How Synthetic Identities Are Generated

A synthetic identity blends a real Social Security number with fabricated details to create a person who does not exist. Here is how one is built, stage by stage, and how to detect it.
By Adya Tewari
l
11
 min read
What are deepfakes — business risk overview article
Table of Content
No items found.

A synthetic identity is a person who does not exist, assembled from a real Social Security number and a set of invented details, and it has become one of the fastest-growing forms of fraud in the world. In 2025, synthetic identity fraud rose eightfold and now accounts for roughly one in nine reported fraud cases globally, according to LexisNexis Risk Solutions. What makes it so effective is not a single clever trick but a patient, industrialized process that starts with a stolen number and ends, sometimes years later, with a bank writing off a loan to a person who was never real.

This guide explains how synthetic identities are generated: what they are, the step-by-step process used to build one, where the underlying data comes from, how generative AI has accelerated the whole thing, and what actually detects them. It is written for fraud, risk, and identity teams who need to understand the construction of the threat in order to disrupt it.

The defining feature, and the reason these identities are so hard to stop, is that there is usually no victim to raise the alarm. A real person whose number was borrowed may not find out for years, and the fabricated persona itself will never complain. That single fact shapes everything about how synthetic identities are made and why they work.

  • A synthetic identity blends real data, usually a genuine Social Security number, with fabricated details to create a person who does not exist.
  • Unlike traditional identity theft, there is no real victim to notice or report the fraud, which is why it hides for so long.
  • Children's SSNs are prized because they are unused clean slates that will not be checked for 15 to 20 years.
  • Credit bureaus unintentionally help by creating a credit file the first time a synthetic identity applies, even if the application is declined.
  • Fraudsters nurture the identity with small on-time payments for months or years, then bust out by maxing every credit line and vanishing.
  • Generative AI now supplies the faces, documents, and deepfake selfies that let synthetic identities clear digital onboarding at scale.
  • Synthetic identity fraud rose eightfold in 2025 and now accounts for about 11% of all reported fraud worldwide (LexisNexis).
  • Static SSN and PII checks no longer catch it; defense layers eCBSV, behavioral signals, consortium data, and deepfake and document detection.
At a glance

A synthetic identity blends a real SSN with fabricated details to create a person who doesn't exist — and because no real victim ever complains, it can hide for years. It's now one of the fastest-growing forms of fraud worldwide.

0×
growth in synthetic identity fraud in 2025 (LexisNexis)
0%
of all reported fraud worldwide — about 1 in 9
$0B
estimated annual US economic losses (BIIA)
$0K
average loss per confirmed case (Proofpoint)
Sources: LexisNexis · BIIA · Proofpoint · Mitek/Datos — as cited in this article

What Is a Synthetic Identity?

A synthetic identity is a composite persona built by combining genuine personal data with fabricated data. Most commonly it pairs a real Social Security number with a made-up name, date of birth, and address. This is fundamentally different from traditional identity theft. In classic theft, a criminal impersonates a specific real person and that person eventually notices the fraudulent charges. A synthetic identity impersonates no one in particular; it is a new entity stitched together from parts, which is why the fraud can run undetected for so long.

Analysts distinguish two broad flavors. A blended synthetic identity mixes one real element, usually the SSN, with otherwise invented details. A manufactured synthetic identity goes further, merging and blending real fragments taken from several different stolen identities into a single new persona. Both aim for the same outcome: a profile that looks authentic to most verification systems while corresponding to no actual human being. For a closely related look at how these fabricated identities defeat onboarding checks, see our guide to how deepfakes bypass KYC.

How a Synthetic Identity Is Built, Step by Step

The construction of a synthetic identity follows a consistent sequence. Understanding each stage shows where the fraud can be interrupted.

Build → bust-out

A five-stage con that can take years to pay off

A synthetic identity isn't a one-shot fraud — it's a patient, industrialized process. It starts with a stolen number and ends, sometimes years later, with a bank writing off a loan to a person who never existed.

1 · Seed with real data
A genuine SSN — often a child's — bought from breach data.
Day 0
2 · Fabricate the persona
A fake name, DOB, address, phone and email are attached.
Day 0
3 · Generate the artifacts
AI face + deepfake selfie + forged documents clear digital onboarding.
Where deepfakes enter
Minutes
4 · Establish & nurture credit
Small accounts, on-time payments — a rising, legitimate-looking profile.
Months–years
5 · Bust out
Every credit line maxed at once, never repaid, then abandoned.
The payoff

The whole scheme works because there's no real person behind it to pursue. The borrowed number's owner may not notice for years, and the fabricated persona never complains — so the usual fraud alarm never fires.

