Unmasking a Synthetic Fraud Family in Detroit

The steady stream of nearly 200 financial applications from a single Detroit address revealed an unsettling truth: a real estate agent and her siblings had quietly built a shadow family of synthetic identities, complete with stolen and deceased Social Security numbers and a curious preference for Christmas Eve birthdays.

Read on as we dive into five fraud patterns that tell the story of how these real-world fraudsters manipulated identities to exploit financial systems.

The Fraud Family: A Closer Look

The Socure team recently uncovered a fraud ring that revolves around real individuals that are part of the same family. However, since 2021, nearly 200 applications have been filed from their home address that include over 30 different fake identities — an overwhelming majority requesting new bank accounts and payment processing services.

Before 2021, the number of applications from this address was minimal. The persistent flow strongly suggests that these accounts are being used to launder money and perpetrate scams.

The Anatomy of Deception: Five Telltale Patterns of Synthetic Identity Fraud

Fraud Pattern #1 | Two Synthetic Identity Types

Most applications used completely made up identities — known as “fabricated” synthetic identities. However, Socure also detected “manipulated” versions of one of the sibling’s personal details. These manipulated identities had altered Social Security Numbers (SSNs) and Dates of Birth (DOBs).

A strange pattern emerged:

• While birth years varied, the month and day remained consistent (12/24) — which happens to be Christmas Eve and matches one of the family member’s real birthdays.
• The fraud operation became more sophisticated over time, with the highest percentage of manipulated identities appearing in 2024.

Fraud Pattern #2 | The Rising Exploitation of Deceased Identities

Another trend we observed was the calculated shift toward exploiting the identities of the deceased through stolen SSNs.

• Before 2021, no fraudulent applications used deceased SSNs.
• By 2025, nearly 15% of fraudulent identities contained SSNs from the deceased.
• The steady rise suggests a growing reliance on the use of SSNs stolen from deceased people to evade detection.

Fraud Pattern #3 | Shifting Contact Methods: Prepaid Phones versus VoIP

The fraudsters exhibited an interesting back-and-forth pattern in their choice of phone numbers:

• Early on, the fraud ring relied heavily on prepaid cell phones for contact numbers.
• Then, they shifted toward VoIP (internet-based) phone numbers before moving back to using pre-paid accounts at a higher rate, likely to adapt to stricter fraud checks against VoIP phone numbers at their target institutions.
• More recently, they’ve moved back to VoIP numbers — indicating possible attempts to evade detection.

(light blue line is use of VOIP, dark line is prepaid cell phones)

Fraud Pattern #4 | Geographic Clues and a Shift in IP Locations

Most applications originated from a tight geographical radius around Detroit. However, we recently detected a shift in IP locations:

• Some of the latest applications originated from Texas and California.
• This could be due to personal/business travel or a new fraud tactic to hide their local IPs — we’ll keep monitoring for further changes.

Fraud Pattern #5 | Email Patterns and the Gmail Connection

• Gmail was the fraud family’s go-to provider for creating new email addresses.
• They followed a standard pattern: [consumer name] + random numbers (e.g., JohnDoe1234@gmail.com).

The Bigger Picture

Because this is an ongoing fraud attack where we have seen new application attempts within the last 30 days, we will continue to monitor the “Detroit Family Synthetics” and update the industry with any interesting patterns changes.

Socure can efficiently monitor differing fraud behaviors using our Graph Intelligence technology, which draws from the industry’s largest cross-industry network, including more than 2,800 organizations across industries such as financial services, gaming, and eCommerce.

Drawing from a diverse dataset, Socure can better understand cross-industry patterns, enabling the detection of various fraud types — including third-party, first-party and synthetic identity fraud — along with their underlying and dynamic fraud behaviors.

The Detroit Family Synthetics case highlights how synthetic fraudsters constantly adapt and refine their methods, making detection more challenging.

However, with advanced machine learning and graph technology, we are spotting these evolving fraud patterns in real time — helping businesses stay one step ahead before significant financial damage occurs.