4 min read
Synthetic Identity Attacks in Service Businesses
Fraud teams are increasingly contending with attacker efforts to establish and exploit synthetic identities within service businesses. This is not a theoretical exercise; it represents a significant, evolving threat vector that demands a robust, integrated defense strategy. The challenge lies not in understanding what a synthetic identity is, but in constructing a defense that spans organizational silos and withstands determined, adaptable adversaries.
Why Synthetic Identity Attacks in Service Businesses Matters Now
Twenty years ago, "identity and verification" was largely a quarterly compliance checkbox, relegated to back-office functions. Today, it is a daily, critical operational concern. The shift is driven by a confluence of factors: the prevalence of low-cost, high-efficacy attacker tooling, the proliferation of customer interaction channels, and increasing regulatory scrutiny. Organizations that delayed prioritizing identity fraud prevention are now significantly disadvantaged, a gap that continues to widen as generative AI democratizes credible impersonation. We observe this trend not just through incident reports, but in the growing volume of internal company searches for terms like "synthetic identity policy template" or "synthetic identity verification workflow"-a clear indicator of the urgent, hands-on work presently underway in many enterprises.
The Threat Pattern in Practice
There isn't a silver bullet for synthetic identity. Effective defense always involves a layered control strategy, each layer designed to incrementally increase the cost and complexity for the attacker. The objective is to elevate the "cost of attack" to a level where less resilient targets become more attractive. This principle is fundamental to cybersecurity writ large and holds equally true for protecting identity and verification workflows.
Examining field data, synthetic identity exploitation frequently surfaces in workflows originally designed for customer convenience. This includes account recovery paths (e.g., "forgot password"), manager overrides, after-hours processing, or any mechanism intended to streamline operations when standard procedures hit a snag. Adversaries, much like internal auditors, meticulously map these alternative paths, often identifying and exploiting them before internal teams fully grasp the exposure. The most reliable predictor of a successful attack isn't the sophistication of the attacker's technical toolkit, but rather the degree of friction they encounter once they have infiltrated a workflow. A low-friction bypass is an open invitation.
Consider the classic SIM swap: an attacker social engineers a mobile carrier to port a phone number to their control. This is often the precursor to an account takeover. Once they control the phone number, subsequent defenses like SMS-based OTPs become trivial to bypass. If the downstream service (e.g., a bank, an e-commerce platform) has a "self-service password reset" flow that relies on that compromised number, the synthetic identity (or the hijacked legitimate one) now has a clear path to transact. We've tracked instances where this initial SIM swap, achieved via a low-friction carrier support channel, eventually led to FNOL straight-through-processing abuse in insurance, unauthorized credit line increases, and even illicit crypto transfers. The initial point of compromise is rarely the point of profit.
Another common vector involves the abuse of initial onboarding for novel services. For instance, a new fintech offering rapid credit approval or a telecommunications provider with expedited device upgrade paths. Attackers construct synthetic profiles, often leveraging compromised PII from data breaches combined with fabricated elements, and then use these to open accounts. Early-stage verification processes, particularly those reliant solely on database checks, are often insufficient to flag sophisticated synthetics. The focus on customer acquisition speed frequently de-prioritizes robust identity proofing, making these early touchpoints highly attractive for establishing a beachhead.
What Effective Defense Looks Like
A key distinction in communications security, particularly regarding synthetic identity, is that controls directly intersect with customer experience. Introducing friction to a web login is a well-understood, generally accepted tradeoff. Imposing similar friction on a voice interaction, however, often elicits significantly more business resistance. Bridging this gap requires demonstrable data, which necessitates meticulous measurement and an ongoing program of work, not just a one-off project.
Our guidance to clients is concise: "raise the cost." Effective controls do not promise immunity from all attacks. Instead, they elevate the time, effort, and preparatory costs of a successful exploit to a point where the adversary logically shifts focus to easier targets. This logic mirrors successful security programs in other domains; its disciplined application is equally effective here.
For example, detecting an account takeover attempt triggered by a synthetic identity might involve a combination of: 1) ANI spoofing detection to flag calls originating from untrusted numbers but presenting as legitimate; 2) Voiceprint analysis to identify known fraudster voice patterns or inconsistencies with registered customer voiceprints; 3) OTP relay detection, where an attacker attempts to trick a legitimate customer into providing an OTP by acting as an intermediary; and 4) Behavioral biometrics during a web session to flag unusual navigation patterns. No single control is definitive, but the combined effect creates significant friction.
Consider an attack where a synthetic identity attempts to reset a password or initiate a sensitive transaction. A robust defense would, at minimum, incorporate: a) multi-factor authentication (MFA) that is _not_ reliant solely on SMS (e.g., app-based TOTP, FIDO2 tokens); b) out-of-band verification for high-value actions, such as a callback to a pre-registered, verified number; c) challenge questions that are not publicly discoverable (avoiding "mother's maiden name" type questions); and d) real-time risk scoring that evaluates the transaction's context, customer history, device ID, and IP address for anomalies. A successful prompt injection via system-message smuggling into an AI-powered chatbot used for customer service could also be a vector, allowing attackers to manipulate the bot into revealing sensitive information or bypassing identity checks, requiring strict input validation and sandboxing for AI interactions.
Practical Next Steps for Your Team
If your organization is building out a comprehensive defense program against synthetic identity, the starting point is typically a Communications Security Assessment. This assessment establishes the necessary baseline data for subsequent program development, identifying specific vulnerabilities and critical control gaps that drive prioritization.
As a more immediate, actionable step, we recommend a focused internal review: Map out the specific actions a single inbound interaction (e.g., a phone call, a chat session) can authorize within your most sensitive workflows. For each identified action, critically assess its resilience against a determined impersonation attempt. This exercise frequently uncovers a concise, high-impact list of changes that can be implemented rapidly, yielding significant security improvements without requiring substantial new investments.
What We Are Watching Next
In the coming quarters, we anticipate that the management of synthetic identity risk will continue its migration from solely the purview of security teams into broader operational, legal, and customer experience domains. This expansion of ownership is a positive development, indicating a maturing understanding of the threat. Proactive planning for this shift now will yield better outcomes than a reactive scramble later. We intend to continue publishing field observations as these patterns evolve.