TL;DR: Synthetic identity fraud combines stolen personal data with fabricated details, fake IDs and controlled phone numbers to bypass onboarding checks, then uses fraudulent accounts for credit, purchases and laundering, according to Transmit Security. Legacy validation alone is not enough because confidence now depends on layered proofing, data validation and decisioning.
NHIMG editorial — based on content published by Transmit Security: synthetic identity fraud, identity proofing and data validation
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should security teams reduce synthetic identity fraud in customer onboarding?
A: Security teams should combine document proofing, data validation, device intelligence and reputation checks in a single onboarding policy.
Q: Why do basic validation checks fail against synthetic identities?
A: Basic checks fail because synthetic identities are built from enough real data to look credible while the attacker controls the missing pieces.
Q: When should organisations require document-based identity proofing?
A: Organisations should require document-based proofing when the business impact of a bad account is high, when KYC rules apply, or when validation results are mixed.
Practitioner guidance
- Implement layered onboarding decisions. Use identity proofing, data validation and reputation checks as distinct evidence sources, then define when a case can pass, step up or move to review.
- Reconcile conflicting identity signals centrally. Route mismatched name, phone, device and address results through a single decision service so exceptions are handled consistently instead of ad hoc.
- Add step-up verification for high-risk enrollments. Require stronger proofing when validation is mixed, when device intelligence is suspicious or when the applicant profile matches a fraud pattern.
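One way to express the pass / step-up / review policy from the guidance above as a single decision service. This is an added example, not Transmit Security's code; the field names, reason strings and the exact rule ordering are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Decision(Enum):
    PASS = "pass"
    STEP_UP = "step_up"  # ask for document-based identity proofing
    REVIEW = "review"    # route to manual review

@dataclass
class Evidence:
    # Data validation per attribute: True = match, False = mismatch, None = no source data
    validation: Dict[str, Optional[bool]]
    device_suspicious: bool = False
    fraud_pattern_match: bool = False
    high_impact: bool = False            # high business impact or KYC applies
    doc_proofing: Optional[bool] = None  # None = not performed yet

def decide(ev: Evidence) -> Tuple[Decision, List[str]]:
    """Single decision point, so conflicting signals are always handled the same way.
    Rule ordering is an assumed policy, not taken from the source article."""
    matched = [k for k, v in ev.validation.items() if v is True]
    mismatched = [k for k, v in ev.validation.items() if v is False]
    reasons = [f"mismatch:{k}" for k in mismatched]
    if ev.device_suspicious:
        reasons.append("device_suspicious")
    if ev.fraud_pattern_match:
        reasons.append("fraud_pattern_match")
    if ev.high_impact:
        reasons.append("high_impact_or_kyc")
    if not matched:
        return Decision.REVIEW, reasons + ["no_attribute_validated"]
    if ev.doc_proofing is False:
        return Decision.REVIEW, reasons + ["doc_proofing_failed"]
    mixed = len(matched) < len(ev.validation)  # some attributes matched, others did not
    needs_proofing = mixed or ev.device_suspicious or ev.fraud_pattern_match or ev.high_impact
    if needs_proofing and ev.doc_proofing is None:
        return Decision.STEP_UP, reasons + ["doc_proofing_required"]
    # Proofing passed, but independent evidence sources still disagree: a human decides.
    if mismatched and (ev.device_suspicious or ev.fraud_pattern_match):
        return Decision.REVIEW, reasons + ["signals_conflict_after_proofing"]
    return Decision.PASS, reasons

if __name__ == "__main__":
    # Constructed applicant: real name and SSN validate, the phone number does not.
    print(decide(Evidence({"name": True, "ssn": True, "phone": False})))
```

Returning the reason list alongside the decision gives reviewers and audit logs the same record of which evidence source drove each outcome.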
What's in the full article
Transmit Security's full article covers the operational detail this post intentionally leaves for the source:
- The layered onboarding flow that combines identity proofing with data validation for different risk thresholds.
- The AI and machine learning methods used for document inspection, biometric matching and liveness detection.
- The operational checks for name, address, email, phone number, DoB and SSN validation across source data.
- The decisioning and orchestration approach for reconciling mixed or negative validation results.