I had trouble prepaying the balance on a Chase credit card recently before the statement’s close date. It was frustrating, but reminded me how many things that we want to do that are totally normal also look like things that people do when they’re trying to commit fraud. And this reminded about something I wrote based on a presentation at a credit card industry conference I spoke at: a talk by Paypal’s head of fraud operations who explained why having a lot of authorized users, and why making mid-cycle payments to a card, can look like fraud.
Fraudsters create synthetic identities and it’s easier to do it than most people would imagine. They’re creating a person financially or digitally that doesn’t exist, new identities using a combination of real data and fabricated information.
- Social security numbers are easy for people who know what they’re doing. Prior to 2008 social security numbers weren’t randomized, and there’s still an algorithm used to create these numbers.
- Social security numbers that get targeted most are ones infrequently used — those of children and the elderly — he recommends freezing the credit file of your children.
- Everyone’s data is out there. Using social security numbers, dates of birth, and mother’s middle name for validation has become worthless, after the Equifax breach but even before.
Here’s how a phantom borrower is born. The scammer creates their fake identity, gets a fake ID and decides what social security number to use. They go into a store, say Target, and they’re offered a credit card at checkout. The clerk at the store isn’t looking for fraud, they’re incentivized for getting the application.
- Applying creates a credit file.
- They’re probably turned down for credit.
- They go back 2 or 3 times to different issuers and do that again. Now there’s more data in the file.
- Eventually a bank will approve with a small limit. That bank has a limited risk (because of the small limit) but the ‘person’ now exists.
There are super easy cards to get with $500 limits. Then that person gets marketed to for more cards.
The identity itself is worth more than the credit lines, so they don’t go spend the $500. Their credit lines increase as bills get paid.
The ‘person’ is able to apply for credit, open deposit accounts, purchase insurance policies, enroll in medical benefits, and obtain drivers licenses and passports.
- The process gets sped up through authorized users. They’ll pay to be added to an existing real account as an authorized user. They use credit repair services which are viewed as ‘legalized brokers’.
- When these new authorized user accounts report to credit bureau, they can improve the FICO score. It’s not uncommon to see accounts with 70 or more authorized users because people are selling their authorized user additions.
- Every 10-21 days (depending on the speed of reporting) FICO scores will jump 30-60 points. So they sit on it for six months and they’ve got a 750 score. Then the authorized users start to become primary cardholders. Someone that’s an authorized user on 70-80 accounts is a future credit risk, having 10 or more authorized users on your own cards is a fraud flag.
Large banks are bigger targets than small credit unions, it’s easier to hide within millions of customers. 85% of identity theft is tied to synthetics. There’s $355 million in outstanding credit card balances owed by people that don’t exist (and this is up eight-fold over the last 5 years).
There are 6 million new credit files each year with little or no data/history. There are 20 million valid identities with overlapping social security numbers. There is no person victim to report the fraud, no real person to inquire of for collections. Most of this is treated as a credit loss and charged off.
These synthetic identities apply to rewards accounts, too. They stick it to the bank for the transactions and earn rewards doing it.
Customers do payment kiting between accounts. They take their $10,000 card, buy $10,000 worth of stuff at Macy’s, and send in a $20k payment from a checking account with $50 in it. Now they have more credit to spend at the store the next day, before the $20,000 payment bounces. This is one reason banks may flag mid-cycle payments.
There are also merchant rings that ‘cut out the middle man’ of Macy’s or Best Buy. The merchant runs a $10,000 charge and writes a check back to the cardholder for the net (mins merchant fees). Or they use fictitious merchants — it’s easy to become a small merchant with credit card processing.
Credit repair services can be used to preserve synthetic identities taking advantage of the ability to dispute inaccuracies on a credit bureau. Some institutions can’t manage to complete their investigation and respond within 30 days and so negative items come off a report. People will dispute the same items over and over until the institution fails to respond in time.
Ultimately credit reports that look like reports which have been used for fraud in the past get flagged.
Gary,
This is why the SSVNS was recently created. Google it.
It was created to try to prevent this. It’s opening up the Social Security Administrations private database to private comapnies like financial institutions to actually verify the name and date of birth and other information is valid and mirrors a real person.