Stage What Happens Purpose
1. Seed with real data A genuine SSN is acquired, often a child's, bought on the dark web Provides a valid identifier that passes basic checks
2. Fabricate the persona A fake name, date of birth, address, phone, and email are attached Builds a complete but fictional profile
3. Generate the artifacts AI creates a face, a deepfake selfie, and forged documents Clears photo, document, and liveness checks at onboarding
4. Establish and nurture credit Small accounts are opened and paid on time over months or years Builds a positive credit history and rising limits
5. Bust out Every credit line is maxed out at once and abandoned Extracts the maximum value before the identity vanishes

Table 1: The five stages of building and exploiting a synthetic identity.

The Data Behind a Synthetic Identity

The seed data is what makes a synthetic identity viable, and not all stolen numbers are equal. Children's Social Security numbers are the most prized, because a child has no credit history and will not apply for credit for another fifteen to twenty years. That makes the number a clean slate: a fraudster can attach it to a fabricated adult and let the identity age without the real owner or any monitoring service noticing. Javelin research has found that roughly one in nineteen children in the US fell victim to identity fraud over a recent six-year period.

Numbers belonging to people experiencing homelessness, the deceased, the elderly, and incarcerated individuals are similarly attractive, for the same reason: the real owner is unlikely to be actively watching their credit. All of this raw material trades on the dark web, harvested from the steady stream of data breaches, which is what keeps the supply cheap and the barrier to entry low.

How Generative AI Changed the Game

Building a convincing synthetic identity used to require real skill. A fraudster needed to forge documents, maintain a consistent backstory, and sustain the persona across channels for months. Generative AI collapsed those barriers. As one industry analysis put it, AI does not invent new fraud objectives; it removes the bottlenecks that used to keep fraud small, namely the time to produce believable artifacts, the skill to write persuasive narratives, and the effort to deploy the supporting infrastructure.

In practice that means a fraudster can now generate a photorealistic face that belongs to no one, produce a matching deepfake selfie to defeat liveness detection, and fabricate supporting documents that look genuine, all in minutes and at scale. AI-generated fakes accounted for roughly 2% of all documented frauds worldwide in 2025, a figure that was essentially zero a year earlier, and deepfakes now feature in about one in five biometric fraud attempts. The same tooling enables volume: criminals spin up large numbers of identities and automate enrollment across many platforms at once, and fraud analysts increasingly warn of autonomous agents that reattempt verification with small variations until one succeeds.

Metric Figure Source
Growth in synthetic identity fraud (2025) Eightfold LexisNexis
Share of all reported fraud About 11% LexisNexis
Share of first-party fraud using synthetic IDs 21% Sumsub
Estimated annual US economic losses $30B to $35B BIIA
US unsecured credit losses (2025) $2.94B Mitek / Datos Insights
Average loss per confirmed case About $15,000 Proofpoint
New-account fraud attributed to synthetic IDs Over 80% Proofpoint
Annual baseline growth rate About 16% Mitek / Datos Insights

Table 2: Key figures on the scale and cost of synthetic identity fraud.

Why Synthetic Identities Are So Hard to Catch

Three features make this fraud unusually resistant to detection.

Why it hides for years

Three reasons the alarm never rings

Synthetic identity fraud resists detection not through one clever trick, but because three structural features line up to keep it invisible until the money is already gone.

No victim
The persona is nobody, so no one notices fraudulent charges or files a report. Banks often find out only at charge-off — and log it as bad debt, hiding the true scale.
The system bootstraps it
The first application is usually declined — but the inquiry makes the bureaus create a file. That file makes the fake look like a real, thin-credit consumer, and later applications start to succeed.
The counterintuitive one
Static checks pass
A valid SSN plus a matching address returns a clean result on traditional PII matching — the data lines up even though the person is fictional. Even step-up document checks clear.

The takeaway for detection: the data is real enough to pass every data check. Catching a synthetic identity means looking for what's missing — an organic life behind the data — and flagging the AI-generated artifacts that clear onboarding.

The first is the absence of a victim. Because the identity does not correspond to a real, watchful person, there is no one to notice fraudulent charges and file a report, so the usual early-warning signal never fires. Banks often only discover the loss when the account is charged off, and they frequently record it as bad debt rather than confirmed fraud, which hides the true scale.

The second is that the financial system inadvertently helps. When a synthetic identity first applies for credit, the application is usually declined, but the inquiry itself prompts the credit bureaus to create a file. That new file makes the fake persona look like a real, if thin, credit consumer, and subsequent applications begin to succeed. The identity effectively bootstraps itself into legitimacy.

The third is that static checks pass. If a fraudster holds a valid SSN and a matching address, traditional personal-information matching returns a clean result, because the data lines up even though the person is fictional. This is why single-point identity checks, and even step-up document verification, can be defeated: the underlying data is real enough to clear them.

