Quick links: Breaking Election Invest Bitcoin Syria North Korea Startups Scandal
Wall Street Journal / Life - Entertain

The New ID Theft: Millions of Credit Applicants Who Don’t Exist

Synthetic-identity fraud is one of the fastest growing forms of identity theft—and the hardest to spot and combat. Scammers use phony names and unused Social Security numbers to secure debt, a crime that exposes a vulnerability in the U.S.’s credit-checking system. “It seemed too easy.”


By

Peter Rudegeair and

AnnaMaria Andriotis

196 COMMENTS

Keith Speers of the U.S. Postal Inspection Service tracked down a scammer who employed 300 phantom accomplices. Photo: Ryan Gibson for The Wall Street Journal

From a townhouse near a megachurch in Atlanta, Kelvin Lyles recruited about 300 accomplices to embark on a crime spree. His group scammed ATMs, internet retailers and credit-card companies, grabbing around $350,000, until late 2015, when federal agents closed in.

Mr. Lyles was the only one convicted. None of his accomplices existed.

In a twist on ID theft, criminals are deploying figments of their imaginations, in what is often called synthetic-identity fraud. It’s one of the fastest growing forms of identity crimes, the Justice Department says, and among the hardest to combat.

Because the person taking out cards or loans isn’t real, there are no consumer victims to alert lenders. When companies and law enforcement discover something amiss, they often wind up chasing ghosts. Mr. Lyles secured credit cards often using fictional names and numbers the Social Security Administration hadn’t yet assigned.

Synthetic-identity fraud exploits a vulnerability in America’s consumer-credit system. Lenders often consider a loan applicant legitimate if the applicant has a credit report at Equifax Inc., TransUnion or Experian PLC. But a new “credit file”—essentially a precursor to a credit report—often gets created when someone simply applies, even if the loan doesn’t come through.

How a Phantom Borrower Is Born

Fake

SSN

Loan

application

Scammer applies for loan using fake name and made-up Social Security number.

Rejected

application

Query to credit-reporting firm reveals no borrowing history. Applicant likely to be rejected.

Loan

application

Credit

file

Rejected

application

Query results in a new 'credit file,' a precursor to a credit report. Suddenly, a new identity has been born.

Loan

applications

Scammer applies for more loans, expanding credit file, giving lenders perception applicant is real.

Source: TransUnion

Some lenders approve loans after reviewing credit files, which helps turn those files into full credit reports. That’s how a fictitious person, or 300 fictional people, can end up with a credit card.

“When you see this type of scheme,” said Samir Kaushal, the assistant U.S. attorney who prosecuted Mr. Lyles, at a hearing, “one realizes how precarious our system actually is.”

While a small part of total identity-fraud losses—that number hit about $16.8 billion in 2017, according to consulting firm Javelin Strategy & Research—synthetic-identity losses are soaring.

TransUnion says a record $355 million in outstanding credit-card balances was owed by people who it suspects didn’t exist in 2017, up more than eightfold from 2012. It estimates lenders have issued credit cards or loans to millions of synthetic identities in the U.S.

In January, Accenture PLC listed synthetic-identity fraud as one of the biggest threats facing banks in 2018, saying it would be “costing banks billions of dollars and countless hours as they chase down people who don’t even exist.”

In Rock Hill, S.C., a 50-year-old man was arrested last year after applying under synthetic identities for more than 750 credit cards; he pleaded guilty. Earlier, a Southern California man pleaded guilty to conspiracy to commit bank fraud using synthetic identities, agreeing to forfeit properties in Los Angeles, West Hollywood and Santa Monica bought with the proceeds.

Shadow Boxing

Credit-card debt owed by borrowers who likely don't exist.

$400 million

300

200

100

0

’13

2012

’16

’14

’15

’17

Source: TransUnion

TransUnion says it began hearing from lenders and law enforcement about unusual fraud cases between 2012 and 2014. It began investigating, searching for driver’s licenses, voter registrations and other records to confirm identities. When nothing turned up, TransUnion investigators realized the cases could be tied to fabricated identities.

The company blocked thousands of credit reports from future use, figuring any real people would get in touch, says Lee Cookman, a director in its identity-solutions department. None did.

TransUnion and Experian say it is tough to distinguish between a fake person and a real person applying for credit for the first time with legitimate identifying information that isn’t on file. Equifax didn’t respond to requests for comment.

