Worried about how not to become the next victim of bust-out fraud? This article covers everything you need to know about this kind of cyber attack!


What is Bust-Out Fraud?

Bust-out fraud occurs when fraudsters build up normal credit card usage and repayment practices and then “Bust Out”, maxing out the credit line with no intention of paying back the balance. This behavior, when paired with Synthetic Identity Fraud (using a hybrid of real and fake identity information to open synthetic accounts), results in more than $6 billion in annual loss for issuers and banks, though some put the price tag as high as $20 billion


How Does Bust-Out Fraud Work?

Bust-out fraud typically starts with the perpetrator(s) opening up credit card accounts or multiple lines of credit with different financial institutions. But it’s a growing danger for any organization that conducts business through digital channels and extends credit. 

Sometimes these fraudsters use stolen identity information and strike fast before the scheme is uncovered, usually by the victim months after the fact, but increasingly, they’re using synthetic identities to do the dirty work with less risk of getting discovered before it’s too late.  

Thanks to billions of personal identity files set loose through data breaches in recent years, fraudsters can easily get their fingers on everything from social security numbers to “fullz,” or complete identity information on the dark web. Especially appealing: the social security number of young children who won’t be applying for credit for years—and thus won’t raise any flags over misappropriated identity information. Studies show that 10.2% of children under age 18 have had their social security numbers swiped. In 2021, 1.25 million US children were known to be victims of identity fraud. 

By combining a few pieces of legitimate personal information with phony addresses, contact information, and other data points, cyber thieves can forge numerous synthetic IDs at the same time. They’ll even set up or make use of sham businesses to establish credit for these fabricated personas through “piggybacking” on legitimate credit card accounts. Even a declined account will automatically create a credit profile—further legitimizing the identities. 

Once the lines of credit are established, perpetrators will patiently nurture the accounts, demonstrating normal usage patterns and making timely payments. This establishes them as low-risk borrowers, making them more likely to be approved for additional lines of credit. Once they have built up enough lines of credit, they max out the limits and default on the loans as they vanish into thin air.

Cultivating Frankenstein-ed identities takes time, patience and attention to detail. But according to Banking Journal, individuals and crime rings can get away with between $81,000 and $97,000 per synthetic identity. No wonder the FBI calls the synthetic identity fraud that drives bust-out schemes the fastest-growing forms of financial crime today. 


How Does Automation Help Bust-Out Fraudsters?

Bust-out fraudsters are always searching for opportunities to exploit, and with the ever-increasing use of automation in the financial industry, they are finding more and more ways to do so. Bots and other devices can now easily create fake IDs, making it easier for fraudsters to open multiple lines of credit simultaneously, minimizing the chances the lines will show up with each separate issuer or bank running credit checks. With painfully few exceptions, most bust-out scammers get away scot-free.


How to Detect Bust-Out Fraud

Bust-out fraud can be challenging to detect, as the perpetrators often take great care to establish themselves as low-risk borrowers before starting their schemes.

It is almost impossible to detect the fraudster from credit history or financial behavior. Many fraudsters maintain excellent credit history over multiple years before they finally bust-out, knowing full well that the average debtor who is late on making payments, even for a few months, would not typically be assumed to be a fraudster—especially lately.  

Consequently, the best warnings for bust-out fraud are unusually large numbers of credit applications and invalid personal data.


Large Numbers of Credit Applications

Credit cards are the bust-out fraudsters’ favorite tools. Therefore, if the same cardholder applies for a new credit line with a credit card over and over again, this should send warning signals. 

Fifteen months before the bust-out fraud, a perpetrator has two credit applications on average. Three months before the fraud, bankcard inquiries can suddenly grow to up to 10.


Mismatched Personal Data

Even with many of the identity verification systems used by some of today’s most sophisticated businesses, the task of detecting stolen or stitched-together identities can be formidable. Sure, checking public databases and cross-referencing with other data sources can spot inconsistencies that could signal fraud. Quickly and confidently confirming whether those inconsistencies evolved naturally or not is key.


Maxed Out With Minimum Payments

Put any of two or three of these factors into play, and there’s a good chance you could be staring down a bust-out in motion:

– A large number of credit applications in a short period of time

– Invalid, inconsistent, or missing personal data on applications

– Sudden increases in credit limits

– Maxing out on credit limits and making only minimum payments

– Defaulting on payments

– Lack of availability through given contact information for long periods of time

Still, for most organizations, accurately detecting any of these factors can be a tall order. When it comes to bust-out fraud, prevention is worth a pound of detection.  


How to Prevent Bust-Out Fraud 

Banks, credit card issuers, and other organizations looking to protect against bust-out schemes are advised to deploy solutions that recognize when synthetic identity information is being used in the account enrollment process—before credit is tapped. 

Today’s most effective solutions leverage machine learning, data science, globally-shared identity and transaction data, and validation of a live human face against a government-issued ID, along with document verification against third-party databases.


Telling Friend From Faux 

Bust-out fraud will only grow worse. By 2023, the synthetic identity information used in this these attacks could account for $635 billion in losses. And according to ABA Banking Journal, financial institutions operating without proper fraud prevention defenses in place miss 85% to 95% of synthetic identity-based fraud. 

Thankfully, solutions exist to help detect and block bust-out fraudsters at the door—before they can cause financial carnage.  

If you’re unsure where to start, request a demo with Outseer’s team of cybersecurity professionals—and discover how modern fraud prevention can help your business bust bust-out fraud for good.

Armen Najarian

CMO + Chief Identity Officer

Armen is a 15-year Silicon Valley veteran with deep experience leading the marketing function for fast-growing fraud prevention, predictive analytics, and cybersecurity companies. His most recent leadership roles include CMO positions at Agari and ThreatMetrix, the latter of which he established as the definitive category leader for digital identity solutions.