Synthetic Identity Theft: All You Need to Know

Stephanie Faris
Dolores Bernal
December 4, 2023
scammer in front of laptop

Credit: Sora Shimazaki

He was living it up…on stolen money.

During the pandemic, the government distributed money through the Paycheck Protection Program, also known as “PPP.” The funds were designed to help small businesses continue to pay their employees during the upheaval caused by COVID-19.

Wanting to grab his share of the PPP money, a New York man reinstated a business that had been inactive since 2018. He landed almost $1 million from the U.S. government.

The money was never used for business. With a partner, the man bought two vehicles, spa services, clothing, restaurant meals, and gym memberships.

How did he get the money? He used a combination of fake and real information. It was his Social Security number and contact information, but he combined it with fake payroll reports and tax forms. The money was wired to a business account that was controlled by him.

This type of fraud has become so common, it has a name: synthetic identity theft. With synthetic identity theft, a scammer uses a combination of stolen and legitimate information to commit fraud.

It’s a complex crime that has become increasingly common and is important to learn what it is and how to protect yourself.

What Is Synthetic Identity Theft?

The term “synthetic identity theft” refers to a type of fraud that combines fake and real information.

Synthetic identity theft is a mix-and-match sort of crime. 

Here are some examples:

  • Scammers combine a stolen Social Security number with their own name, date of birth, and contact information.
  • Scammers who combine a stolen Social Security number with fake information, or a combination of real and fake information.
  • Scammers who make everything up, including the Social Security number.

Synthetic identity theft is nothing new

Before the Internet, fraudsters would commit the crime in person. The Internet has made identity theft easier though. On the dark web, criminals can pay for Social Security numbers, as well as bank account information and credit card numbers.

In some cases, a person who commits synthetic identity theft has good intentions. A person with bad credit might use fake information to get a credit card or a loan to make a big purchase. That person may have full intentions of repaying the debt. The goal is simply to be able to qualify for the loan.

Who Does Synthetic Identity Theft Hurt?

When I first heard of synthetic identity theft, I assumed it was a problem that couldn’t affect me directly. Someone defrauding the government hurts all of us, of course, but it won’t destroy my credit or empty my bank account.

Or, will it?

As it turns out, this type of identity theft can hit us directly and indirectly.

Let’s take a look at how synthetic identity theft can impact our credit score, finances, and personal safety.

1. Victims of Social Security Number Theft

In March 2023, a cybersecurity attack affected thousands of residents in the nation’s capital.

The breach came through DC Health Link, the health insurance marketplace for those living and working in the Washington, DC area. Personal information was leaked, and affected consumers have now been invited to sign up for three free years of credit monitoring services.

Those victims aren’t alone.

There were 344 healthcare data breaches in 2022, making it one of the top targets for hackers. Healthcare providers often use Social Security numbers as identifiers. 

Another top target? Financial services. Since Social Security numbers are used to run credit checks, this also puts your number at risk.

The problem with these data breaches is that often the numbers aren’t used right away. They’re added to a database that then can be accessed by scammers, intent on applying for credit or getting medical care.

Your Social Security number is attached to your credit score, so a stolen number means your credit could be at risk. As someone uses your number, credit bureaus start to see something called a “fragmented file,” which is attached to your main credit history. Someone else may have used your Social Security number, but the negative activities still affect you, even if that person didn’t use your name.

The good news is that you aren’t responsible for fraudulent or criminal activity conducted using your stolen information, whether it’s your Social Security number, name, financial data, or some other personal identifier.

The bad news is that the activity could create a mess that you spend years sorting out. And, since information is often stolen through data breaches, it can happen to all of us. In fact, our Social Security number could be circulating on the dark web at this very moment.

Related: How to Find Out if Your Data is on the Dark Web

a hand in keyboard

Credit: Soumil Kumar

2. Victims of Child Synthetic ID Theft

You aren’t the only one facing a synthetic identity theft risk. If you have children, they can become victims too. Yes, your child, who doesn’t even need a credit score yet, may be racking up negative credit report entries.

Children’s Social Security numbers are prime targets for identity thieves, with one study finding that one in 50 children have been impacted. Children are typically given a Social Security number at birth, and that number will probably remain dormant until they need it for a job or apply for a college loan.

In other words, they aren’t using it, so identity theft is less likely to be noticed.

In this type of fraud, synthetic identity thieves use a child’s Social Security number to get credit, apply for benefits, commit crimes, and more. It could take years for a child to learn about the activity, at which point it may be tough to get a job, apply for student loans, or get that all-too-important first apartment.

