How People Commit Credit Card Fraud (And Why You Accidentally Trigger Alerts)

After writing recently about legislation in New York where banks have to let you redeem your accumulated points even if they decided to close your account, I wound up having several conversations with readers about the kinds of activities that look risky to a bank and may make them decide they don’t want your business anymore.

I was reminded about something I wrote three years ago based on a presentation at a credit card industry conference I spoke at: a talk by Steve Lenderman, Fraud Operations Lead for Paypal, who talked about how people commit fraud against financial institutions. He explained in particular why having a lot of authorized users, and why making mid-cycle payments to a card, can look like fraud. And behaviors undertaken by bad actors look suspicious when they’re legitimately undertaken by the rest of us.

Fraudsters create synthetic identities and it’s easier to do it than most people would imagine. They’re creating a person financially or digitally that doesn’t exist, new identities using a combination of real data and fabricated information.

  • Social security numbers are easy for people who know what they’re doing. Prior to 2008 social security numbers weren’t randomized, and there’s still an algorithm used to create these numbers.
  • Social security numbers that get targeted most are ones infrequently used — those of children and the elderly — he recommends freezing the credit file of your children.
  • Everyone’s data is out there. Using social security numbers, dates of birth, and mother’s middle name for validation has become worthless, after the Equifax breach but even before.

Here’s how a phantom borrower is born. The scammer creates their fake identity, gets a fake ID and decides what social security number to use. They go into a store, say Target, and they’re offered a credit card at checkout. The clerk at the store isn’t looking for fraud, they’re incentivized for getting the application.

  • Applying creates a credit file.
  • They’re probably turned down for credit.
  • They go back 2 or 3 times to different issuers and do that again. Now there’s more data in the file.
  • Eventually a bank will approve with a small limit. That bank has a limited risk (because of the small limit) but the ‘person’ now exists.

There are super easy cards to get with $500 limits. Then that person gets marketed to for more cards.
The identity itself is worth more than the credit lines, so they don’t go spend the $500. Their credit lines increase as bills get paid.

The ‘person’ is able to apply for credit, open deposit accounts, purchase insurance policies, enroll in medical benefits, and obtain drivers licenses and passports.

  • The process gets sped up through authorized users. They’ll pay to be added to an existing real account as an authorized user. They use credit repair services which are viewed as ‘legalized brokers’.

  • When these new authorized user accounts report to credit bureau, they can improve the FICO score. It’s not uncommon to see accounts with 70 or more authorized users because people are selling their authorized user additions.

  • Every 10-21 days (depending on the speed of reporting) FICO scores will jump 30-60 points. So they sit on it for six months and they’ve got a 750 score. Then the authorized users start to become primary cardholders. Someone that’s an authorized user on 70-80 accounts is a future credit risk, having 10 or more authorized users on your own cards is a fraud flag.

Large banks are bigger targets than small credit unions, it’s easier to hide within millions of customers. 85% of identity theft is tied to synthetics. There’s $355 million in outstanding credit card balances owed by people that don’t exist (and this is up eight-fold over the last 5 years).

There are 6 million new credit files each year with little or no data/history. There are 20 million valid identities with overlapping social security numbers. There is no person victim to report the fraud, no real person to inquire of for collections. Most of this is treated as a credit loss and charged off.

These synthetic identities apply to rewards accounts, too. They stick it to the bank for the transactions and earn rewards doing it.

Customers do payment kiting between accounts. They take their $10,000 card, buy $10,000 worth of stuff at Macy’s, and send in a $20k payment from a checking account with $50 in it. Now they have more credit to spend at the store the next day, before the $20,000 payment bounces. This is one reason banks may flag mid-cycle payments.

There are also merchant rings that ‘cut out the middle man’ of Macy’s or Best Buy. The merchant runs a $10,000 charge and writes a check back to the cardholder for the net (mins merchant fees). Or they use fictitious merchants — it’s easy to become a small merchant with credit card processing.

Credit repair services can be used to preserve synthetic identities taking advantage of the ability to dispute inaccuracies on a credit bureau. Some institutions can’t manage to complete their investigation and respond within 30 days and so negative items come off a report. People will dispute the same items over and over until the institution fails to respond in time.

Ultimately credit reports that look like reports which have been used for fraud in the past get flagged.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »



  1. Great summary; it’s both impressive and scary that this is such a “long con.” How would this change if the target had already frozen their credit at Equifax, Experian, and TransUnion?

  2. can you share the name of the “industry conference” and can just any one register?

  3. Very interesting- have read a bit about this as the term “bust out risk”. Like you said, a credit profile is built up slowly, because it’s synthetic it doesn’t affect the profile of the fraudster. Then once high enough credit scores are attained, multiple cards with high credit lines are obtained within a few months, followed by running up huge charges and “busting out” as the synthetic person disappears and never pays anything off.

    This is why the credit card issuers have gotten more sensitive about multiple recent applications for credit, even with other issuers.