I know in the past 12-18 months that many of the larger banks are now doing this (Capital One and AMEX for instance) and it is cutting this method off real fast. The midsized banks and regional banks are slower to adopt and it takes time so this won’t resolve overnight.
But at least it is a start.
“When these new authorized user accounts report to credit bureau, they can improve the FICO score. It’s not uncommon to see accounts with 70 or more authorized users because people are selling their authorized user additions.”
Thanks for the article, very eye opening. Why wouldn’t 5 or more authorized users raise a flag or not even be allowed? It appears the credit card companies brings this on themselves. Does the credit card companies write off a lot of the debt so they don’t have to pay as much in taxes? I’m not an accountant, but if this is the case some limits need to be set because ultimately this reduces legitimate tax income the government collects.
Happy New Year!
EDIT: Sorry, SSVNS is the one for employers that has existed for a long time. The new system is the Consent Based SSN Verification (CBSV) / eCBSV that was recently created for banks and other financial companies to voluntarily opt-in — and it cost a lot. I believe there is an initial fee of like $5,000 plus charges for each lookup.
When I was a teen, I got a credit card for a fake name as a gag. I never used it but carried it around to show friends.
In a similar vein, look at tax deductions. Put money into an HSA and then, unless you can afford to save it, withdraw it almost immediately to pay for past medical expenses. Instead just give us an annual tax deduction for medical expenses without requiring them to be more than a percentage of income. How about 529 plans. How many people paying tuition are able to save the money they deposit in a 529, rather than depositing it and withdrawing it immediately to pay tuition bills? Instead give us a $5000 state tax deduction per child attending schools that charge tuition. Otherwise it feels like money laundering even though it’s legal.
@derek — Hope you were under 18, because, otherwise… FRAUD! /s
If authorized users are a source of credit card fraud, why are my credit cards constantly encouraging me to add authorized users? One card recently sent me an email saying that if I were to add up to ten authorized users, I would be paid $50 for each one. That’s ridiculous!
This is generally the fault of the credit card companies. I was under the impression that in order to get a credit card required a social security number and a matching name? The article makes it sound like that you can just come up with the social security number and any random name.
You would think that credit card company would flag authorized users that have 70 plus on them. You would also think that unless the account was a business account it would definitely be flagged. I could see less than 10 for a large family who distribute credit cards. Adding authorized user does not always increase your credit score.
Isn’t it a tax write-off for the banks?
After all, the feds guarantee that banks are too big to fail.
Anyway, very interesting analysis. . Probably overseas dark web organized criminal bosses and their hacker bot minions.
Without references, it’s hard to verify any of this. I do know that check kiting used to be possible, but it’s very difficult/impossible as banks have systems (Plaid, anyone?) that can check the balance. There is always that one (business) day delay due to the ACH system.
As for the person who asked why do credit card issuers encourage additional authorized users? Because it increases the payment flow. And Payment flow = more money, because if you are good at it, you should be able to make at least 90 basis points (0.9%) off of the flow, which can fluctuate on all of the middlemen you have to pay along the way, especially PayFac’s, ISO’s Gateways, and a whole number of sales agents who get a slice of the payment stream, right down to the retail account manager who signed up the local restaurant.
Everyone gets paid.
I created a Pay Fac in 2013 before it became in vogue. We were doing about $1 Billion at the time, and if you followed the rules, put up a $30 Million bond (doesn’t cost as much as you think, BTW), and you too could start signing up merchants, get the best Interchange rate (the rate that VISA/MC/AE/DISC/etc charges you), but you had to take on the fraud risk.
And it exists! Except, if you know what you are doing, you can catch it quickly enough before it costs more than the added business you are getting.
And in reality, we still had to be sponsored by a level 1 organization, which is usually someone like Global Payments or FiServ. WorldPay, etc. And guess what??? Even though your contract FORBIDS them to start charging your clients BS fees (Like “PCI Insurance”, only $49/quarter!), they still do!!!
So IMO, the biggest fraud is by the biggest payment providers, where they treat entire chunks of client segments for their ISO’s as opportunities to pillage and ‘extract value’… Oh, they always claim “it wasn’t on purpose”, and the best answer I got?
