How People Commit Credit Card Fraud (And Why You Accidentally Trigger Alerts)

After writing recently about legislation in New York where banks have to let you redeem your accumulated points even if they decided to close your account, I wound up having several conversations with readers about the kinds of activities that look risky to a bank and may make them decide they don’t want your business anymore.

I was reminded about something I wrote three years ago based on a presentation at a credit card industry conference I spoke at: a talk by Steve Lenderman, Fraud Operations Lead for Paypal, who talked about how people commit fraud against financial institutions. He explained in particular why having a lot of authorized users, and why making mid-cycle payments to a card, can look like fraud. And behaviors undertaken by bad actors look suspicious when they’re legitimately undertaken by the rest of us.

Fraudsters create synthetic identities and it’s easier to do it than most people would imagine. They’re creating a person financially or digitally that doesn’t exist, new identities using a combination of real data and fabricated information.

  • Social security numbers are easy for people who know what they’re doing. Prior to 2008 social security numbers weren’t randomized, and there’s still an algorithm used to create these numbers.
  • Social security numbers that get targeted most are ones infrequently used — those of children and the elderly — he recommends freezing the credit file of your children.
  • Everyone’s data is out there. Using social security numbers, dates of birth, and mother’s middle name for validation has become worthless, after the Equifax breach but even before.

Here’s how a phantom borrower is born. The scammer creates their fake identity, gets a fake ID and decides what social security number to use. They go into a store, say Target, and they’re offered a credit card at checkout. The clerk at the store isn’t looking for fraud, they’re incentivized for getting the application.

  • Applying creates a credit file.
  • They’re probably turned down for credit.
  • They go back 2 or 3 times to different issuers and do that again. Now there’s more data in the file.
  • Eventually a bank will approve with a small limit. That bank has a limited risk (because of the small limit) but the ‘person’ now exists.

There are super easy cards to get with $500 limits. Then that person gets marketed to for more cards.
The identity itself is worth more than the credit lines, so they don’t go spend the $500. Their credit lines increase as bills get paid.

The ‘person’ is able to apply for credit, open deposit accounts, purchase insurance policies, enroll in medical benefits, and obtain drivers licenses and passports.

  • The process gets sped up through authorized users. They’ll pay to be added to an existing real account as an authorized user. They use credit repair services which are viewed as ‘legalized brokers’.

  • When these new authorized user accounts report to credit bureau, they can improve the FICO score. It’s not uncommon to see accounts with 70 or more authorized users because people are selling their authorized user additions.

  • Every 10-21 days (depending on the speed of reporting) FICO scores will jump 30-60 points. So they sit on it for six months and they’ve got a 750 score. Then the authorized users start to become primary cardholders. Someone that’s an authorized user on 70-80 accounts is a future credit risk, having 10 or more authorized users on your own cards is a fraud flag.

Large banks are bigger targets than small credit unions, it’s easier to hide within millions of customers. 85% of identity theft is tied to synthetics. There’s $355 million in outstanding credit card balances owed by people that don’t exist (and this is up eight-fold over the last 5 years).

There are 6 million new credit files each year with little or no data/history. There are 20 million valid identities with overlapping social security numbers. There is no person victim to report the fraud, no real person to inquire of for collections. Most of this is treated as a credit loss and charged off.

These synthetic identities apply to rewards accounts, too. They stick it to the bank for the transactions and earn rewards doing it.

Customers do payment kiting between accounts. They take their $10,000 card, buy $10,000 worth of stuff at Macy’s, and send in a $20k payment from a checking account with $50 in it. Now they have more credit to spend at the store the next day, before the $20,000 payment bounces. This is one reason banks may flag mid-cycle payments.

There are also merchant rings that ‘cut out the middle man’ of Macy’s or Best Buy. The merchant runs a $10,000 charge and writes a check back to the cardholder for the net (mins merchant fees). Or they use fictitious merchants — it’s easy to become a small merchant with credit card processing.

Credit repair services can be used to preserve synthetic identities taking advantage of the ability to dispute inaccuracies on a credit bureau. Some institutions can’t manage to complete their investigation and respond within 30 days and so negative items come off a report. People will dispute the same items over and over until the institution fails to respond in time.