  4. Thanks for the
    Step by step, now I have something to do this summer –

  5. Synthetic fraud is an issue because banks haven’t improved their algorithms enough. Look at what Palantir has done to improve ‘vetting’ of foreign nationals. There is enough data out there for banks to distinguish a real customer from a synthetic – they just need to make an effort to get and use it.

  6. It is mind boggling that CRAs do not flag duplicate SSNs across .multiple “individuals.” Or flag SSNs that were clearly issued before the person turns 18. Either the IT systems are incredibly antiquated or they just don’t care. I hope that every Congressman is the victim of identity theft so that we can finally get appropriate regulation from Washington.

  7. Thanks for the report. Interesting stuff. I have a college-aged family member and I can tell that the banks are “checking his identity” more than other young adults I’ve helped in the past. We’ve had to do things like send in copies of ID and such. No big deal, just a modest hassle. I’m now guessing this extra scrutiny is in response to the fictitious person problem you’re discussing.

    Your post also suggests that it’s a good idea not to get too many authorized users on your accounts. I’ve never “gone crazy” with this like some have to exploit (say) AMEX Offers, but I have gotten AMEX cards for all my immediate family members to qualify for more Offers. I think that’s probably fine, but it also seems like you shouldn’t get additional cards for other accounts unless you really need them. Better to be safe than sorry on this stuff.

  8. Hey, Gary…idea for a follow-up. It seems every time I travel, some account is hacked (my SPG Amex twice, my Barclay Aviator once and — most recently — $900 was siphoned out of my PayPal account). I have strong passwords, two-factor authentication wherever possible, I line my travel wallet to prevent RFID attacks, etc. What else can/should/must we do? And what are our options for WiFI access when traveling? It is so easy to think that the WiFi access offered by lounges (e.g., Admirals Clubs, etc.) are relatively “safe” — but are they? Also, interesting data point: I spent a couple hours each way recently in Doha’s Al Mourjan lounge. Not a single computer terminal had an active antivirus program. I pointed this out to the lounge’s IT “manager” on my outbound visit. On my return a week later, nothing had changed! I’d love to see a series of articles on how to protect ourselves.

  9. I wish I was there. My type of business commands me to do 2-3 MM a year with PayPal and have been with them since 2000. Their system is flawed especially when we encounter a case that is CLEARLY identity fraud. Paypal makes it very difficult to stop these folks despite numerous phone calls to their phone centers in the philippines and the US. We have clearly explained to them many times how frustrating it is compared to the old days and how they have removed many of the tools we used to rely on to make a decision on whether a person is legit or a scam ( like the old rating system they used to have). Im sure they are making a fortune, but not nearly as much as they could be making if they didn’t have some of their procedures in place in instances where there is CLEAR fraud involved.

  10. @Jim F

    Your accounts should not be getting hacked that often. Are you sure your computer is not compromised?

  11. I’m interested in @Jim’s situation above. Will the VPN really solve that much?

  12. It seems like a lot of work, a long time and a lot of organizational skills to create fake identities. if the scammers would devote the same resources to work or school, they could probably be very successful at a legitimate business.

  13. Note: many of the VPN services out there are just cons themselves. Supposedly protecting you from others, while they just monitor and sell your data themselves.

    So, before choosing one, be sure to do your due diligence. There are lots of reviewer articles it there on security websites.

  14. Gary,

    I’m not sure if you’ve written about it before, but here’s a very informative white paper from Experian about how they calculate “bust-out fraud” risk. Part of what is describes is how churners with excellent credit can end up looking like a huge fraud risk if they open cards too quickly and suffer adverse action as a consequence.

    Chase, for example, is known to run the bust-out score on new applications. So some churners, if they’re not careful, may get a swift axe and all their accounts closed.

  15. “Everyone’s data is out there. Using social security numbers, dates of birth, and mother’s middle name for validation has become worthless, after the Equifax breach but even before.”

    Could not agree more.

  16. Agree with using a VPN. I used to work for the #2 U.S. bank and worked from home. I couldn’t login to the bank systems without going through the enterprise VPN on my laptop. That’s when I signed up for a VPN for my own laptop. I also use it on my tablet and my cell phone. A VPN creates a secure, encrypted connection between your device and the site you’re trying to reach, making your activity invisible to those trying to hack your system. I also use a TOR-based browser to ensure my online activity isn’t tracked.

    As a frequent traveler, I have found two other advantages. First, I can use some streaming services overseas by setting my VPN location to a U.S. server. Second, I have occasionally found that by setting my location to say, Switzerland, that I have found better fares when booking Lufthansa and the same goes for other airlines (sometimes certain taxes are not assessed).

  17. What we need is active enforcement with 10-20 year prison sentences for committing identity theft.

  18. @Gary: “Here’s how a phantom borrower is born. The scammer creates their fake identity, gets a fake ID and decides what social security number to use.”

    How do they get a SSN?

  19. This kind of stuff with identity theft is why some parents of Americans born abroad don’t always want to apply for the child’s Social Security number at the time of applying for the citizenship paperwork and US passport of the US child born and living abroad. Fortunately, US citizens without a SSA number can still get passports without having SSA number.

