TL;DR: Synthetic identities are built from real and fabricated data, can pass onboarding for months or years, and then bust out at scale, according to SumSub’s conversation with fraud investigator Steve Lenderman. The threat now spans fintech, payroll, government programmes, and AI-assisted fraud, which means identity controls must move beyond static verification to behavioural detection and lifecycle scrutiny.
NHIMG editorial — based on content published by SumSub: What happens when a fraudster does not steal an identity but builds one from scratch?
By the numbers:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: How should organisations detect synthetic identities after onboarding?
A: They should treat onboarding as the start of verification, not the end.
Q: Why do synthetic identities cause such large losses?
A: They cause large losses because they are built to earn trust before they are used.
Q: What do security teams get wrong about synthetic identity fraud?
A: They often assume fraud can be solved at account creation.
Practitioner guidance
- Add lifecycle re-validation after onboarding: require periodic legitimacy checks for accounts that have passed initial proofing, with higher scrutiny for dormant, low-activity, or newly activated identities that suddenly change behaviour.
- Correlate device, behaviour, and relationship signals: use behavioural intelligence to detect shared device fingerprints, repeated application attributes, and unusual timing between account age and the first high-value action, across customers or beneficiaries rather than one account at a time.
- Create bust-out detection thresholds: flag accounts that stay quiet and then rapidly increase transaction volume, funding, or benefit claims after a long period of apparent normality, comparing the recent burst against the account's own baseline.
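The three points above describe one post-onboarding triage procedure. The following is an added example, not SumSub's or NHIMG's code, that runs that procedure over a constructed event log: a periodic-review check keyed on account age, a dormancy-then-reactivation check, a bust-out check that compares value moved in the last week against the account's own 90-day baseline, and a shared-device correlation across accounts. The event schema, the thresholds (7-day window, 90-day baseline, 5x burst ratio, 60-day dormancy, 180-day review interval) and the three sample accounts are assumptions chosen for illustration.

```python
"""Post-onboarding triage: periodic review, dormancy-then-activity, bust-out
and shared-device checks over a constructed event log.

Added example; not SumSub's or NHIMG's code. The event schema, the thresholds
and the sample accounts below are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

VALUE_KINDS = {"deposit", "credit_draw", "payout"}  # events that move value
AS_OF = date(2024, 9, 30)                            # date the triage is run


@dataclass(frozen=True)
class Event:
    account: str
    day: date
    kind: str      # "login" or one of VALUE_KINDS
    amount: float  # 0.0 for logins
    device: str    # device fingerprint id (assumed stable per physical device)


# Constructed sample data: acct_a is a matured sleeper that busts out, acct_b
# is a steady customer, acct_c is a new account that shares a device with acct_a.
EVENTS = [
    Event("acct_a", date(2024, 1, 5), "login", 0.0, "dev_1"),
    *[Event("acct_a", date(2024, m, 5), "login", 0.0, "dev_1") for m in range(2, 7)],
    Event("acct_a", date(2024, 7, 3), "deposit", 25.0, "dev_1"),
    Event("acct_a", date(2024, 9, 25), "login", 0.0, "dev_1"),
    Event("acct_a", date(2024, 9, 26), "credit_draw", 4000.0, "dev_1"),
    Event("acct_a", date(2024, 9, 27), "credit_draw", 4500.0, "dev_1"),
    Event("acct_a", date(2024, 9, 28), "payout", 3800.0, "dev_1"),
    *[Event("acct_b", d, "deposit", 300.0, "dev_2") for d in (
        date(2024, 7, 1), date(2024, 7, 15), date(2024, 8, 1),
        date(2024, 8, 15), date(2024, 9, 1), date(2024, 9, 15))],
    Event("acct_b", date(2024, 9, 27), "deposit", 600.0, "dev_2"),
    Event("acct_c", date(2024, 8, 20), "login", 0.0, "dev_3"),
    Event("acct_c", date(2024, 9, 10), "login", 0.0, "dev_1"),
    Event("acct_c", date(2024, 9, 28), "deposit", 100.0, "dev_3"),
]


def bust_out_check(events, account, as_of, window_days=7, baseline_days=90,
                   ratio=5.0, min_recent=500.0):
    """Compare value moved in the last `window_days` with the average weekly
    value over the preceding `baseline_days`. A near-zero baseline followed by a
    burst is the bust-out shape; `min_recent` stops tiny accounts tripping the
    ratio test on trivial amounts."""
    recent_start = as_of - timedelta(days=window_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    recent = baseline = 0.0
    for e in events:
        if e.account != account or e.kind not in VALUE_KINDS:
            continue
        if recent_start < e.day <= as_of:
            recent += e.amount
        elif baseline_start < e.day <= recent_start:
            baseline += e.amount
    weekly = baseline * 7 / baseline_days
    burst_ratio = recent / weekly if weekly else float("inf")
    return {"recent": recent, "baseline_weekly": round(weekly, 2),
            "flag": recent >= min_recent and burst_ratio >= ratio}


def dormancy_gap(events, account, as_of, window_days=7):
    """Days between the last event before the recent window and the first event
    inside it; None when the account has no recent activity to compare."""
    recent_start = as_of - timedelta(days=window_days)
    days = sorted(e.day for e in events if e.account == account)
    before = [d for d in days if d <= recent_start]
    after = [d for d in days if recent_start < d <= as_of]
    if not before or not after:
        return None
    return (after[0] - before[-1]).days


def shared_devices(events, min_accounts=2):
    """Device fingerprints seen on `min_accounts` or more distinct accounts."""
    seen = defaultdict(set)
    for e in events:
        seen[e.device].add(e.account)
    return {d: sorted(a) for d, a in seen.items() if len(a) >= min_accounts}


def triage(events, as_of, review_every=180, dormant_days=60):
    """Map each account to the reasons it should be re-validated; accounts with
    no reason are left out."""
    reasons = defaultdict(list)
    accounts = {e.account for e in events}
    opened = {a: min(e.day for e in events if e.account == a) for a in accounts}
    shared = shared_devices(events)
    for a in sorted(accounts):
        if (as_of - opened[a]).days >= review_every:
            reasons[a].append("periodic_review")
        gap = dormancy_gap(events, a, as_of)
        if gap is not None and gap >= dormant_days:
            reasons[a].append("dormant_reactivation")
        if bust_out_check(events, a, as_of)["flag"]:
            reasons[a].append("bust_out")
        if any(a in accts for accts in shared.values()):
            reasons[a].append("shared_device")
    return dict(reasons)


if __name__ == "__main__":
    for account, why in triage(EVENTS, AS_OF).items():
        print(account, why)
```

On this data acct_a is flagged on all four counts (269 days old, 84 quiet days before its burst, 12,300 moved in a week against a 90-day baseline of 25, and a device shared with acct_c), acct_c is flagged only for the shared device, and acct_b, whose 600 deposit is under five times its 140-per-week baseline, is not flagged at all. The bust-out test deliberately uses the account's own history as the baseline: a synthetic identity that has spent months looking normal is exactly the case where a population-wide threshold would not fire.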
What's in the full article
SumSub's full article covers the interview detail this post intentionally leaves for the source:
- Steve Lenderman's investigative perspective on how synthetic identities are assembled and matured over time
- Discussion of bot-generated identities, AI-assisted fraud, sleeper accounts, bust-out schemes, and synthetic businesses
- The article's cross-sector examples across fintech, payroll, and government programmes
- The collaboration and behavioural-intelligence themes that practitioners can use to shape detection strategy
👉 Read SumSub's conversation on synthetic identities, bust-out fraud, and AI-assisted abuse →
Synthetic identities: what they mean for IAM and fraud teams
Explore further
Synthetic identity fraud is an identity governance failure, not just a fraud-control failure. The core problem is that programmes often treat onboarding as a binary decision instead of the first checkpoint in a longer trust lifecycle. Once an identity is accepted, many controls assume the subject remains the same as the one originally verified. That assumption breaks when the identity is synthetic and intentionally designed to mature into legitimacy. The implication is that identity assurance must be maintained across the full account lifecycle, not only at creation.
A few things that frame the scale (both figures concern non-human identities and secrets rather than synthetic customer identities, but they show how weakly identities are governed after they are created):
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the affected organisation is notified, a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own synthetic identity risk in an organisation?
A: Ownership should be shared across IAM, fraud, risk, and operations because the problem crosses onboarding, access, and transaction stages. When only one team owns it, the organisation misses the identity signals that appear in other systems and loses the chance to stop abuse before the bust-out stage.
👉 Read our full editorial: Synthetic identities expose the gap in modern identity controls