“We are simply too big to know that this decision effected you. Sorry.”
Hmmmm…
Yes, this happened to me. I made a mid-cycle payment on CSR Biz in order to accommodate an impending property tax payment and complete the SUB. No dice, Chase made me wait 2 weeks for the payment to clear.
There is a service that will handle all the paperwork to freeze your children’s credit reports for a nominal fee. Well worth the money to avoid the hassle. When they turn 18 the parents lose access and the kids simply set up their own CRA accounts.
Gary is confused when it comes to mid-cycle credit card payments.
Any time you have a balance on your credit card you can make a payment with no hinderance at all with any US credit card issuer. Once you make that payment, most credit card companies will automatically restore your available credit while the payment is going through the clearance process for a couple of days.
The problem arises when you have no balance and still want to make a payment. The vast majority, but not all, credit card issuers will discourage that. There are still ways to make that pre-payment, but you’d have to use a service such as BillPay to accomplish that. Now, even when you make a successful pre-payment, with the exception of retarded American Express, that pre-payment does *not* increase your spending limit.
Card issuers have an effective way to reduce fraud. For example, let’s say you pre-pay your credit card with a $10,000 limit by $10,000. Your attempt to make a $15,000 purchase will fail. You will have to make a $10,000 purchase, wait a day or more for that charge to settle and actually post to your account, and then make another purchase. Still, fraud is definitely possible. You just make the $10,000 payment, make a fraudulent payment once it posts and then wait a day before you cash out.
The real reason why pre-payments are discouraged is because banks do not want you to end up with a credit balance. What the bank wants is you to take, for example, a $99.99 purchase and then pay of that amount at the appropriate time. They do not want you to make a $100 payment and then charge only $99.99 to your account while leaving a credit balance of $0.01.
I have one particular credit card that I do not use often. In order to keep in from being closed for inactivity, I make a purchase of $10 every three months. Once payments post to any of my credit card accounts, I make payment without waiting for the monthly statement. The problem with the credit card in question is that it earns 2% rewards and the statement always shows a credit balance of $0.20. Sometimes I wait four months before using the card again, but after the third the bank sends me a check for $0.20. It costs them about $2 just to send me that check for twenty cents. And that is really why banks do not like pre-payments.
I will send in a partial payment before the 15th (when they report balances to credit agencies) if I’ve made a particularly large purchase – to keep the balance under 10% of the card limit. Maybe this is putting me on some watch list.
I did lose over 50 points on my credit score in 2025 for 1) paying off my 15-yr mortgage 5-years early, and 2) opening up a DL Amex Platinum (first new card in 13 years).
$335 million is really no fraud at all. That’s $1 per person in the US. It’s already been reduced to a tiny amount, and just not economically worth fully stopping it.
@Christopher Raehl — Ah, yes, $335 million… ‘no big deal’… LOL.
Christopher Raehl is correct.
math is hard.
There is a difference between paying mid cycle or before the statement cuts and cycling the credit line. There should be no issue in paying mid cycle or prior to statement cut on any card account. Especially accounts you have a relationship with. Cycling brings on much more risk and there are several reasons for that. AMEX does not mind about mid cycle payments or cycling on cards that have a hard line. That does not mean that if you are chaging huge amounts out of your spending pattern, that wont eventually get a Financial review. Dont cycle with Chase ever trying to get the signup reward. They dont like it and it could trigger a shutdown.
@BigTee sorry, but I’m so tired of the “write off” argument. Yes, an expense for a US corporation costs them about 70% after fed and local income taxes. So, yeah it is less painful, but real. They don’t ignore things they can “write off.” Dou you?
@Mike, this is encouraging:
“eCBSV allows permitted entities to verify if an individual’s SSN, name, and date of birth combination matches Social Security records. Social Security needs the number holder’s written consent with a wet or electronic signature in order to disclose the SSN verification.” While I don’t know what ‘wet” means here, I like they’ll contact me.
On the push for authorized users. Of course, the cc company wants to you to put your spouse and kids on the card. They’ll probably charge a lot.
OK, it should have been obvious by context, a wet signature is one done in person with a pen. Duh!