A Social Security number belonging to a six-year-old. A name pulled from thin air. A mailing address tied to a rented mailbox. Stitch those fragments together and you get a credit file that looks legitimate enough to pass a lender’s identity check. Criminals have been doing exactly that for years, and the financial system is only now catching up.
“I didn’t even know my daughter had a credit file until a collector called about a $12,000 balance,” one Texas mother told a local CBS affiliate in 2023 after discovering her toddler’s Social Security number had been used to open three credit cards. Her experience is not unusual. Equifax, one of the three major U.S. credit bureaus, has begun deploying detection tools built specifically to flag synthetic identity fraud, a scheme the Federal Reserve, the FBI, and the Government Accountability Office have all identified as a serious vulnerability in how lenders verify borrowers. The bureau markets these capabilities under its FraudIQ product line, though it has not published a press release detailing a specific launch date or independent performance benchmarks. The effort marks an acknowledgment that traditional credit-screening methods were never designed to catch identities that have no real-world owner.
How a fake person gets a real credit score
Synthetic identity fraud does not work like conventional identity theft. Instead of stealing one person’s full identity, fraudsters take a single real element, usually a Social Security number, and pair it with fabricated details: a made-up name, a false date of birth, a rented mailbox for an address. The result is a composite that resembles a real person with a thin credit history.
A Federal Reserve white paper published in 2019 described the playbook in detail. Fraudsters use these manufactured profiles in what the industry calls “bust-out” schemes: they open accounts, make on-time payments for months or even years to build credibility, then max out every available credit line and disappear. Because the borrower never existed, there is no one to pursue. The Fed concluded that synthetic identity payments fraud “can escape detection by today’s identity verification and credit-screening processes” because those systems assume every applicant corresponds to a real human being.
The FBI’s Portland field office reinforced that point in a consumer-facing advisory published as part of its “Tech Tuesday” blog series. The post, aimed at helping everyday internet users protect themselves, warned that lenders often do not discover the fraud until accounts default. By that point, the fabricated borrower has vanished and the lender absorbs the loss with no one to hold accountable. The advisory is not an investigative finding or enforcement action, but it reflects the bureau’s view that the threat warrants broad public awareness.
A 2017 GAO forum report highlighted why certain populations bear the greatest risk. The Social Security numbers most commonly exploited belong to children, elderly individuals, and recently deceased people, groups unlikely to monitor their own credit. That gives fraudsters a long runway to build up accounts and higher credit limits before anyone notices something is wrong.
What Equifax is building to fight back
Equifax has marketed synthetic identity detection capabilities under its FraudIQ product line, which includes what the company has called Synthetic Identity Alerts. However, the bureau has not disclosed the full technical architecture of these tools or released performance data showing how many fraudulent profiles they have intercepted. Its public descriptions point to a shift away from point-in-time identity checks, the kind that simply confirm whether a name and Social Security number match at the moment someone applies for credit, and toward behavioral pattern analysis. That approach examines how a credit profile develops over time and across multiple institutions, looking for the telltale signs of a manufactured identity: an unusually clean payment history that appears out of nowhere, an address shared by dozens of unrelated applicants, or a Social Security number that was issued to someone far younger or older than the applicant claims to be.
Equifax is not working in isolation. The Social Security Administration launched its electronic Consent Based SSN Verification (eCBSV) service, which lets participating financial institutions verify in real time whether a name, date of birth, and Social Security number match SSA records. The service directly targets the mismatches that synthetic profiles depend on. However, eCBSV requires consumer consent and institutional enrollment, and as of spring 2026, the SSA had not published data on how broadly lenders have adopted it.
The data gap that makes this threat hard to size
One of the most frustrating aspects of synthetic identity fraud is that no one can say with confidence how big the problem actually is. The Fed’s white paper is now nearly seven years old. The GAO’s forum report dates to 2017. Neither agency has published an update with current loss figures or detection benchmarks.
The Financial Crimes Enforcement Network (FinCEN) released a Financial Trend Analysis in December 2022 covering 2021 Bank Secrecy Act filings that flagged identity-related suspicious activity, including circumvention of verification standards and abuse of remote onboarding processes. But those filings reflect activity from several years ago, and no public follow-up has extended the data into 2023 or beyond.
Fraud-prevention vendors and industry groups routinely describe synthetic identity fraud as one of the fastest-growing categories of payments fraud. That may well be true, but without standardized loss-reporting across lenders, it is difficult to separate genuine acceleration from improved awareness of a problem that has existed quietly for over a decade. Even basic questions, like what share of charge-off losses at major banks stem from synthetic identities versus traditional identity theft, remain unanswered with any precision.
What consumers should do right now
The people most exposed are those whose Social Security numbers are most vulnerable to misuse, and who are least likely to catch it themselves. Parents should consider placing a credit freeze on their children’s files through each of the three major bureaus. Adults caring for elderly relatives should monitor those credit reports regularly. And anyone can request free credit reports through AnnualCreditReport.com to check for accounts they did not open.
A credit freeze will not prevent every form of synthetic fraud, particularly if a child’s Social Security number has already been embedded in a fraudulent profile. But it creates a barrier that forces a lender to contact the account holder before opening new credit, which is often enough to stop a bust-out scheme before it starts.
Why lenders still cannot measure what they are fighting
The documented record from federal agencies points in one direction: synthetic identities can reliably bypass the credit-screening systems that most lenders still depend on. That finding has been consistent across the Federal Reserve, the FBI, and the GAO for nearly a decade. It was serious enough to prompt Equifax to build specialized detection products and the SSA to stand up a real-time verification service.
What remains missing, as of spring 2026, is the data infrastructure to track whether those responses are working. Federal agencies have not published updated loss estimates. Lenders do not report synthetic fraud losses in a standardized way. And no regulatory body has mandated the kind of consistent disclosure that would let policymakers, or the public, gauge whether the problem is being contained or continuing to grow unchecked.
Until that changes, the financial industry is fighting a fraud category it still cannot accurately measure.
