Richard had spent thirty years in the fraud space. He’d worked investigations for a regional bank, consulted for credit bureaus, sat on panels about synthetic identity detection. He knew how the system worked. He knew what fraudsters were after.
He had never frozen his grandson’s credit.
It wasn’t that he didn’t know credit freezes existed. He’d recommended them to clients for years. He’d explained the mechanism to anyone who would listen: freeze your file at all three bureaus, lock the door before anyone tries to open it. Good advice. Sound advice.
The threat model he carried was just the wrong one.
Richard’s threat model was about Richard. Someone stealing his information. Someone impersonating him. Someone filing a fraudulent return in his name or opening a Visa card with his Social Security number. The consumer protection playbook he’d absorbed over three decades was designed exactly for that — for an adult with an existing credit history, a detectable breach, and a paper trail to dispute.
His grandson was seven years old. He had no credit cards. No bank accounts. Nothing to steal.
That’s the product.
The story everyone is telling
The consensus model of identity theft protection is basically correct. Get breached — and you will — someone might try to file a fraudulent tax return with your Social Security number, or open a credit card in your name. Your defense layer: a credit freeze at all three bureaus (Equifax, Experian, TransUnion) prevents new accounts from being opened in your name; an IRS Identity Protection PIN, a six-digit code that changes annually, means no one can e-file a return with your SSN without it. These tools work. The credit freeze is federally guaranteed and free. The IP PIN program is open to all taxpayers. The defense isn’t perfect, but it has teeth.
This model assumes the fraudster wants to be you.
A different and faster-growing category of fraud doesn’t want your identity at all. It wants one ingredient from you — typically a Social Security number — and it constructs a completely new person around it. Not a copy of you. A ghost.
This is synthetic identity fraud. And the legal and consumer infrastructure built to protect you was not built to stop it.
How a ghost gets built
The mechanics are worth understanding because they explain why the standard defense fails.
A fraudster obtains a Social Security number. Not through impersonation — they’re not pretending to be you. They attach that SSN to a fabricated name, a fake birthdate, a generated address. They apply for a secured credit card with a small limit. They make payments. On time, every month. They wait.
Over twelve to twenty-four months, the synthetic persona builds a real credit profile. The bureaus record the payment history. Lenders see a thin but clean file. The synthetic person becomes, in the eyes of the credit system, creditworthy.
Then comes the bust-out. Every available credit line gets maxed simultaneously. The synthetic person disappears. The lender writes off the loss as bad debt.
Nobody files a fraud report. Because the “victim” — the fabricated person — was never real. The actual victim, the person whose SSN was borrowed to anchor the ghost, often doesn’t know anything happened.
Federal Reserve–aligned industry studies summarized in a Fed-led synthetic identity fraud background paper put early lender-loss estimates in the single-digit billions per year at one mid-decade snapshot — and emphasized why much of this lands as ordinary credit losses rather than neatly labeled “fraud.” The Boston Fed still treats synthetic identity fraud as among the fastest-moving threats precisely because accounting masks it.
The working hypothesis: Synthetic identity fraud has grown this large not just because fraudsters got more sophisticated, but because a 2011 regulatory decision quietly removed the most scalable structural mismatch signal in many lenders’ workflows — and the population bearing the cost is disproportionately children who won’t discover the damage until they’re old enough to apply for their first loan.
The 2011 decision nobody explained to parents
For most of the Social Security program’s history, SSNs were not random. The first three digits — called the area number — corresponded to the state where the number was issued. The next two digits, the group number, followed a known issuance sequence. This meant a Social Security number carried embedded information: it implied a geography, a rough era, a life history that should be consistent with the applicant presenting it.
For lenders and fraud examiners, this wasn’t a foolproof check. But it was a structural one. An SSN with a New Jersey area number attached to someone claiming to have grown up in Nevada, with a birthdate inconsistent with the issuance window, was detectable as wrong. The mismatch created friction. Friction creates cost for fraudsters. Cost reduces volume.
In June 2011, the Social Security Administration randomized SSN issuance. The geographic encoding disappeared. The sequential group patterns stopped carrying the same meaning. Every SSN issued under the randomized rules carries far less public structural information about issuance geography than the legacy scheme did.
The SSA had legitimate reasons. The legacy assignment design created predictable patterns that supported fraud. Randomization closed that vulnerability.
What it opened was larger.
After 2011, attaching an arbitrary SSN to a fabricated persona often removes the simple geography mismatch signal lenders once leaned on in automated screening. There is less mismatch to detect. Less issuance-window signal to cross-reference at the margin.
The Federal Reserve launched its synthetic identity fraud awareness initiative in 2018 — seven years after randomization. Industry alignment on definitions alone took years — exactly what you expect when the crime hides inside credit losses.
Why children
Here is the part Richard hadn’t put together.
