Synthetic Identity Fraud: How Cybercriminals Are Building Fake Personas to Exploit UK Digital Ecosystems
How do you spot a threat actor that doesn’t exist?
In today’s digital-first world, identity is no longer just a name and date of birth — it’s a dynamic web of data points, built over time, that shapes how we interact with financial services, mobile networks, online communities and government platforms, as well as how these firms view us. Increasingly, cybercriminals and fraudsters are manipulating these data points to create synthetic identities: entirely fabricated personas that look real and behave like real users — but are used to commit large-scale fraud across sectors.
Synthetic identity fraud involves creating a new, fictitious identity by combining genuine personal data (often stolen) with invented details. Unlike traditional identity theft which hijacks an existing person’s identity, synthetic fraud creates a “ghost” identity that doesn’t belong to any one individual. This makes it harder to detect and trace — and often invisible to conventional fraud prevention systems.
How Synthetic Fraud Starts Can Vary
Cybercriminals may begin by collecting authentic data from breaches affecting banks, telcos, retailers, gaming platforms and even government services. And with the Cyber security breaches survey 2025 noting approximately 612,000 UK businesses and 61,000 UK charities identified a cyber breach or attack in the past year, there’s certainly plenty of data available for fraudsters to compromise. This data can include: names, dates of birth, addresses, mobile numbers, email accounts and biometric data. These details are sold on the dark web or shared in criminal forums, often bundled into “fullz” (full identity kits).
Other methods include scraping publicly available personal data, as well as scams like phishing, smishing, social engineering and fake engagements where unsuspecting victims are tricked into sharing sensitive information via conversations or malicious digital links. These tactics can be conducted manually by individuals or criminal rings, or automated using bot farms. Indicating how prevalent these schemes are, TransUnion’s Q2 2025 Consumer Pulse Survey revealed 47% of consumer respondents experienced email, phone call or text message fraud attempts.
Once fraudsters have this data, it’s combined with fabricated elements: invented names, social media profiles, fraudulent bank account details, disposable email accounts, burner mobile numbers and AI-generated profile photos. This creates a new identity that appears legitimate to systems relying on data matching.
Bot farms — networks of automated scripts — are also used to scale the creation and management of synthetic identities. These bots can digest genuine information and generate thousands of fake profiles at the click of a button, in addition to simulating ‘human’ behaviour when the identity is used to interact with an application process.
Over time, by repeatedly applying for services or products and exhibiting genuine behaviour on accounts they’re able to open, a synthetic identity can gradually build a positive credit score and profile. As its reputation grows, the identity can gain access to a wider range of financial products — just like a legitimate identity would.
Synthetic identity fraud is a cross-sector threat that’s growing more sophisticated and costly every day. Whether you're in FinTech, Insurance, Telecom, Gaming or Government, the risk is real — and so is the impact. By understanding how these identities are created and taking proactive steps to detect and prevent them, UK organisations can more effectively defend their platforms, customers and reputations in an increasingly digital world.
Find out more about synthetic fraud and proven strategies for protecting your organisation and consumers in our new guide — Hiding in Plain Sight: Uncovering Hidden Synthetic Identity Risks.
Contact Us
We're sorry, your request failed. Please try again in a little while.