Synthetic identity theft: what it is and how it works

Identity theft doesn’t always have to involve someone breaking into your bank account. Criminals are increasingly blending real and fabricated information to create new, fictitious identities in a quieter, harder-to-spot form of fraud known as synthetic identity theft.

This guide defines synthetic identity theft, explains how it works, and outlines steps you can take to reduce exposure.

What is synthetic identity theft?

Synthetic identity theft is a kind of financial fraud where identity thieves combine real and fake data to create a new identity that doesn’t belong to a real person. This false identity is used to help criminals pass basic checks, build a credit history, and steal money from lenders they’ve deceived.

Traditional types of identity theft, by comparison, impersonate a real person to take over existing accounts or open new ones in that person’s name. Because synthetic identity fraud has no clear, immediate victim, it’s more likely to go undetected and trigger fewer alerts tied to a real individual.

Synthetic identity theft mixes real and fabricated details to assemble a Frankenstein-like persona — just not one as charming as Jacob Elordi.

How does synthetic identity theft work?

Fraudsters typically follow these steps to create and make use of a synthetic identity:

1. Data acquisition

This first stage involves criminals gathering personally identifiable information, such as a valid SSN (Social Security Number), from sources including public records, data breaches, leaked databases, and even the dark web. 

Fraudsters often specifically target SSNs from people without a credit history, as these numbers are less likely to appear in credit reports, making them harder to monitor. This means vulnerable individuals, like children or senior citizens, are common targets.

2. Identity creation

Once scammers have the real, valid data they were looking for, they pair it with some falsified information of their own: a fake name, a made-up date of birth, and an imagined address.

This identity compilation can go even deeper to make the fraud more convincing. Fabricated email addresses, phone numbers, or social media accounts may be created to make this synthetic persona appear more consistent to anyone who investigates it.

3. Credit building

In this next step (also known as “nurturing”), identity thieves establish a footprint with their new persona by applying for small credit lines or store cards. Even if these requests are denied, a file for the new identity might be created at one of the three major credit bureaus (Equifax, Experian, and TransUnion), helping the criminals look more like legitimate borrowers.

Over time, fraudsters may secure a credit card, making small purchases and paying the minimum balance on time each month. This helps them build a positive credit history, making their fake identity seem all the more real.

4. Monetization

As synthetic identities gain legitimacy, scammers open larger credit accounts, take out personal loans, or purchase expensive goods on installment plans — without ever intending to repay.

When the fraudster is ready to cash out, they max out their credit lines, withdraw all available funds, and disappear. This final phase of synthetic identity theft, also called the “bust-out,” is what leaves lenders and financial institutions with potentially massive losses.

Why is synthetic identity theft hard to detect?

Synthetic identity fraud is relatively hard to detect for the following reasons:

• No direct account takeover: unlike a hijacked bank account, there isn’t a clear signal that someone fraudulently gained access to another person’s finances;
• Delayed consequences: fraudulent activity may only happen months after the synthetic identity is created. A thin but positive credit history is first built, so there often aren’t any signs of theft until the damage is done;
• Gaps in traditional verification methods: many ID checks only match a valid SSN with other basic details that a synthetic identity can easily satisfy;
• Fewer alarms for individuals: credit reports typically reveal suspicious activity that’s tied to your real identity. However, if your SSN is attached to a synthetic profile with different personal information, you might not immediately receive any alerts of suspicious activity at all.

Who is more exposed to synthetic identity theft?

You may be at risk of higher exposure to synthetic identity fraud if you:

• Frequently sign up for new services online: getting a new app or setting up an online account often requires you to share some kind of personal information. The risk of signing up for a single trusted service is small, but repeatedly giving details like your name, address, email, or phone number to sites you don’t recognize is much more dangerous;
• Reuse real personal details on every site you visit: anything from a free trial to a newsletter or online giveaway can ask for your personal information. In many cases, however, this data isn’t actually required, so sharing details that aren’t really necessary puts you at a greater risk;
• Post personal details on social media: anytime you share private information that can be linked back to you, you make it easier for scammers to commit fraud.

These habits increase the volume of real data in circulation that can be combined with fake details to create a synthetic identity.

How to reduce your exposure to synthetic identity theft

To limit the chances your data is used to commit synthetic identity theft, follow these practical, low-effort steps:

• Share only what’s required: if a service doesn’t truly need your full name, date of birth, or phone number, don’t provide it. If possible, use only trusted software and verified websites;
• Separate core identity from casual activity: use unique email addresses and phone numbers for low-priority sign-ups, such as free trials and newsletters. This ensures your primary contact details can’t be found across too many sites;
• Be selective with new accounts: fewer sign-ups lead to fewer places holding your data online. Skip accounts you don’t think you’ll regularly use, and consider using guest checkout when shopping;
• Don’t leave public breadcrumbs: minimize posting your name, birthdate, and full address across websites, as these can be tied back to you or used to build a synthetic identity. You can also actively try to remove your personal info from the internet;
• Protect your primary accounts: create strong, unique passwords and MFA (Multi-factor Authentication) for your email, social media, and bank accounts to lower the chance of your core profiles getting abused during verification.

How Alternative ID fits into safer online sign-ups

Many services you interact with online — like apps, newsletters, or free trials — don’t need to verify your real-world identity. They often just ask for basic details during sign-up to create a user profile, manage your account, or personalize ads and content. 

You can use a tool like Surfshark’s Alternative ID to gain access without revealing any personal information. Alternative ID lets you use distinct, low-stakes contact details for online sign-ups without repeatedly sharing your primary accounts or real personal data.

Specifically, Alternative ID generates a new name, alternate email, and secondary address you can use on sites you don’t trust. Using these details helps you avoid spam, unwanted attention, and data leaks of your primary contact information.

The tool can be applied to all kinds of use cases, including:

• Free trials;
• Newsletters;
• App downloads;
• Website sign-up forms;
• Marketing subscription emails.

Think of Alternative ID as a risk-reduction tool. It won’t prevent identity theft outright (no tool will), but it lets you mask your name and contact info, limiting data reuse and minimizing the likelihood of your data being used in synthetic identity theft.

Example: using Alternative ID in everyday online activity

Here’s an example scenario showing what using Alternative ID looks like:

1. Generate your alternative persona: create a new identity with Alternative ID, including a new name, email, and physical address. You’ll get something that looks like:

• Name: Emma Novak
• Email: emma.novak@rug.com
• Address: 805 W Bailey St., Sioux Falls, SD 57104, USA

2. Use your alternative details during sign-up: you find a free trial for a new online service that you’d like to try out. When you see the online registration form, you enter the name, email, and address that Alternative ID generated for you. The service creates an account based on this information and grants you access.
3. Keep your real identity separate: you receive trial confirmation emails and access the service as usual, but your primary email address and personal identity remain protected from marketing emails, profiling, or potential data leaks.

Key takeaway: stay in control of your data

Synthetic identity theft mixes real and fabricated information to create a new identity for financial fraud. It doesn’t take over existing accounts and often builds quietly over time, making it relatively hard to spot.

Avoiding synthetic identity theft is tricky, but using tools like Alternative ID reduces the volume of real personal data available for misuse, limiting how often your details could be mixed with fake information by third parties.

Put your privacy first

Mask your real name and contact information with Surfshark’s Alternative ID

Get Alternative ID