TL;DR: Synthetic identity fraud combines stolen personal data with fabricated details, fake IDs and controlled phone numbers to bypass onboarding checks, then uses fraudulent accounts for credit, purchases and laundering, according to Transmit Security. Legacy validation alone is not enough because confidence now depends on layered proofing, data validation and decisioning.
At a glance
What this is: An analysis of synthetic identity fraud and why layered identity proofing plus data validation is needed to detect fraudulent onboarding.
Why it matters: IAM, CIAM and fraud teams must treat onboarding as an identity assurance problem, not just a form-filling problem, across human identity and downstream account risk.
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Context
Synthetic identity fraud is a form of onboarding abuse where criminals blend real personal data with invented details to look legitimate. The problem for identity teams is that basic validation can confirm individual data points without proving that the person, device and contact methods belong together.
For IAM and CIAM programmes, this is a governance failure as much as a detection failure. If onboarding controls only check whether fields are populated or whether an ID image looks plausible, they will miss the combined pattern that synthetic identity fraud is designed to exploit.
Key questions
Q: How should security teams reduce synthetic identity fraud in customer onboarding?
A: Security teams should combine document proofing, data validation, device intelligence and reputation checks in a single onboarding policy. The goal is to confirm that identity attributes belong together, not just that each field looks plausible. High-risk or conflicting cases should trigger step-up verification or manual review before account creation is allowed.
Q: Why do basic validation checks fail against synthetic identities?
A: Basic checks fail because synthetic identities are built from enough real data to look credible while the attacker controls the missing pieces. A valid SSN, name or phone number can pass isolated tests even when the overall identity is false. Effective controls compare relationships across attributes, not just attribute presence or format.
Q: When should organisations require document-based identity proofing?
A: Organisations should require document-based proofing when the business impact of a bad account is high, when KYC rules apply, or when validation results are mixed. It is most useful as a step-up control after passive checks raise doubt, because it adds stronger evidence without forcing every user through the same friction.
Q: What should fraud teams do when identity validation sources disagree?
A: Fraud teams should not auto-approve or auto-reject solely on disagreement. They should use a decision layer that weighs the signals, applies policy by risk tier and routes unresolved cases to review. Discrepancies are often the strongest indicator that the identity is synthetic or partially controlled by the attacker.
Technical breakdown
Why synthetic identities evade basic identity validation
Synthetic identity fraud works because individual attributes can appear valid even when the identity as a whole is fabricated. A real SSN, real name and real date of birth can pass simple checks if the address, phone number and device are controlled by the attacker. That creates a false sense of confidence when validation is performed field by field rather than as a linked identity set. The problem worsens when businesses rely on static rules or single-source lookups that do not reconcile conflicts across data sources.
Practical implication: treat onboarding as an entity-resolution problem, not a form-completion problem.
How identity proofing and data validation work together
Identity proofing checks the document and the person, while data validation checks whether the identity data and contact channels make sense in the background. Proofing can catch forged documents, image tampering and liveness failures, while validation can detect mismatches in name, address, email, phone and device reputation. Used together, they create a layered decision model that can pass low-risk users without extra friction and escalate suspicious cases for stronger verification. This is why neither control should be treated as a standalone answer.
Practical implication: design step-up flows that escalate only when risk signals cross a defined threshold.
Why orchestration and decisioning matter in fraud controls
Fraud controls fail when checks are bolted together without a decision layer that can reconcile conflicting results. Orchestration allows the business to choose which sources to call, in what order and how to resolve discrepancies when one check is positive and another is negative. Native decisioning turns those signals into a consistent policy instead of a manual review queue. That matters because synthetic identity fraud adapts quickly, and the control stack has to adapt with it rather than wait for an analyst to interpret each exception.
Practical implication: centralise onboarding decisions so validation, proofing and review rules are applied consistently.
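The following Python sketch is an added example, not code from Transmit Security or NHI Mgmt Group. It contrasts a field-by-field check with a central decision that counts coherence conflicts and returns pass, step-up or review. The signal names, the threshold and the two sample applicants are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy values for illustration; tune them against your own data.
STEP_UP_THRESHOLD = 2                    # conflicts that trigger document proofing
RISKY_LINE_TYPES = {"prepaid", "virtual"}

@dataclass
class Signals:
    ssn_valid: bool                      # attribute-level checks
    name_dob_match: bool
    phone_reachable: bool
    phone_linked_to_name: bool           # relationship-level checks
    address_linked_to_name: bool
    phone_line_type: str                 # "postpaid", "prepaid" or "virtual"
    device_reputation: str               # "good", "unknown" or "bad"
    document_proofed: Optional[bool] = None  # None = proofing not yet run

def field_by_field(s: Signals) -> str:
    """Legacy check: every attribute is judged in isolation."""
    ok = s.ssn_valid and s.name_dob_match and s.phone_reachable
    return "pass" if ok else "reject"

def coherence_conflicts(s: Signals) -> list:
    """List the ways the attributes fail to belong together."""
    conflicts = []
    if not s.phone_linked_to_name:
        conflicts.append("phone_not_linked")
    if not s.address_linked_to_name:
        conflicts.append("address_not_linked")
    if s.phone_line_type in RISKY_LINE_TYPES:
        conflicts.append("risky_line_type")
    if s.device_reputation != "good":
        conflicts.append("device_" + s.device_reputation)
    return conflicts

def decide(s: Signals) -> str:
    """Central decision: pass, step_up (document proofing) or review."""
    if field_by_field(s) == "reject":
        return "review"                  # no auto-reject on a single failed source
    if len(coherence_conflicts(s)) < STEP_UP_THRESHOLD:
        return "pass"                    # low risk: no extra friction
    # Conflicts that remain after proofing are unresolved disagreement.
    return "step_up" if s.document_proofed is None else "review"

# Constructed applicants: same valid attributes, different coherence.
GENUINE = Signals(True, True, True, True, True, "postpaid", "good")
SYNTHETIC = Signals(True, True, True, False, False, "virtual", "unknown")
```

Both applicants pass `field_by_field`, but `decide` sends the constructed synthetic profile to step-up and, if proofing returns while the conflicts remain, on to review.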
Threat narrative
Attacker objective: The attacker’s objective is to create a trusted-looking account that can be monetised before the fraud is detected.
- Entry occurs when the attacker combines stolen personal data with fake contact details and a controlled phone number to satisfy initial onboarding checks.
- Credential and account access follow when the synthetic identity passes identity proofing or data validation enough to create a legitimate-looking account.
- Impact occurs when the fraudulent account is used for stolen-card purchases, new credit lines, laundering or other financial abuse.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
NHI Mgmt Group analysis
Identity proofing alone does not solve synthetic identity fraud: The attack succeeds because a document can look legitimate while the surrounding identity is still fabricated. That means the governance problem is not simply whether an ID image is authentic, but whether the full identity profile is internally consistent across data, device and contact channels. Practitioners should treat proofing as one control in a broader trust decision, not as the trust decision itself.
Data validation becomes brittle when it is not paired with proofing: A real SSN or phone number can still belong to a synthetic construct if the relationships between identity attributes are attacker-controlled. The failure mode is attribute-level confidence without identity-level assurance, which is exactly where legacy onboarding workflows break down. The implication is that programmes need to evaluate identity coherence, not just attribute validity.
Native decisioning is the operational difference between checking and governing: Fraud programmes that stitch together disconnected tools often produce inconsistent outcomes and manual exceptions that attackers can exploit. A decision layer is what turns multiple signals into a repeatable policy, especially when validation sources disagree. Practitioners should view orchestration as a governance capability, not just a workflow convenience.
Synthetic identity fraud exposes a trust-boundary gap in CIAM: Onboarding is often treated as a one-time verification event, but the fraud lifecycle continues after account creation. Once a fraudulent identity is admitted, downstream controls inherit the false trust signal and can be bypassed by otherwise normal account behaviour. The practical conclusion is that CIAM must be built to separate initial access from ongoing trust.
Layered onboarding controls reduce fraud only when the layers are actually independent: If document checks, data checks and reputation checks all rely on the same weak assumptions, they fail together. The better model is to combine different evidence types so one control can catch what another misses. Identity teams should design for complementary evidence, not duplicated confidence.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Our research also shows: 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- If you are extending this analysis into delegated access and workload trust, start with Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
What this signals
Synthetic identity fraud is a reminder that trust decisions fail when programmes treat identity as a set of fields instead of a relationship model: The practical signal for IAM and CIAM teams is that onboarding policy now needs to evaluate coherence across document, device and contact data in one flow. For teams formalising identity assurance, the NIST SP 800-63 Digital Identity Guidelines remain the most relevant external reference for assurance thinking.
Identity proofing and data validation should be separated operationally, even when they are delivered together: That separation lets teams tune friction to risk and prevents one weak signal from dominating the decision. Organisations that have not yet built a central decision layer should expect higher manual review rates and inconsistent customer outcomes as fraud tactics adapt.
With 79% of organisations having experienced secrets leaks, identity programmes are already living with trust deficits elsewhere, according to our Ultimate Guide to NHIs: the lesson carries into customer onboarding, where confidence has to be earned through layered evidence rather than assumed from the first check. The named concept here is identity coherence scoring: the practice of judging whether identity signals belong to one real person or a synthetic construct, and it is becoming essential to modern CIAM.
For practitioners
- Implement layered onboarding decisions: Use identity proofing, data validation and reputation checks as distinct evidence sources, then define when a case can pass, step up or move to review.
- Reconcile conflicting identity signals centrally: Route mismatched name, phone, device and address results through a single decision service so exceptions are handled consistently instead of ad hoc.
- Add step-up verification for high-risk enrollments: Require stronger proofing when validation is mixed, when device intelligence is suspicious or when the applicant profile matches a fraud pattern.
- Review onboarding rules for synthetic patterns: Test whether your controls can detect real data combined with fabricated contact details, prepaid phones, virtual numbers and spoofed identifiers.
Key takeaways
- Synthetic identity fraud defeats isolated checks by blending real personal data with fabricated identity elements.
- Layered proofing, validation and decisioning are needed because a believable attribute set is not the same as a trustworthy identity.
- Fraud teams should design onboarding policies around identity coherence, step-up verification and centralized exception handling.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | Assurance levels and proofing are directly relevant to synthetic identity onboarding. |
| NIST CSF 2.0 | PR.AA-1 | Identity verification and access assurance align with identity and authentication controls. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust assumes strong identity proofing before trust is extended. |
Map onboarding controls to identity assurance outcomes and test them against fraud scenarios.
Key terms
- Synthetic Identity Fraud: Synthetic identity fraud is the creation of a fake identity by combining real personal data with invented or attacker-controlled attributes. The result can look legitimate enough to pass weak onboarding checks, which is why the attack often succeeds before the business realises the identity is false.
- Identity Proofing: Identity proofing is the process of verifying that a person and their identity document are authentic and belong together. In practice, it uses document analysis, biometric matching and liveness detection to reduce the chance that a forged or manipulated identity is admitted during onboarding.
- Data Validation: Data validation checks whether the identity data a user submits is accurate, consistent and strongly associated with the claimed identity. It is usually performed in the background and works best when multiple sources are reconciled instead of being treated as independent yes-or-no tests.
- Identity Orchestration: Identity orchestration is the policy and workflow layer that coordinates multiple verification signals into one decision. It matters because fraud controls fail when evidence is scattered across systems and no single rule set decides whether to pass, step up or review an applicant.
This post draws on content published by Transmit Security: synthetic identity fraud, identity proofing and data validation. Read the original.
Published by the NHIMG editorial team on 2025-12-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org