How to Detect and Stop Synthetic Identities

Because no single control catches a synthetic identity, effective defense layers several signals that fail in different ways. In the US, the Social Security Administration's electronic Consent Based SSN Verification service lets permitted institutions check a name, date of birth, and SSN combination against official records and returns a yes or no, along with a death indicator, though it requires the number holder's consent and works best as a step-up check when fraud is already suspected rather than as a standalone gate.

Beyond that, the strongest signals look for evidence of a real life behind the data. Proof-of-life checks look for an organic digital footprint, a consistent history of addresses, phones, and emails, and connections to other verified people, all of which a fabricated persona tends to lack, appearing isolated and disconnected. Behavioral biometrics analyze keystroke dynamics, mouse movement, and touch pressure to separate human applicants from scripted enrollment. Consortium and industry data sharing surfaces the reuse of the same fragments across many institutions, a strong marker of manufactured identities, given that a large share of false-identity reports link back to individuals who have submitted other false identities.

The final layer targets the artifacts. Because so many synthetic identities now rely on an AI-generated face, a deepfake selfie, and forged documents to clear digital onboarding, detecting that synthetic media directly closes a door the data checks cannot. This is where DuckDuckGoose's DeepDetector fits, analyzing profile images, selfies, and document scans for the signatures of synthetic media so that an AI-generated persona is flagged at the point of onboarding, complementing the SSN, behavioral, and consortium checks that address the data side. Mordor Intelligence names DuckDuckGoose AI among the major companies in the fake image detection market.

Layer What It Checks What It Catches
SSN verification (eCBSV) Name, DOB, and SSN against SSA records Fabricated or mismatched identifiers
Proof-of-life signals Organic digital footprint and history Isolated, disconnected personas
Behavioral biometrics Keystroke, mouse, and touch patterns Bot and scripted enrollment
Consortium data sharing Reuse of data across institutions Repeat and reused synthetic identities
Deepfake and document detection Synthetic faces, selfies, and forged IDs AI-generated onboarding artifacts

Table 3: Layered detection signals for synthetic identities, and what each one catches.

Frequently Asked Questions

What is a synthetic identity?
It is a fabricated persona created by combining real personal data, usually a genuine Social Security number, with invented details such as a fake name, date of birth, and address. The result is a profile that looks authentic to verification systems but does not correspond to any real person.

How is a synthetic identity different from identity theft?
Traditional identity theft impersonates a specific real person, who eventually notices the fraud and reports it. A synthetic identity impersonates no one in particular; it is a new, fictional entity, so there is no victim to raise the alarm, which lets the fraud run undetected far longer.

Why do fraudsters use children's Social Security numbers?
Because a child has no credit history and will not apply for credit for fifteen to twenty years, the number is a clean slate. A fraudster can attach it to a fabricated adult persona and build credit over time without the real owner or a monitoring service noticing.

How does generative AI make synthetic identities easier to create?
AI removes the old bottlenecks. It can generate a photorealistic face, a matching deepfake selfie to pass liveness checks, and forged supporting documents in minutes, and it lets fraudsters mass-produce identities and automate enrollment across many platforms at once.

What is a bust-out?
It is the final stage. After nurturing a synthetic identity with small, on-time payments to build credit and raise limits, the fraudster maxes out every available credit line at once, never repays, and abandons the identity. Because there is no real person behind it, there is no one to pursue.

Why do traditional checks fail to catch synthetic identities?
Static personal-information matching only confirms that the data lines up, and a synthetic identity uses a real SSN with a matching address, so it passes. There is also no victim to report the fraud, and the credit bureaus create a file on the first application, which lets the fake persona bootstrap itself into looking legitimate.

How can organizations detect synthetic identities?
By layering signals: SSN verification through eCBSV, proof-of-life checks for an organic history and footprint, behavioral biometrics to spot scripted enrollment, consortium data sharing to catch reused fragments, and deepfake and document detection to flag AI-generated faces and forged IDs at onboarding. No single check is sufficient on its own.

How big is the synthetic identity fraud problem?
It is large and growing fast. Synthetic identity fraud rose eightfold in 2025 and now accounts for about 11% of all reported fraud worldwide, with estimated US economic losses in the tens of billions of dollars annually and a baseline growth rate of roughly 16% per year.

By Adya Tewari
DuckDuckGoose AI

About the author

By Adya Tewari
DuckDuckGoose AI

Discover the Power of Explainable AI (XAI) Deepfake Detection

Schedule a free demo today to experience how our solutions can safeguard your organization from fraud, identity theft, misinformation & more