Criminals have taken up this new ruse in part because lenders and borrowers have gotten better at protecting against more traditional fraud, which often involves using stolen data about real consumers, says Chris Pinion, who specializes in fraud strategy at LexisNexis Risk Solutions, a unit of RELX Group.

Bypassing actual consumers, scammers such as Mr. Lyles trip fewer alarms. An Alabama native, he had worked at a debt-collection firm and as a U.S. Navy service member trained in electronic warfare, according to court records. He was once chief financial officer at Chosen Destiny Foundation Inc., a nonprofit serving Atlanta’s homeless.

Over two decades, he was convicted of crimes such as motor-vehicle theft and marijuana possession, court records show.

“He’s a good son, a loving father, and he took care of his family to the best of his ability,” says Betty Hollinger, his mother. “Whatever else happened, I just don’t know.”

Mr. Lyles, in federal prison for the fraudulent credit-card scheme, didn’t respond to interview requests. His lawyer, Careton Matthews, declined to arrange an interview with his client. “Mr. Lyles accepted responsibility early on,” he says. “He is remorseful for having committed the acts that caused him to be sentenced.”

In 2014, two months before the marijuana conviction, Mr. Lyles registered a business, Horizon Mediation LLC, specializing in “business performance improvement,” according to its website. Its official address was a strip-mall UPS Store. Bob Persky, the store’s owner, says: “We follow the guidelines of both the U.S. postal office and UPS corporate with all our mailbox holders.”

The UPS Store that was the official address of Kelvin Lyles’s business Photo: Ryan Gibson for The Wall Street Journal

Risk managers at credit-card issuer Capital One Financial Corp. started noticing peculiar patterns with transactions at Horizon and other merchants in the Atlanta area, according to federal investigators. Several of the accounts went delinquent shortly after purchases.

A Capital One review found that even though the applications were filled out in names of multiple individuals, several were submitted from common IP addresses. Some cards were being mailed to the same location.

Numbers game

Mr. Lyles had been looking to rehabilitate his credit when he learned about what are often called credit-profile numbers, Mr. Matthews said at his client’s sentencing hearing.

Also simply called CPNs, these are essentially fake Social Security numbers, nine digits the agency hasn’t assigned or, in some cases, numbers assigned to children that haven’t ever made it into credit files. People with tainted credit histories sometimes use them rather than their legitimate numbers so they won’t be dogged by prior delinquencies. Underground websites sell them in batches.

Kelvin Lyles. Photo: Georgia Department of Corrections

Using CPNs on loan applications is illegal, says Stephen Stigall, partner at law firm Ballard Spahr LLP, and can subject their users to charges of making false statements to banks, bank fraud or conspiracy to commit bank fraud.

Lenders lack methods of instantly distinguishing credit-profile numbers from Social Security numbers—in part an unintended consequence of a Social Security Administration move meant to reduce identity fraud.

The agency used to generate numbers in predictable patterns. The first few digits corresponded to a person’s ZIP Code when the number was issued, letting lenders cross-check the number with other application entries. In 2011, the agency began generating numbers randomly. That made it tougher for lenders to spot fakes.

An agency spokesman, Darren Lutz, says “randomization represents an important step forward in preventing the compromise of SSNs and preventing identity theft” including by making it harder for scammers to reconstruct numbers using public information.

Lenders can ask the agency to cross-check numbers, but most don’t. The agency requires an applicant’s handwritten signature, which can be time-consuming.

The agency’s Mr. Lutz says: “We are currently exploring authentication capabilities to enhance the consent process.”

The missing tool for preventing synthetic fraud is an instant way to verify a Social Security number through an agency process, says Brian Murphy, senior director of policy at the American Bankers Association trade group. “At this point,” he says, “it is the number—the single identifier—on which everything turns.”

Lenders tend to use their own data and fraud-detection tools and review information from credit-reporting companies. Those companies build histories for people based on information lenders provide.

That can create openings for fraud because of the vulnerability in the system. If an applicant hasn’t received credit before, a lender’s query to a credit-reporting firm will reveal no borrowing history, and the lender will likely reject the application.

But that very query typically results in the creation of a new credit file for the person. If the person applies for more loans, that process expands the credit file and can give the perception the applicant is real.

