Where Do Fraudsters Start With Stolen Identities?

Charlie Custer

Published

June 16, 2026

Say you're a fraudster and you've just acquired a stolen identity you'd like to use for maximum financial gain. What do you actually do? Where do you apply first? How long do you wait before submitting your next application?

At SentiLink, we're always interested in how fraudsters behave, and we have the data to answer these questions. When we compared application behavior associated with exploited identities to the behavior of legitimate consumers, we found some significant differences, both in the types of institutions fraudsters target and in the velocity with which they tend to apply.

How we investigated

To investigate this question, we looked at the first five applications on record for a total of 2,391,411 distinct identities that submitted applications between January 1, 2023, and April 28, 2026. These identities submitted a total of 11,239,356 applications over that period, each of which was scored using SentiLink's Identity Theft Score. Identities were split into two groups:

  • Exploited identities — 285,236 identities that showed a consistent high-risk-score pattern indicating they had been stolen and were in active use by fraudsters.
  • Control identities — 2,106,175 identities that showed a consistent low-risk-score pattern indicating a very low probability that the identity had been stolen.

While this is quite a large sample and all of the results that follow are statistically significant, it is important to note that it is a limited sample from SentiLink's data: we only have visibility into applications that were submitted to SentiLink partners. SentiLink's partner list is large and has grown over time — we now serve 500+ partners, including 13 of the top 15 US banks — but in most cases, there are likely at least a few applications connected to many of these identities that were not included in this analysis because they were submitted to institutions we did not work with at the time.

The results

What normal looks like

When we examine the behavior of the control identities — identities we have high confidence were not stolen during the period — we find pretty much what you'd expect from a legitimate consumer, with applications focused primarily on banking and consumer lending (which includes Buy Now, Pay Later services consumers frequently use to finance small purchases).

For example, when we look at the first application submitted by a control identity, nearly 70% of them are banking, consumer lending, or credit union applications:

Similarly, if we look at the most common sequences of the first three applications associated with control identities, we can see that they tend to remain in this space:

None of this is surprising. But as we'll see, fraudsters who've stolen an identity behave differently.

Fraud looks different

While the most common first applications among exploited identities (i.e. stolen identities under the control of fraudsters) are still to consumer lenders and banks, when we look at the top five most common first applications among exploited identities we can see a significant difference:

While almost 70% of control identities submit their first application to a consumer lender, bank, or credit union, fewer than 40% of fraudster-exploited identities start there.

On the flip side, more than 40% of fraudsters submit their first application to a non-bank alternative finance (AltFi) lender, neobank, or telecom company, whereas just 10% of control identities submit their first applications in those categories.

When we investigate the first three applications associated with exploited identities in sequence, it appears that many fraudsters are choosing to specifically target AltFi lenders, telecom companies, and neobanks early in their exploitation of a stolen identity. The most common first-three-application sequence among exploited identities was AltFi → AltFi → AltFi, followed by Telecom → Telecom → Telecom.

(This pattern has not shifted much with time; when we broke the applications down by year, we found that in every year, fraudsters were more likely to start their exploitation of a new identity with AltFi, telecom, or neobank applications than legitimate consumers (control identities) were.)

Looking across the full list of applications associated with a given identity, we see the same pattern repeated again: legitimate consumers (control identities) tend to have more consumer lending and bank applications, whereas fraudsters are far more likely to apply to AltFi lenders, neobanks, and telecom companies.

To put it another way, fraudster-controlled identities were:

  • 4.5x more likely to have an AltFi application.
  • 2.6x more likely to have a telecom application.
  • 2.4x more likely to have a neobank application.

Fraudsters apply faster

When we look at how fraudster identity exploitation differs from legitimate consumer behavior, there is another significant difference worth noting: fraudsters tend to submit applications at a much higher velocity. The average control identity had a median gap of more than 40 days between applications, whereas the median average gap for fraudsters was just 15 days.

Exploited identities were also more likely to be associated with multiple applications in short periods of time; for example, nearly 60% of exploited identities had submitted multiple applications within 2 hours of each other, compared with just 40% of control identities.
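The category-sequence and velocity measurements described above can be computed per identity from raw application records. The following is an added illustration, not SentiLink's code or scoring logic; the record layout, function names, and sample data are constructed assumptions, while the category names, the first-five cutoff, and the 2-hour window come from the post.

```python
from datetime import datetime, timedelta
from statistics import median

# Categories the post reports as over-represented among exploited identities.
EARLY_TARGET_CATEGORIES = {"altfi", "telecom", "neobank"}
BURST_WINDOW = timedelta(hours=2)  # window used in the post's velocity comparison


def identity_features(applications, first_n=5):
    """Summarize one identity's earliest applications.

    applications: iterable of (iso_timestamp, category) pairs (assumed layout).
    Only the first `first_n` applications in time order are considered.
    """
    apps = sorted((datetime.fromisoformat(ts), cat.lower()) for ts, cat in applications)
    if not apps:
        raise ValueError("identity has no applications")
    apps = apps[:first_n]
    times = [t for t, _ in apps]
    cats = [c for _, c in apps]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return {
        "first_category": cats[0],
        "first_three": tuple(cats[:3]),
        # Share of early applications sent to AltFi, telecom, or neobank.
        "early_target_share": sum(c in EARLY_TARGET_CATEGORIES for c in cats) / len(cats),
        # None when the identity has a single application (no gap to measure).
        "median_gap_days": median(g.total_seconds() for g in gaps) / 86400 if gaps else None,
        "burst_within_2h": any(g <= BURST_WINDOW for g in gaps),
    }


def summarize(records):
    """Map identity id -> feature dict for a {id: [applications]} mapping."""
    return {ident: identity_features(apps) for ident, apps in records.items()}


# Constructed sample data (not real applications).
SAMPLE = {
    "id-A": [("2025-03-01T10:00:00", "AltFi"), ("2025-03-01T11:15:00", "AltFi"),
             ("2025-03-04T09:00:00", "AltFi"), ("2025-03-20T09:00:00", "Telecom")],
    "id-B": [("2025-01-10T12:00:00", "Bank"), ("2025-03-02T12:00:00", "Consumer lending"),
             ("2025-04-20T12:00:00", "Credit union")],
}

if __name__ == "__main__":
    for ident, feats in summarize(SAMPLE).items():
        print(ident, feats)
```

These are descriptive features only; the population-level rates in the post show that any single one of them also occurs among legitimate consumers (40% of control identities had applications within 2 hours of each other).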

Conclusion

Clearly, the way that fraudsters tend to use stolen identities differs dramatically from the typical behavior of legitimate consumers. And while fraud is endemic in every industry, it is clear from the data that specific types of lenders — AltFi lenders, neobanks, and telecom companies — may face an elevated level of risk because fraudsters are more likely to apply to them, and more likely to apply to them early, before the victim has had any chance to notice and report the crime.

This underscores the importance of highly accurate fraud prevention. SentiLink's Identity Theft Score flagged these applications; other solutions might not.

 
