Seven years ago, two twentysomething data scientists spotted a novel phenomenon: synthetic identity fraud. They turned that discovery into fast-growing SentiLink, a member of the Fintech 50 for 2023.
During the summer and fall of 2018, Hasan Hakim Brown, a Floridian in his early 40s, was applying online for loans—for the fake companies and bogus identities he’d set up. He had mixed success. He swindled more than $1 million from a Texas bank. But a few of his other targets, using software from San Francisco–based startup SentiLink, flagged his applications as suspicious because too many Social Security numbers were associated with the same address.
Brown, it turned out, had started manufacturing “synthetic identities”—stolen (but real) Social Security numbers merged with made-up names. He later refined his technique, buying a rig from an Atlanta computer consultant that let him simultaneously manage multiple virtual desktops from different IP addresses, thereby evading certain fraud-detection screens.
When Covid-19 hit in early 2020 and Congress appropriated hundreds of billions in forgivable Payroll Protection Program loans for hurting businesses, Brown was ready. Ultimately, according to federal court records, including guilty pleas, Brown and his half-dozen criminal associates controlled 700 synthetic identities and dozens of shell businesses and related bank accounts. Overall, the gang defrauded the Small Business Administration and various banks out of more than $20 million. Brown was sentenced to 60 months.
While Brown was busy thieving, SentiLink cofounders Naftali Harris and Maxwell Blumenfeld, both now 31, were also thinking about synthetic ID fraud, turning their early insights into a nicely growing niche business. “Everyone initially told us that this type of fraud was impossible, and that we must have misunderstood something,” says CEO Harris.
Last year, Harris and Blumenfeld’s six-year-old startup had about $25 million in revenue, more than double that of the year before, Forbes estimates. It counts seven of the U.S.’ 15 biggest banks and six of its 10 largest credit unions, as well as major fintechs like Ramp and Plaid, among its 300-plus customers. SentiLink raised $70 million in July 2021 at a $430 million valuation, according to PitchBook. Harris says it’s burning only $1 million a month and has enough cash to keep operating without additional funding for more than five years. He and Blumenfeld are veterans of the 2020 Forbes 30 Under 30 list, and this year SentiLink makes its debut on the Fintech 50, our annual list of the most innovative private fintech startups.
Artificial intelligence is, of course, a key part of SentiLink’s business. But Harris and Blumenfeld took a crucial lesson from how they first recognized synthetic fraud: A human, not a computer, made the key connection. In August 2016, the college buddies were both data scientists at buy-now, pay-later startup Affirm. Harris’ team was building the models for approving or declining borrowers. Blumenfeld’s job was to look for fraud. One day Blumenfeld noticed two applicants had the same name and date of birth but different Social Security numbers. He ran that name through the computer and found 12 people had applied for loans with the same name and birthdate but different Social Security numbers. More shocking, all 12 had credit bureau histories and good FICO credit scores above 700. One had a credit card with a $20,000 limit. Another got a $35,000 personal loan. A third had secured a loan for an $80,000 BMW.
“This is crazy,” Harris recalls thinking. “These people don’t exist, but they tricked the bureaus into getting a credit report.” Using the same name and birthdate was stupid. But the underlying strategy was clever and patient: Scammers were stealing Social Security numbers from folks who weren’t likely to be actively shopping for credit, such as kids, prisoners and nursing home residents. They paired those numbers with fictitious names and real addresses. Then they built up credit records for their creations by opening checking accounts and making timely payments on loans and credit cards. Eventually, they could use those credit histories to qualify for big loans they wouldn’t repay—an event that’s now known as a “bust-out.”
But this type of fraud was little known, even to experts, when Harris and Blumenfeld first came upon it. “They told us that the bureaus had accurate records of all credit-active Americans and that as long as you checked that the identity had a bureau record, this wouldn’t be possible,’’ Harris recalls. But it was. And it still is, despite the launch last year of a somewhat clunky federal database (which SentiLink uses) that enables authorized users to cross-check Social Security numbers and names.
Today, 78-person SentiLink has eight full-time employees dedicated to manually reviewing potential fraud attempts and requires others to spend at least an hour a week eyeballing cases to spot emergent patterns—new fraud angles or even legitimate applicants who may be unfairly rejected by the algorithm. “There’s a big misconception with AI that it discovers these things in and of itself,” says Blumenfeld, who is chief operating officer and leads research and development at SentiLink. “The [AI] model in our case is literally trying to mimic what the human would do. It can just scale really quickly.”