How do thieves get access to children’s information? Here are a few ways:

  • Physical Social Security card theft: Parents might carry the card around in a purse or wallet, but get stolen. A thief could also intercept the card from your trash or steal it from your house during a burglary.
  • Physical record theft: Your child’s information is printed on paperwork in a variety of locations. If those records are somehow intercepted, your child could later become a synthetic identity fraud victim.
  • Digital school records: Your child’s school system likely has information stored on servers that could eventually be hacked. The data could also be stolen by an employee or student who can physically access the information somehow.
  • Digital medical records: Names, dates of birth, contact information, and Social Security numbers are often collected for medical purposes. These could be intercepted by rogue employees or hackers.

The above isn’t an exhaustive list. The truth is, any time you input your child’s information into a form, there’s a risk that a scammer might later access it.

Related: Child Identity Theft: Risks, Prevention, And Consequences

3. Victims of Deceased Synthetic ID Fraud

As it turns out, we’re not only at risk while we’re alive, but our identities can be stolen after we’re gone.

How better to get away with identity theft than to steal the information of someone who’s no longer alive? The person no longer needs a good credit score, after all.

There’s one database that has all that valuable information. It’s called the Death Master File, and it’s used by businesses and government agencies to verify that a Social Security number isn’t assigned to someone reported as deceased.

Unfortunately, the list isn’t foolproof. For one, it can take time for a death to be reported. Also, not every organization checks the list. Lastly, someone has to report the person as deceased. If that doesn’t happen, the Social Security number may never show as “deceased” on that list.

How do criminals get the information in the first place? It might be right there in the obituary. Often, information like names, mother’s maiden names, birthplaces and dates of birth, and city and state of residence can be lifted straight from the local newspaper.

Social media is another prime resource. Those legacy social media pages can be a treasure trove of personal details. A scammer could even trace a person’s mother’s maiden name and birthplace based on comments on someone’s social media tribute page.

What about Social Security numbers? Easy. Long after we’re gone, our Social Security numbers will remain on medical records, with past employers, schools, and government records. A hacker might even choose to steal only the Social Security numbers of those who have been marked as deceased in the system.

4. Impacted Customers of Victims

As financial and medical fraud grows, it’s important to look at the indirect effects it has on all of us.

Say someone uses a combination of fake and real information to steal money from your bank. Your bank loses hundreds of thousands of dollars in the incident. In turn, that lender has to absorb the loss.

You, the bank customer, suffer as a result. It may just be that fraud prevention measures are tightened, forcing you to jump through more hoops if you want to take out a loan or withdraw a large sum of money. Over time, though, banks can’t operate in the red. You might see a long-term increase in fees or reduction of perks because of fraud that had nothing to do with you.

a woman is worried in front of laptop

Credit: Andrea Piacquadio

5. Business and Government Identity Theft Victims

The COVID-19 pandemic created several programs to help taxpayers and businesses. While the programs helped people, they also opened the door to fraud. In fact, an estimated $60 billion or more was stolen in the process.

However, government fraud isn’t limited to special programs like COVID relief.

Synthetic identity theft can be used to apply for unemployment benefits, SNAP (food stamps), Medicare, and any other program that requests your Social Security number.

Taxes pay for these benefits, which means when someone steals money, it comes right out of those budgets. Over time, taxes may increase, which takes more money out of your paycheck.

If you apply for government programs, you may see stricter fraud measures. It could mean more hoops to jump through to apply for the benefits you need.

Synthetic vs. Traditional

There are plenty of similarities between synthetic and traditional identity theft. They both involved fraudsters using stolen records for personal gain. However, there are some distinct differences between the two types. Here are some of the most important things that separate them.

1. Information Used

With traditional identity theft, multiple pieces of information are stolen from the same person. Your name and Social Security number might be used to secure credit, for instance.

The synthetic version of that combines real and fictitious information to create a new identity. Your Social Security number may be combined with a made-up name, for instance. This version doesn’t target one person in particular.

2. Time to Discovery

Any type of identity theft can take time to come to light. Your information may be stolen this year, only for it to be used years from now. In the meantime, it can exist on lists that are circulated on the dark web.

But synthetic identity theft can lurk in the background for years. A fraudster may test the waters, making small purchases that fly under the radar.

If an identity thief uses a deceased person or child’s stolen information, it may take even longer. The activity won’t show up on a credit report or as unusual activity on an account.

You’ll notice your identity has been stolen when you get a fraud alert from your bank or apply for credit. You may get a strange piece of communication in the mail relating to a tax refund you didn’t receive or a delinquent bill for something you never purchased.