Ultimately credit reports that look like reports which have been used for fraud in the past get flagged.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. […] How People Commit Credit Card Fraud (And Why You Accidentally Trigger Alerts). – Excellent article by my friend Gary about how your credit card behaviors can trigger alerts and make the bank think that you’re committing fraud. It’s interesting to see how some criminals are playing the “long game” with these fake credit cards/profiles to build up credibility so that they can create a bigger scam. Definitely worth a read. […]

  2. […] Most credit card fraud doesn’t happen the old fashioned way, with one person stealing another person’s card number directly (or even really knowing whose card it is). Most of the time there’s a massive data breach (millions of card numbers!), there’s a number generator being used to come up with card numbers and this works especially well with brand new types of cards (so there’s a limited number of expirations to try), or through creation of synthetic identities that get approved for cards. […]


  1. I love how detailed and informative this article is. I might have picked a lesson or two from it.

  2. I was an online baby products retailer at before their site was hacked some years back. All credit card data was apparently stolen from the site and traced to a hacker in Yugoslavia and my details appeared to be amongst them. It was crazy because these hackers purchased all sorts of things with my card, they sent me a spam message with an email and I clicked their links. These guys hacked the living shit out of my phone, I’m talking about cloning it an exact copy getting access to my emails, social media, social security number, It was a pretty devastating situation, turns out they were targeting my husbands construction company through me, I’m an accountant officer in his company. I reported the case to police but they couldn’t go far with the it but they were able to uncover that they are a multi national hacking syndicate employed by elites and so on. I had a few suspects I won’t lie but sadly it all came to nothing.

  3. The failure in chief administration recently added credit card fraudsters to its list of jobs created.

  4. So if you keep your authorized users to a reasonable 1-3 persons and allow your mid-cycle payments a couple days to clear the chances of your credit card issuer considering you a fraudster decreases dramatically, to perhaps non-existent?

  5. Is it really true that making mid-month payments is a “red flag”? After a large purchase has posted to the CC, I transfer funds from my bank to cover it. I do this because it seemed to me that I was “protecting” my credit score by not having too high a percentage balance against my credit limit….

  6. Scott,

    Mid-month payments are only a problem if they are accompanied by the other things noted here. At first they will seem a little questionable, but if you have a pattern of making them it won’t matter.

  7. I normally just pay the balance a couple of days before the closing/statement date. But some banks will report a balance mid-cycle and depending on the amount, it can drop the score. Just recently I had a mid-cycle report from the verizon visa card and my score took a 6 point hit as the balance was a decent amount. I always have that at zero by the closing date, but the jerks decided to report mid-cycle. (Needless to say the card has been put back in the vault and not getting used anymore.) Me personally when I see any balance that is too high for my own comfort, I zero it out. I do that with Citi, Chase, and Barclay. AmEx (charge card) I sometimes let roll as it’s no pre-set limit regardless.

    It never dawned on me that the action of paying mid-cycle might be a data point for fraudulent activities. Interesting read.

  8. My wife bought 3 things via Etsy within the span of an hour and that triggered an Amex alert and temporary shutdown. A second authorization at a gas pump is often rejected as well.

    But somebody can steal a card and use it 20 minutes later to charge hundreds at Best Buy, Home Depot, Target and Nordstrom and nothing is flagged.

    It seems to me issuers need to tweak their fraud programs behind what some nerd formula.

  9. This is precisely what happened to me. I had an Authorized User added to a Wells Fargo administered credit card without my knowledge or consent. This was done to create a synthetic identity and is the latest Wells Fargo Bank fraud scheme. It was implemented in 2016 after the OCC Consent Orders were handed down. In part, those consent orders required Wells Fargo to notify consumers if another account was opened in their name and to obtain informed consent for any credit inquiries.

    Oddly, the OCC consent orders left untouched any verification from the consumer if an authorized user is added to their account. Thus, the new scheme is born.

    I will add this as I do not recall seeing it in the article. Quite often the authorized user, who added themself to the account will change the address of the account. This is done to establish residency for the synthetic identity. Usually it will take a few months, but Wells Fargo will create enough delay to establish residency before changing the address back to the account holder. WF reps will make contact during this time to prevent any late payments which would affect credit reporting and create unnecessary attention to the scheme.

    It is a brilliant scheme designed to go completely undetected since it should not cause any harm to the consumer. Only the good credit history is hijacked for use by the fake user..

Leave a Reply

Your email address will not be published. Required fields are marked *