Ingenuity and speed have been key to the pair’s success so far. Harris grew up in Los Angeles (his father is a finance professor at the University of Southern California) and sped through four years of high school math, English and Spanish in three years at the Milken Community School, a Jewish day school named after billionaire donor Michael Milken. Without finishing high school, he applied to a dozen top colleges. The University of Chicago was one of five that accepted him. During his first few days there, he met Blumenfeld, the son of an art teacher and a tax lawyer.
Harris graduated in three years from Chicago with a degree in statistics and started a Ph.D. at Stanford—but found it too theoretical and earned a master’s in statistics instead. In June 2014, Affirm cofounder Max Levchin persuaded him to become the company’s first data scientist. Harris, Levchin says, is a “very first-principles thinker. He didn’t take anything for granted, evaluated things from scratch and was very, very mathematically competent.” Blumenfeld joined Affirm six months later.
Little Big Picture
GONE PHISHING
Americans lose nearly $40 billion every year from phone scams, per 2022 estimates by spam-blocking app Truecaller. Phony calls peaked in 2019, as regulators and carriers cracked down and people stopped picking up, leading scammers to do what everyone else already does—send a text instead.
MONTHLY SPAM RECEIVED
In March 2017, just seven months after their first encounter with synthetic ID fraud, Harris and Blumenfeld decided to build their own company around it. They got $575,000 in seed funding—$300,000 from Dallas venture capital firm Goldcrest and most of the rest from Levchin. They started working out of a windowless basement office in a seedy part of San Francisco. “It was the cheapest office we could find at the time. And it felt like a company that was fighting fraud should be in a basement office,” Blumenfeld muses.
To build a useful fraud-scoring model, you need customer data, and lots of it. They used a clever shortcut to get started, buying millions of dollars’ worth of written-off bad debt from lenders for about $10,000. That entitled them to pull credit reports on the defaulted borrowers and look for telltale patterns. They also started coding specific behaviors into their algorithm. If someone was applying with an email address created just a month before or using an IP address from a different location than their physical address, those counted as red flags.
As they scrambled to build their model, the need for it was growing. Research firm Aite-Novarica estimates that U.S. financial institutions’ losses from synthetic ID fraud tripled from $800 million in 2017 to at least $2.4 billion last year. But the firm notes that losses could be more than twice its estimate because some lenders still write off bad debt without knowing whether the deadbeat is synthetic or real. (Aite-Novarica doesn’t estimate losses sustained by the government, telecoms or online gambling sites, which are also big victims.)
In 2019, Harris and Blumenfeld finally got their first big bank customer: Synchrony, the consumer lending specialist behind the retail credit cards offered by Amazon and JCPenney. That year SentiLink also raised its first substantial funding—$14 million from Andreessen Horowitz and Felicis Ventures, among others. Hans Morris, managing partner of venture capital firm NYCA, one of the investors, says the boyish, geeky-looking pair have a way with financial services execs. “They’re so nerdy that they’re trusted and charming.”
Charming or not, it helps that the duo had targeted the right sort of wonky fraud problem—growing as a threat but not yet so significant that there were already lots of big competitors in the space fielding good models. Then came the pandemic. The surge in e-commerce and the flood of federal money were a boon to both fraudsters and SentiLink, which grew from 12 customers in December 2019 to 45 by the end of 2020. Last year, it processed 323 million identity checks for customers, up from 148 million in 2021. The more data it processes, the better its models are trained—and the more revenue it makes, since many clients pay both a fixed licensing fee and a usage fee for each identity check.
SentiLink has expanded beyond synthetic fraud to old-fashioned identity theft and first-party fraud, in which people use their real identities to steal money or goods, often by disputing legitimate charges. Harris says they’ve been able to cross-sell more than half of their synthetic-fraud customers on a second or third product, and about 60% of revenue now comes from new areas.
Yet despite such traction, SentiLink has only a tiny sliver of the fraud-prevention market, which totals $15 billion a year, estimates credit bureau (and competitor) Experian. In fact, some banks work with as many as 10 fraud-prevention firms at a time. Companies like Experian, Lexis-Nexis and fintech unicorn Socure all offer a broader set of services than SentiLink.
Another challenge: The business moves fast. Crooks continuously come up with new schemes and variations as fraud-prevention models proliferate. “I have 1,000 companies a year saying, ‘I’m better at this than everybody else,’ ” says Max Axler, chief credit officer at Synchrony. Harris and Blumenfeld will need to keep grinding if they want to keep up—with competitors and criminals alike.
MORE FROM FORBES
Read the full article here