If one lender approves a card for that applicant, that information can make the file a full-fledged credit report. While the person probably won’t get a high-spending-limit card without a repayment history, lenders who provide low-limit cards often take chances on newer borrowers.

Some identity fabricators pay bills promptly to qualify for higher limits, then “bust out,” running up the maximum charge.

TransUnion’s Mr. Cookman says it informs lenders when applicant information is consistent with synthetic fraud—an address associated with more than 200 people, say. Experian last year introduced a score alerting lenders if an applicant exhibits characteristics of a synthetic fraudster. TransUnion introduced a similar service in 2015.

Banks are looking to put more emphasis on factors besides Social Security numbers and other static identifiers, says the ABA’s Mr. Murphy.

Amanda Landers, a spokeswoman for Capital One, which was pulled into Mr. Lyles’s ruse, says: “When opening new accounts, Capital One has multiple defenses in place and layered verification checks to identify potential fraud.”

Tracking Mr. Lyles

Mr. Lyles used credit-profile numbers to win cards in nonexistent people’s names, investigators say. Investigators found a receipt at his house from a website that sells such numbers.

One of his “people” was a Mike Milton, born May 7, 1987, and from Fayetteville, Ga. He applied for and received a Capital One credit card in that name, investigators say.

Mr. Lyles ran new cards through phony merchant accounts he controlled with Square Inc. and PayPal Holdings Inc. payment systems—resulting in payments from Capital One and other banks into the accounts. Square and PayPal declined to comment. Investigators say he also used cards for actual purchases and cash advances.

“Realizing how easy that appeared to be and how these CPNs were not real people,” said Mr. Matthews at the hearing, “it seemed too easy.”

In late 2014, Capital One became concerned enough about signs of fraud it was spotting as well as delinquencies in the accounts used at Horizon that it contacted Keith Speers, a U.S. Postal Inspection Service investigator.

Mr. Speers, a former U.S. Air Force security-forces officer, says he spent the first weeks of 2015 cross-referencing account information with public records and calling affected businesses, hoping to uncover who was behind the transactions.

The addresses to which new cards were mailed were often vacant or mail centers from which mail was forwarded elsewhere. In February 2015, Mr. Speers received security-camera images of someone withdrawing $300 from a PNC Financial Services Group Inc. ATM using a Capital One card in a name flagged to Mr. Speers. Images showed a man with a buzzcut.

In March, Mr. Speers says, information from Amazon.com Inc. and other retailers about online purchases of clothing, shoes and other goods using fraudulent cards shared a shipping address. The recipient appeared to be female.

Mr. Speers says he ran the address through motor-vehicle records and found Mr. Lyles. His license photo matched the man in the PNC pictures.

Discover Financial Services had also issued cards to some of the same “people” that had raised suspicions at Capital One, Mr. Speers says. Discover, Amazon and PNC declined to comment.

Given the number of suspicious identities involved, Mr. Speers wanted to make sure Mr. Lyles wasn’t a patsy. He recalls worrying that “we’re going to take off kind of one head and there may be multiple people connected but essentially independently capable of continuing, and then they would know we were out.”

After subpoenaing cellphone and other records, Mr. Speers says, lenders “would always come back with, ‘That linked us to these additional accounts.’ ” GPS data tied to payment terminals showed the activity centered in Mr. Lyles’s neighborhood.

Mr. Speers and six other agents arrived at Mr. Lyles’s home with a search warrant. Investigators found multiple payment terminals, five fake IDs, 30 credit and debit cards mostly in other people’s names, a list of more than 300 credit-profile numbers and the receipt from the site selling those numbers.

Among the IDs was one for Mr. Milton.

The U.S. attorney’s office charged Mr. Lyles not with identity theft, because he didn’t try to defraud real people, but with wire fraud. He pleaded guilty in January 2017.

At an April sentencing hearing, he told U.S. District Judge Mark H. Cohen that “I thought it was something legal at first...It was helping me take care of my family, it was actually helping me grow my business. And life just started to look up.”

Judge Cohen sentenced him to 46 months in prison. “This is not a victimless offense,” the judge said. “This is basically abusing the credit system of, frankly, this country.”

Write to Peter Rudegeair at Peter.Rudegeair@wsj.com and AnnaMaria Andriotis at annamaria.andriotis@wsj.com

ADS