  20. Nick,

    Sounds good in an ivory tower, but in the real world the costs of incarceration are very high. Burning good money after bad sounds like a waste of money. Crime prevention should be the name of the game, while keeping in mind that growing the prison industrial complex is not a great way to prevent crime.

    There are other models out there to reduce the ability for fraudulent identity-based credit theft to hit lenders. Look at what the Scandinavian countries have pulled off to reduce credit theft.

  21. Always amazed at the number of cards we have to cancel each year for fraud. Three out of about thirty between myself and my SO in 2020 and we have all cards in our possession, credit use is down 85%, passwords are secure, no cards have been skimmed , nothing is being leaked over public internet and virtual card numbers are frequently used.

  22. @GUWonder
    The Asian public caning model sounds better to me and also wouldn’t cost much nor grow the prison complex.

  23. @Jim F. a government security expert recommended to me that I use a Chromebook for any financial transactions. The Chromebook is like a terminal for Google’s servers, so there’s no place on a Chromebook for viruses or key-loggers to hide. If thieves want your data they’ll have to steal it from Google, which is possible but much less likely than stealing it from your phone or computer. But make your password very very strong and change it regularly.

  24. The business from providing services to unverifiable accounts surpasses the cost of fraud. There are 20+ million unverifiable people in this country.

  25. For US citizens who have minor children born and living abroad, if not claiming the children for US tax purposes, then there is no need to even apply for such children to have a Social Security number before it’s of use to such children. Delaying the acquisition of a valid SSA number for minor children reduces the chances of being subject to the more difficult SS number-using identity theft that goes on in the US.

  26. @Jim F.: One concrete suggestion: Use a ‘burner’ credit card. Whenever you buy anything online you go through your card issuer’s portal to make the purchase. They create a “credit card” with exactly the amount you need for that transaction and charge your actual credit card. The vendor and interloping crooks can steal this burner — and have their own $0 credit line.

    More and more banks are offering this. One I recently saw was Capital One, although I have not used that.

    Obviously, this is a solution for just a subset of transactions, but an important one if you book online. There is no solution that deals with all cases.

  27. I tend to pay off all my CC statements early as I understood that credit ratings(scores) were based on the “final” balance, and so, by not having a balance at the time payment was due would be beneficial, Is this not correct?

  28. @Brian: the VPN creates a secure connection between your device and a proxy server on the internet; not the actual server you are trying to reach. Still safer than no VPN and quite helpful when traveling or on public wifi, but doesn’t further protect the exchanges between proxy and the actual server reached.

  29. I have used the VPN overseas & then gotten a call from the bank that someone unrecognized just logged onto my account.

  30. Good day !I am so excited today because, two months ago My bank account details was compromised from the bank data ,about $28,,000.00 was transferred out of my account. Bank fraud was said to be the cause, and the squad in charge of fraud is investigating .I was told it will take some days to trace the money, I might not get it all back. I took it upon myself by doing an underground investigation by hiring GX ,whom I found their email (GENERATIONXWEENIE@GMAIL.COM) by accident, while I was searching on Bing for something else.I would just like to say cheers to a marvelous fund retrieval and bring justice by revealing the identity of the bank staff who connived with another hacker to steal customers money through the help of GX in 24hours..The culprit has been handed to the police for further investigation as he claims he has been doing it for 2 years plus.

  31. ANDREW DOUG — Let me make sure I understand this. $28K was transferred from your account and a guy with a Gmail account got your money back for you???

    I did a Google search of Mr. Weenie and most of the results came back in Russian, directed me to sites that could generate fake gmail accounts or referred me to sketchy credit “repair” services.

    I don’t think you lost money due to fraud; I think YOU are the fraud. A warning to anyone else who sees this, I sure as hell wouldn’t contact generationxweenie if I had a problem.

  32. @BRIAN ,one man’s food is another man’s poison… don’t have to criticize andrew for his post ,you can have it deleted or reported..if you think he is not truthful about his comment.The guy he recommended must have proved him right by fixing his problems before posting such comment.

  33. The police in the USA don’t care about that kind of fraud. There was a big data breach where a local employer’s payroll data got hacked and sold on the dark web. When a friend’s SSN was used to try to establish electrical service in Arizona, law enforcement there wouldn’t even drive by the house where the new electric account had been set up. Which would seem to be a slam dunk easy case for the cops to close and all.

  34. How about sticking to TRAVEL topics on a blog about, uhm, TRAVEL ?

    You’re a smart person and know a lot of different subject, so start blogs for such subjects! But on a TRAVEL blog, please keep it to TRAVEL, and not spamming about other topics!

  35. @Jim my cc # has been repeatedly filched overseas and my guess is that it was swiped at restaurants. It is almost impossible to prevent unless you pay cash which I prefer not to carry in significant amounts.

    So now I always use a no AF CrapOne card at problematic vendors when I travel. I simply replace it with a new as needed and don’t use it for anything else. Less inconvenience than replacing an Amex Plat or other rewards card that might be tied to certain MRCs.

Leave a Reply

Your email address will not be published. Required fields are marked *