3. Perception of Responsibility

There is one way synthetic identity theft can be easier to take. If a piece of your identity is combined with other information to commit a crime, you’ll be more easily let off the hook. It’s much clearer, right away, that you weren’t involved. If it was your name and someone else’s Social Security number, for instance, it’s hard to point the finger at you.

With traditional identity theft, you might initially be assumed to be at fault. You may also have a harder time disputing entries on your credit report. 

Now that we’ve taken a look at what synthetic identity theft is and how it can be used, it’s time to look at what we can do to prevent it.

How Can You Reduce Your Risk of Identity Risk?

Synthetic identity thieves usually grab your information without you even realizing it. The information may be for sale on the dark web after a security breach. The fraudster may be an experienced hacker who can get the information firsthand.

Whatever the case, there are things you can do to reduce your risks. Here are a few to consider.

1. Safeguard Your Social Security Number

When was the last time you gave your Social Security number?

Just last week, I had to call the bank about something. The customer service representative gave two options for verifying my identity: account number or Social Security number. Even though I’d called the number, I decided to give the less dangerous of those two options, my bank account number.

When someone wants your Social Security number, ask if it’s necessary. This goes for your children, too. The Federal Trade Commission recommends asking questions of anyone who demands your child’s Social Security number:

  • Why do you need it? 
  • How will you keep it secure? 
  • Is there another option? 
  • Can you just give the last four digits?

2. Protect Your Electronics

You can’t control which servers might be hacked. All you can do is hope the businesses and government agencies that collect your data will keep it safe.

You can control your own devices, though. 

Hackers sometimes operate by collecting information from individual devices infected with malware. How does that software get on your device? Often it comes from phishing links you click and files you download.

First, be careful when clicking on links in emails and messages. The same goes for files attached to messages.

Second, invest in malware protection. I don’t click on links in messages, but occasionally, my software alerts me that I’ve clicked on a page from search results that may be infected. Malware and virus detection and protection tools do work.

Third, protect your Wi-Fi network. Make sure that the lock is visible next to your router on the list. When traveling, avoid inputting sensitive data or visiting financial sites on public Wi-Fi. If you’re a road warrior, a VPN can help keep your information safe.

3. Consider Identity Theft Protection

Every time I hear about a big cyberattack, I panic, especially if it’s a business that might have my information on file.

Identity theft protection helps me sleep a little better at night. I use Aura.

Aura not only covers costs if your identity is compromised, but you’ll also get alerts when something’s fishy with your credit. This can help you take action quickly to prevent further damage.

4. Protect Deceased Loved Ones

When someone dies, the stress of making arrangements can cause tasks to slip through the cracks, but there are some things you can do to protect your loved one’s identity.

The first is to keep sensitive information out of the obituary. If you turn your loved one’s social media presence into a legacy account, scroll through and remove anything that could be used to apply for credit such as the mother’s maiden name, birthdate, and birthplace are especially valuable to synthetic identity thieves.

Safeguard Your Child’s Identity

Take measures to limit those who have your child’s Social Security card. Tuck the card away for safekeeping and only take it out when you absolutely need to. If you ever dispose of paperwork that has your child’s information on it, shred it first.

Social media can provide a research source for identity thieves. Avoid posting details publicly online like your child’s name, date of birth, or birthplace. If you want to share such information, lock your profile down so that only people you know in real life can see it.


Credit: Pixabay

What to Do If You’ve Been Victim?

So you’ve found out one or more of your credentials has been used for fraud. What next?

It’s important to take action quickly to avoid further damage. The steps below can help get you started.

1. Change Passwords

Did the identity thief gain access to one or more of your online accounts? Even if this isn’t the case, changing your password can’t hurt.

2. Contact Your Bank

If you believe your bank account might be impacted by synthetic identity fraud, get in touch with customer service as soon as possible. Gather as many details as you can. Your lender should be able to walk you through the next steps.

3. File an FTC Report

Social Security numbers often get caught up in synthetic identity fraud. If your Social Security number was stolen, you’ll want to report it as soon as possible.

The best place to file a fraud report is The site is set up to walk you through the steps of reporting the fraud and starting the recovery process. This includes contacting affected companies, placing a fraud alert and requesting a copy of your credit report, alerting the FTC of the incident, and filing a police report, if applicable.

Synthetic identity theft is yet another way scammers are using personal information to commit fraud. While it might not hit individual consumers as directly as traditional identity theft, it has long-lasting repercussions on governments and businesses, as well as the people who rely on the products and services they offer. It’s important to take measures to reduce your risk to prevent identity theft from impacting you.

Related Article About Identity Theft: Identity Thief Movie Review