In recent years, identity fraud has been researched and quantified possibly more than any other societal issue. However, all measurements of identity fraud have, to date, relied on victim accounts, whether recorded by Gartner or Javelin in consumer surveys or as reported to the Federal Trade Commission.
Victim reports, however, account for only a small portion of all identity fraud — 10 percent to 15 percent, based on our research at ID Analytics. That type of identity fraud, where a consumer’s personal information is stolen and used to perpetrate financial fraud, is what we call “true name identity theft.”
While “true name identity theft” is a very real problem, the reality is that the majority of identity fraud is never reported by consumers because consumers are never directly victimized.
This classification is what we call “synthetic identity fraud,” and it accounts for 80 to 85 percent of all identity fraud. Synthetic identity fraud is when a fraudster creates, or synthesizes an identity using a combination of real and false identity elements — say, a false name, my Social Security number, and the address and mobile phone number of the fraudster himself.
With synthetic identity fraud, there’s no consumer victim to say “that’s not me.” Meanwhile, the fraudster continues to open new accounts and have credit cards, mobile phones and other goods sent to his address. As you can imagine, this type of identity fraud is much harder to detect.
Armed with this knowledge based on prior research into true-name vs. synthetic identity fraud, ID Analytics set out to measure identity fraud rates by geography, all the way down to the five-digit zip code level.
This research, which was the first ever to be based on actual and attempted frauds rather than on consumer victim reports, revealed results that were both expected and surprising.
First, some definitions: What do we mean by “actual and attempted frauds?” The data in this research was drawn from ID Analytics ID Network, an identity fraud prevention system that gives visibility into fraudulent patterns of behavior using sophisticated analytics.
The ID Network comprises three billion identity elements — including names, addresses, Social Security numbers and phone numbers — which are contributed in real time, by organizations spanning multiple industries, for the sole purpose of preventing identity fraud.
The data is drawn from a variety of sources including applications for credit, debit and new accounts. Fraudulent applications are tagged as such. Applications in this analysis were submitted to credit granters from January 2005 through June 2006.
In our data study, fraud rates were calculated based on the total number of reported identity frauds divided by the number of applications; as a result, the population density was scaled out, enabling comparisons among areas with differing populations.
So what did we learn about those populations? Not surprisingly, identity fraud rates were highest in major metropolitan areas, namely New York, Detroit and Los Angeles. What was surprising however was identity fraud is also high in some less populated cities like Little Rock, Ark. and Springfield, Ill.
Top Ten Areas
When examined at a 3-digit zip code level, the ten metropolitan areas with the highest identity fraud rates are:
- 1. New York, N.Y.
- 2. Detroit, Mich.
- 3. Los Angeles, Calif.
- 4. Little Rock, Ark.
- 5. Greenville, Miss.
- 6. Atlanta, Ga.
- 7. Phoenix, Ariz.
- 8. Portland, Ore.
- 9. Dallas, Texas
- 10. Springfield, Ill.
Identity fraud in cities is relatively easy to explain. When large populations of people live together in close quarters, it’s easier to access and steal personal information, usually out of mailboxes, or at busy places of work, from file cabinets, databases and the like.
It might seem harder to explain high rates of identity fraud in less populated areas. We don’t think so. This is where our previous research on synthetic identity fraud became especially relevant.
The addresses on the fraudulent applications in our recent research may have belonged to the victims of the identity fraud if the perpetrator were to use the complete and accurate identity information of the victim.
However, we believe the majority of the addresses were associated with the perpetrators of the fraud using synthetic identities of real and false identity elements. While the applications included real addresses for the purposes of verification and receipt of credit cards and goods, the addresses may have been residences, places of work or any other physical location where fraudsters could conveniently receive the tools and plunder of their trade.
In other words, a hardworking fraudster sitting comfortably in Little Rock could well be committing hundreds of frauds using synthetic identities. Because the citizens of Little Rock aren’t being defrauded, no one is filing reports with the police.
The victims in this case are the businesses themselves — the companies issuing the fraudster credit cards, mobile phones, and the companies selling merchandise that he purchases with his new credit. These transactions are typically not face-to-face for good reason. They’re typically online. They’re often e-commerce transactions.
The other explanation for higher identity fraud rates in these lower populated areas is that multiple identity criminals are actually operating in an organized manner. ID Analytics analyzed the data down to the 5-digit zip code level, giving precise visibility into concentrations of identity fraud, which may indicate fraud rings or some other criminal activity.
While some of the zip codes predictably included places like Queens, N.Y., and the south side of Chicago, the riskiest zip codes also included Merlin, Ore.; Lilesville, N.C.; and South Hill, Va.
It’s hard to say whether the overall rate of identity fraud is going up or down. Javelin Strategy and Research recently announced that identity fraud is dropping. Meanwhile, according to Gartner’s survey of 5,000 Americans, identity theft has increased more than 50 percent since 2003.
Regardless, identity fraud continues to have an impact on e-commerce business, especially given the “faceless” nature of the transactions, and especially given the high rates of synthetic identity fraud. The only way businesses can protect themselves is by taking steps to determine if customers are who they say they are before granting credit or opening new accounts.
Credit scores are no indication of whether customers are who they claim to be. Identity scores are. Fortunately, plenty of technologies are available today to help determine to a high degree of accuracy with whom you are doing business. Whether that person is sitting in New York or Springfield, Ill., shouldn’t matter.
Stephen Coggeshall, PhD, is chief technology officer for ID Analytics, an identity risk management company based in San Diego, Calif.