From Synthetic Identities to Synthetic Receipts: The New Frontier of Fraud

ChatGPT's March image generator upgrade delivers impressive visuals with enhanced text integration capabilities, a significant improvement over the previous version. However, this advancement comes with a concerning downside: the tool excels at creating convincing fake receipts, giving fraudsters a powerful weapon against retailers. While this AI-enabled threat may seem like new ground, but it’s just a new variation of a familiar challenge: synthetic identity fraud.                                                 

Organizations have dealt with synthetic identity fraud for years, and many of the same strategies used to detect it can also be applied to identifying fake receipts. By understanding the mechanisms surrounding this type of fraud and implementing strong detection strategies, organizations can protect their operations and revenue while focusing on serving and growing relationships with real customers.

Understanding Synthetic Identity Fraud

Synthetic identity fraud occurs when fraudsters create fictitious identities that can bypass traditional verification systems, such as knowledge-based authentication questions or passwords, by combining real and fabricated personal information. These IDs can trick businesses into letting bad actors gain access to money, goods, or services that they can then abuse, potentially leading to significant financial and reputational damage. In fact, according to a 2024 TransUnion report, the number of accounts opened using synthetic identities increased by 18% in 2024 compared to 2023.

The problem is expected to worsen due to the advancement of AI. Tools like ChatGPT and Google’s Imagen 3 have propelled fake document fraud beyond traditional licenses and social security cards to include fabricated social media profiles and more sophisticated fake IDs. Now, fraudsters are leveraging AI-enabled image generators to create convincing fake receipts, allowing them to claim refunds for items they have never purchased. This evolving threat particularly endangers small retailers and e-commerce businesses, which may face mounting losses from these emerging scams.                                                           

Typically, bad actors create synthetic identities through a four-step process:

1. Identity Creation: The fraudster finds stolen, manipulated or entirely fabricated data to craft a synthetic identity. This data can come from information exposed in a breach, surfaced on the dark web or constructed from scratch.
2. Credit Application: The fraudster then applies for credit with a credit card company or lender to establish a credit history. This often requires multiple attempts as lenders are cautious with new, unproven identities, but eventually they find a way to get through.
3. Building Credit: Once approved, the fraudster makes regular payments to build a positive credit history, enhancing the credibility of the synthetic identity.
4. Exploiting Credit: With an improved credit score, the fraudster secures larger credit lines, eventually maxing them out and vanishing, leaving financial institutions, including lenders, to absorb potentially huge losses of up to $3.2 billion, according to one report.

Early and Advanced Detection is Key

Modern fraudsters are smart and determined, and they will likely do everything possible to bypass systems and processes. Even the best training for employees can fail to deter a bad actor from their actions. The key is to detect and prevent fraud before it occurs.

To achieve this, companies must move beyond traditional verification methods, such as knowledge-based questions or purchase history checks, which can be easily bypassed. Fortunately, the same AI used to create fake documents can also be a powerful tool in detecting them. By implementing advanced, AI-driven detection measures, businesses can identify fraudulent patterns, reduce risk and protect organizational integrity. A few examples that companies use today include:

1. Digital Footprint Analysis: A user’s digital footprint, including email addresses, phone numbers and social media profiles, can provide insight into whether or not they are a real person. A legitimate user typically has a consistent and traceable online presence.
2. IP and BIN Lookups: Examining IP addresses and Bank Identification Numbers (BIN) can reveal inconsistencies. A discrepancy between an IP address’s geographical location and the country of a credit card’s issuing may indicate fraudulent activity. In the case of fake receipts, understanding whether a user has a history of visiting an e-Commerce site can be a giveaway for whether or not they made a purchase there.
3. Device and Browser Fingerprinting: Device fingerprinting involves collecting data about a user’s device and browser configurations. Unique patterns can be established for each user, making it easier to detect anomalies or repeated use of the same device across multiple synthetic identities.
4. Behavioral Biometrics and Velocity Rules: Monitoring user behavior, such as typing patterns, mouse movements and the speed of form completions, can help identify automated or suspicious activities. Velocity rules, which track the frequency and speed of specific actions, can further aid in detecting abnormal behaviors indicative of fraud.
5. Machine Learning Algorithms: Employing machine learning models allows for analyzing vast datasets to identify patterns associated with synthetic identities. These models can adapt over time, improving their accuracy in detecting fraudulent activities and reducing the number of false positives. And just like receipts can be created with AI, they can also be detected.

Synthetic identity fraud poses a significant challenge in today’s digital economy, particularly as AI tools facilitate the creation of fake documents. Companies that remain vigilant against these new threats will prevail. By proactively implementing the correct training, processes and systems, businesses can mitigate the risk of fraud while protecting revenue for the long haul.