An adult’s SSN comes attached to a life. Credit history, employment records, addresses, accounts. When a fraudster tries to attach an adult’s SSN to a synthetic persona with a different name and birthdate, there are data points that conflict. The adult’s existing credit file creates noise. The mismatch is harder to conceal.
A child’s SSN comes attached to nothing.
No credit history. No existing accounts. No addresses in any financial database. The SSN was issued, and then the child went home and learned to walk and talk and ask for snacks. From the financial system’s perspective, that number is a clean slate.
A clean slate is exactly what synthetic identity fraud requires.
The fraudster takes the child’s SSN, attaches an adult identity to it, and begins building. The bureaus have no prior file to conflict with. There’s no noise. The synthetic persona grows undisturbed.
The child turns eight. Twelve. Fifteen. Nothing in their life intersects with the financial system in a way that would surface the problem. They’re not applying for credit. No one is checking their SSN against a credit report.
They turn eighteen and apply for their first credit card or student loan. The credit system returns a file that belongs to a ghost with a different name, a different birthdate, and defaulted debt.
The cleanup takes years. Documentation. Dispute letters. Calls to bureaus. Calls to creditors. Affidavits. Attempts to prove, bureaucratically, that you are not a person who never existed.
TransUnion data summarized in trade reporting found synthetic-related bankcard credit inquiries surpassing 1% for the first time in its tracking window — a sharp jump from prior rates described on the order of tens of basis points. That is not proof every application succeeded — it is proof the channel is no longer niche.
There is one more layer to this. A whistleblower complaint now under review by SSA’s Office of Inspector General alleges that a former DOGE software engineer claimed to have retained copies of highly restricted databases on a personal thumb drive—including NUMIDENT, the master enumeration file behind Social Security numbers—and discussed sharing them with a private employer. The engineer denied wrongdoing to the Post. No court has found the allegation true; treat it as contested—but live—infrastructure risk layered on top of the structural child-SSN problem.
The legal gap (and why it matters)
The core federal identity theft statute is 18 U.S.C. § 1028, last substantially updated in 2004. It makes it a federal crime to use another person’s identifying information without authorization.
Synthetic identity fraud doesn’t use another person’s identity. It constructs a new one. There’s no other person to be the victim in the way the statute imagines. The statute fits impersonation better than fabrication.
Prosecutors can charge synthetic fraudsters under wire fraud or bank fraud theories. But there is no clean federal “synthetic identity construction” offense mapped to the fabrication pattern. Indiana created a dedicated synthetic identity offense in 2021 (state criminal code art. 43, ch. 5) — an exception, not the federal baseline.
This matters because enforcement shapes deterrence. The regulatory infrastructure — the credit freeze right, the IP PIN system, the FCRA dispute process — was built around the impersonation model. Each tool assumes a real victim who can identify harm and file a claim. Synthetic fraud produces a victim who is a child with no credit file who doesn’t know they’ve been used. The defense was designed for someone who can see the attack coming.
The attack on your child is silent until it isn’t.
What you can actually do
The credit freeze works on this problem. It just has to be applied to your child, not only yourself.
When you place a credit freeze on a minor’s file, the bureau is prevented from creating a credit file for that SSN at all. No file means no synthetic persona can be anchored to it. The fraudster needs a clean SSN to build on. A frozen file isn’t clean.
The process for a minor is more manual than an adult freeze. Because children don’t have existing credit files, you can’t do it through the bureaus’ standard online portals in every case. You’ll need to contact each bureau with documentation: proof of your identity, proof of the child’s identity (birth certificate, Social Security card), and proof of your relationship to the child. Each bureau publishes instructions on its site.
It’s a form and an envelope. It takes an afternoon.
For adults: start with the FTC’s credit freeze page and the IRS IP PIN program. Both are free when used as intended.
Richard froze his grandson’s credit the week he finally put the pieces together. He closed a loop he’d left open for years — not because he was careless, but because the threat he’d spent his career watching didn’t look like this.
Neither did yours, until just now.
What would change my mind
-
Substitution controls: credible evidence that major issuers replaced geography-based SSN checks with equally scalable automated inconsistency detection before synthetic volumes exploded — weakening the causal story tied to randomization timing.
-
Measured bust-out absence: if TransUnion-style inquiry-share metrics and lender charge-off attribution show synthetic-driven bust-outs not rising into the early 2030s as post-2011 issuance cohorts age into prime borrowing years, the demographic timing arm of this thesis weakens.
-
Legal closure: a federal statute or sustained prosecution pattern that treats synthetic fabrication as a first-order offense with investigative default pathways — changing deterrence the way §1028 did for classic impersonation.
Related: Your Data Left the Building — the DOGE-era SSA court record on verification gaps sits upstream of any synthetic-fraud discussion tied to federal data handling.
If you found this useful, the best thing you can do is forward it to one person who would push back on it. I’d rather be wrong in public than right in private.