Tips from a Fraud Fighter for Spotting Assumed Identity Abuse
Karl Lubenow - Fraud Intelligence Team
Published April 3, 2024
A fraud trend my colleagues and I are increasingly seeing is cases of assumed identity abuse.
What is assumed identity abuse?
Assumed identity abuse (AIA) involves fraudsters exploiting the identities of real people who entered the US months or years ago using nonimmigrant visas such as J-1 (exchange visitor) or F-1 (student) visas, but are no longer living in the United States.
The terms “J-1 fraud” and “F-1 fraud,” which are sometimes used to describe this, can imply that there’s something fraudulent about the visas or visa applicants themselves, but that’s not necessarily the case. We use the term “assumed identity abuse” because it more accurately describes what’s actually happening. While it is possible that the original and legitimate visa holder is complicit in the selling or sharing of their US identity and SSN after leaving the country, we suspect that in most cases they are wholly unaware of the fraudulent activity.
Why is assumed identity abuse on the rise?
From a fraudster’s perspective, there is a simple elegance to assumed identity abuse. Essentially, it’s traditional identity fraud, but without as much risk.
Assuming a real identity with a real SSN can make committing fraud simpler since fraudulent loan applications, for example, will be attached to a real person and credit history, and can therefore generally pass KYC checks or even eCBSV.
If a fraudster steals the identity of someone who’s currently living in the United States, there is a victim who is likely to notice and report the crime, often within a matter of days or weeks. Stealing the identity of, for example, an F-1 student who hasn’t lived in the US for several years, offers all of the same advantages of traditional identity theft without that extra risk.
Sometimes the visa recipient may be complicit in the crime, either selling or sharing their US identity with the fraudster. When they’re not complicit, they’re unlikely to notice when their US identity is being exploited because they are no longer living in the United States or using their US-specific PII. Either way, there’s little chance of the victim noticing and reporting a crime in the case of assumed identity abuse.
How to spot assumed identity abuse
First, we should acknowledge that spotting assumed identity abuse manually is difficult. This unique fraud pattern is relatively rare, so it’s a bit like finding a needle in a haystack. Identifying it often hinges on spotting patterns across a number of applications; it is very difficult to find in isolation.
While every case of assumed identity abuse is a little different, there are four places my Fraud Intelligence Team colleagues and I focus on when looking for red flags:
- Historical data
- Linkage analysis
- Social media
- Email patterns
Let’s take a look at each of these in turn:
Historical data
Because this form of identity fraud is based on assuming the identity of a person who was temporarily in the United States but has since left, assumed identity abuse applications often include SSNs linked with address history in one specific area over a period of time, followed by a significant gap in their history.
For example, imagine that a person was issued a J-1 visa to work in Wisconsin Dells for the summer of 2005. That person would likely have an SSN that was assigned in Wisconsin in 2005. Their historical data would likely show an address history in Wisconsin Dells in 2005, and tie them to a Wisconsin phone number from around the same time. They might also have a Wisconsin driver's license and vehicle registration issued around that same time.
Since this person left the US at the end of their 2005 work, that should be the end of their history. In a case of assumed identity abuse, however, what we typically see is a lengthy gap (at least several years) where there is no address history, and then the identity resurfaces in a completely different location. In this second location, we will not see signs like a local driver's license or vehicle registration.
Typically, a financial institution would see nothing beyond a basic address history on the credit report, nor any other evidence suggesting the person has actually returned to the US. That’s because they haven’t returned to the US. Their reappearance at this second location after a years-long history gap is because their identity has been assumed by a fraudster.
There are also specific signs to look for in the locations themselves.
The first location with an address history – the legitimate one – tends to be somewhere that it would make sense for J-1 visa holders to work and/or F-1 visa holders to attend school: Wisconsin Dells, Myrtle Beach, resort towns in general, university towns, major urban centers, and agricultural areas.
When the identity resurfaces, the address used on applications is typically somewhere else.
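The gap-then-resurface pattern described in this section can be screened for mechanically. The sketch below is an added example, not SentiLink's code or part of the original post; the record layout, the function name `find_resurfacing`, the 3-year gap threshold, and the sample histories (including the resurfacing state) are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AddressSpan:
    state: str        # two-letter state of the reported address
    first_seen: int   # first year the address appears in the history
    last_seen: int    # last year the address appears in the history

def find_resurfacing(spans, local_id_states, min_gap_years=3):
    """Find the longest gap in an address history and flag it when the
    identity resurfaces in a new state with no driver's license or vehicle
    registration there. min_gap_years is an assumed threshold."""
    if not spans:
        return {"flag": False}
    ordered = sorted(spans, key=lambda s: s.first_seen)
    covered_until = ordered[0].last_seen
    seen_states = {ordered[0].state}
    best = None
    for span in ordered[1:]:
        gap = span.first_seen - covered_until
        if gap >= min_gap_years and (best is None or gap > best["gap_years"]):
            best = {
                "gap_years": gap,
                "resurfaced_in": span.state,
                "new_state": span.state not in seen_states,
                "local_id": span.state in local_id_states,
            }
        covered_until = max(covered_until, span.last_seen)
        seen_states.add(span.state)
    if best is None:
        return {"flag": False}
    # Red flag: long silence, new location, nothing local to corroborate it.
    best["flag"] = best["new_state"] and not best["local_id"]
    return best

# Constructed sample histories (not real data).
# Summer worker in Wisconsin in 2005, identity reappears in another state in 2021.
VISITOR = [AddressSpan("WI", 2005, 2005), AddressSpan("CA", 2021, 2023)]
# Continuous resident who moved states with no gap.
RESIDENT = [AddressSpan("WI", 2005, 2012), AddressSpan("CA", 2012, 2023)]
# Person who left and genuinely returned, and holds a license in the new state.
RETURNED = [AddressSpan("WI", 2005, 2005), AddressSpan("TX", 2015, 2023)]

if __name__ == "__main__":
    print(find_resurfacing(VISITOR, local_id_states={"WI"}))
    print(find_resurfacing(RESIDENT, local_id_states={"WI", "CA"}))
    print(find_resurfacing(RETURNED, local_id_states={"WI", "TX"}))
```

A hit from a check like this is a reason to run the linkage, social media, and email reviews described next, not a conclusion on its own.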
Linkage analysis
Looking for linked applications can be a powerful tool for spotting assumed identity abuse.
First, we typically look for applications with other identities that are using some of the same PII as the first application we reviewed. Often, we’ll find that these applications have similar patterns – the most common being the unusual, multi-year gap in address history. Other patterns may emerge here too, so it pays to look closely.
Second, we look for addresses the applicant has been linked to since “resurfacing” in the United States, but that were not the listed address on the application. If those addresses have ties to other suspected instances of assumed identity abuse, or to identities known to be associated with assumed identity abuse, that’s a signal that the application we’re assessing might be AIA as well.
Social media
While our products don’t use social media data, social media – particularly Facebook and LinkedIn – can be a source of important evidence in cases where we suspect assumed identity abuse. While not everyone is on social media, when our manual reviews can find a profile that is linked to the “true” identity (i.e. the original J-1 or F-1 recipient), we can also often find evidence of their movements over time.
To continue with our example from earlier, if we find a Facebook account for our applicant with photos from Wisconsin Dells from around 2005, but all subsequent photos are of locations outside the US, that provides us with additional evidence that the new application using the resurfaced identity is fraudulent.
Email patterns
Beyond the SSN and address history, another signal of assumed identity abuse can be uncovered through an analysis of emails. Fraudsters often create new emails for multiple assumed identities at or around the same time, and thus patterns are often evident in the email handles and creation dates.
For example, if we see a cluster of applications around a certain time, all with other signs of assumed identity abuse, we might also see that the emails associated with each application were created or first seen around the same time and follow a similar naming convention. For example, the email handles might all look like firstnamelastname1234, with the names and digits changing on each application but the format remaining the same.
This type of pattern can give us additional evidence to conclude that we're seeing a case of assumed identity abuse.
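One way to surface this kind of cluster is to reduce each email handle to its format and group applications whose emails share a format and were first seen close together. This is an added example, not SentiLink's code or part of the original post; the tuple layout, the function names, the 14-day window, the minimum cluster size of 3, and every sample record are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

def handle_shape(email):
    """Collapse the local part to its format: letter runs -> 'L',
    digit runs -> 'D<length>'. firstnamelastname1234 becomes 'LD4'."""
    local = email.split("@", 1)[0].lower()
    shape = re.sub(r"[a-z]+", "L", local)
    return re.sub(r"\d+", lambda m: f"D{len(m.group())}", shape)

def email_clusters(apps, window_days=14, min_size=3):
    """Group applications whose emails share a handle format and were first
    seen within window_days of the earliest email in the group."""
    by_shape = defaultdict(list)
    for app_id, email, first_seen in apps:
        by_shape[handle_shape(email)].append((first_seen, app_id))
    clusters = []
    for shape, rows in by_shape.items():
        rows.sort()
        group = [rows[0]]
        for row in rows[1:]:
            if (row[0] - group[0][0]).days <= window_days:
                group.append(row)
                continue
            if len(group) >= min_size:
                clusters.append((shape, [app for _, app in group]))
            group = [row]
        if len(group) >= min_size:
            clusters.append((shape, [app for _, app in group]))
    return clusters

# Constructed sample applications: (application id, email, email first seen).
APPS = [
    ("A-101", "mariaionescu4821@example.com", date(2023, 3, 2)),
    ("A-102", "danpopa1975@example.com", date(2023, 3, 4)),
    ("A-103", "elenastan3310@example.com", date(2023, 3, 9)),
    ("A-104", "j.miller@example.org", date(2019, 6, 1)),
    # Same handle format, but first seen years earlier, so not in the cluster.
    ("A-105", "tomreed2044@example.com", date(2020, 1, 15)),
]

if __name__ == "__main__":
    print(email_clusters(APPS))
```

Name-plus-digits handles are common among legitimate users, so a shared format only carries weight when it coincides with close creation dates and the other signs described above.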
A textbook example of assumed identity fraud
To illustrate what AIA looks like in practice, consider the case of Andrei, a Romanian whose identity was used for assumed identity abuse in a credit application received by one of SentiLink’s partners in 2023.
(Note: While this is a true story, we have changed the name and some of the other details to ensure the privacy of the individual in question).
The real Andrei came to the US sometime around 2009, and was issued a social security number in Alaska in 2009. His address history, social media, and other information suggest that he was in the US between 2009 and 2011, in vacation destinations in Alaska and Massachusetts. “Real Andrei” has no history tying him to the US after 2011.
In 2023, an application using Andrei’s real name, date of birth, and SSN was submitted to one of SentiLink’s partners. The application lists a California address and phone number, and an email address that has never previously been associated with Andrei. The mailing address and email address on the application are tied to a California-based business that was opened in Andrei’s name in 2021.
In total, over a dozen other applications for financial products were submitted using Andrei’s identity between 2021 and 2024, including applications for DDA accounts, SMB loans, credit cards, and consumer loans.
Had Andrei really returned to the United States and submitted these applications? No. Andrei’s story fits the classic pattern of assumed identity abuse:
- Address history in locations that suggest a J-1 or F-1 visa – in this case, vacation destinations in Denali National Park, Alaska and Martha’s Vineyard, Massachusetts.
- A years-long gap with no history, suggesting that Andrei has left the United States, followed by an application listing a US address in a state to which Andrei has no previous ties.
- A high velocity of applications over a relatively short period of time.
Furthermore, a LinkedIn account with Andrei’s name shows work history in Alaska and Massachusetts from 2009 to 2011, but also shows that he has been and remains employed in Romania ever since.
The clear explanation is that the real Andrei worked in the US, likely on a J-1 visa, between 2009 and 2011, and then left the country and has not returned. The cluster of financial applications associated with his name in the 2020s is assumed identity abuse.
Augmenting ID verification systems to catch assumed identity fraud
Identifying assumed identity abuse manually is possible but very difficult. Working through the process described above case-by-case takes time, and the linkage analysis is often only effective with access to application data from a variety of organizations. Financial institutions – who typically aim to verify identities within a matter of seconds and who only have access to their own data – need a much faster and more accurate solution.
SentiLink partners can make catching assumed identity abuse simpler and quicker by implementing our Assumed Identity Abuse flag as part of their fraud detection capabilities. This flag checks applications for some of the red flags discussed in the previous section, and also checks applications against SentiLink’s list of identities known to be associated with assumed identity abuse.
When identity fraud is suspected at the time of application, treatment options should hinge on verifying additional documentation that a fraudster is unlikely to have, such as tax transcripts, driver licenses, and other government IDs. If possible, verifying those documents against trusted data sources such as the AAMVA database can help to protect against the possibility that the fraudster furnishes fake documents to pass these additional verifications.
For more detail on recommended treatments for this problem, check out the article written by my colleague John Chang: "The Complicated Landscape of Assumed Identity Fraud."
Or, see our Assumed Identity Abuse flag in action for yourself by booking a demo today.