest security patches released by the software providers. 

8. Learn to spot the signs of a phishing attack

Scammers use phishing tactics to impersonate reputable organizations in emails (or smishing texts) to steal your personal information — such as login credentials, banking information, or credit card numbers. Over 300,000 Americans fall victim to these attacks every year [*]. 

Here’s how to spot a phishing scam:

• Unsolicited contact about an unfamiliar issue. If you get an unexpected email about an account issue or problem with an order that you don’t remember making, consider this a red flag. 
• Strange domain name or sender address. Often, scammers spoof the sender's name with a slightly different spelling than the genuine company. For example, you might get an email from “amazon.xyz” instead of from the official “amazon.com” domain. 
• Urgency in the message. Fraudsters try to elicit fear in their victims to coerce them into acting quickly without taking time to think. No genuine bank or reputable organization will use scare tactics to pressure you.
• Suspicious links. Almost all phishing scams include links in emails or text messages. Don’t click on these, as they will lead to bogus websites or may install malware on your computer. 

💡 Learn More: How To Tell If An Email Is From a Scammer [With Examples] →

9. Use Safe Browsing tools to protect you from fake websites

Without the right precautions, you risk disclosing your personal information every time you access the internet — especially if you use public Wi-Fi. Any time you open your banking app or shop online, a hacker could be snooping, ready to steal your information. Adopt a mindset of safe browsing to keep your devices and identity safe from fraudsters.

Here’s what to do:

• Use a virtual private network (VPN). By hiding your IP address, you can keep your browsing habits and data safe from hackers, advertisers, and government agencies.
• Store your login credentials in a reliable password manager. This application helps you create and store unique, complex passwords for every online account. 
• Set Parental controls on your family's computers and children's devices. These measures will limit your children's screen time and reduce the chance of them falling prey to predators and fraud. 

10. Consider signing up for identity theft protection with SSN monitoring

An identity theft protection service monitors critical aspects of your identity, including your financial accounts, phone number, and Social Security number. 

With a reliable service, you can receive rapid alerts about suspicious activity. For example, if fraudsters use your SSN to open a new bank account in your name, you'll be alerted in time to stop the thieves in their tracks.  

Here’s what to do:

• Research the best identity theft protection companies.
• Look for a robust solution that offers SSN and Dark Web monitoring, and fast alerts.
• Choose a service that provides support to help you recover your identity and finances if you become a victim of identity theft.

Is Someone Using Your SSN for Synthetic Identity Fraud? Do This

As synthetic identity theft comprises fake details and a mixture of stolen pieces of personal information, the main risk is if a criminal uses your SSN. 

If you believe you might be a victim of synthetic identity theft, here are five steps to help you recover:

1. Check if your SSN is being used. Visit the SSA’s Statement request page and sign in using your my Social Security account. Review your Statement to make sure there are no inaccuracies. 
2. Review your credit report for any unfamiliar activity — like new accounts, hard inquiries you didn’t request, and incorrect information. You can download a free copy of your credit report from each of the three major credit reporting agencies by visiting AnnualCreditReport.com.
3. Report the fraud. After reviewing your Social Security Statement and credit reports, and making notes about suspicious activity, you can contact the fraud hotline of The Office of Inspector General (OIG) at 1-800-269-0271 or submit a report online at oig.ssa.gov. You can also file a police report with local law enforcement. 
4. File an identity theft affidavit with the Federal Trade Commission (FTC). If you’ve discovered evidence of ID theft on your credit file, this critical step helps you get reimbursed for debts that you didn’t accrue. Visit IdentityTheft.gov to complete the form. The FTC will provide a personalized recovery plan to help you. 
5. Dispute transactions with impacted companies. Call the fraud department of any company where your SSN was fraudulently used to explain the situation and request charges to be reversed. You can share your FTC affidavit and police report to support your claims. Follow up and keep checking your credit reports until all fraudulent records and credit losses have been rectified. 

💡 Free Template: How To Write a Credit Dispute Letter →

Don’t Become a Part of Someone’s Frankenstein ID

If you fall prey to synthetic identity theft, the fraudsters could destroy your credit score and financial reputation. Recovering from this type of identity theft can take months or even years. With Aura, you can proactively protect yourself and your family against identity thieves. 

With Aura, you get 24/7 credit monitoring, Dark Web monitoring, and near real-time credit alerts to notify you of any suspicious activity on your accounts. You can browse, shop, and bank online safely knowing you have the protection of a VPN, antivirus software, and a password manager. 

And in the worst-case scenario, every adult Aura plan member is covered by a $1 million insurance policy for eligible losses due to identity theft. Aura’s experienced White Glove Fraud Resolution team will help you secure your accounts and get your life back on track.

Stay safe — online and in the real world. Try Aura free for 14 days →