uring the summer and fall of 2018, Hasan Hakim Brown, a Floridian in his early 40s, was applying online for loans—for the fake companies and bogus identities he’d set up. He had mixed success. He swindled more than $1 million from a Texas bank. But a few of his other targets, using software from San Francisco–based startup SentiLink, flagged his applications as suspicious because too many Social Security numbers were associated with the same address.
Brown, it turned out, had started manufacturing “synthetic identities”—stolen (but real) Social Security numbers merged with made-up names. He later refined his technique, buying a rig from an Atlanta computer consultant that let him simultaneously manage multiple virtual desktops from different IP addresses, thereby evading certain fraud-detection screens.
When Covid-19 hit in early 2020 and Congress appropriated hundreds of billions in forgivable Payroll Protection Program loans for hurting businesses, Brown was ready. Ultimately, according to federal court records, including guilty pleas, Brown and his half-dozen criminal associates controlled 700 synthetic identities and dozens of shell businesses and related bank accounts. Overall, the gang defrauded the Small Business Administration and various banks out of more than $20 million. Brown was sentenced to 60 months.
While Brown was busy thieving, SentiLink cofounders Naftali Harris and Maxwell Blumenfeld, both now 31, were also thinking about synthetic ID fraud, turning their early insights into a nicely growing niche business. “Everyone initially told us that this type of fraud was impossible, and that we must have misunderstood something,” says CEO Harris.
Last year, Harris and Blumenfeld’s six-year-old startup had about $25 million in revenue, more than double that of the year before, Forbes estimates. It counts seven of the U.S.’ 15 biggest banks and six of its 10 largest credit unions, as well as major fintechs like Ramp and Plaid, among its 300-plus customers. SentiLink raised $70 million in July 2021 at a $430 million valuation, according to PitchBook. Harris says it’s burning only $1 million a month and has enough cash to keep operating without additional funding for more than five years. He and Blumenfeld are veterans of the 2020 Forbes 30 Under 30 list, and this year SentiLink makes its debut on the Fintech 50, our annual list of the most innovative private fintech startups.
Artificial intelligence is, of course, a key part of SentiLink’s business. But Harris and Blumenfeld took a crucial lesson from how they first recognized synthetic fraud: A human, not a computer, made the key connection. In August 2016, the college buddies were both data scientists at buy-now, pay-later startup Affirm. Harris’ team was building the models for approving or declining borrowers. Blumenfeld’s job was to look for fraud. One day Blumenfeld noticed two applicants had the same name and date of birth but different Social Security numbers. He ran that name through the computer and found 12 people had applied for loans with the same name and birthdate but different Social Security numbers. More shocking, all 12 had credit bureau histories and good FICO credit scores above 700. One had a credit card with a $20,000 limit. Another got a $35,000 personal loan. A third had secured a loan for an $80,000 BMW.
“This is crazy,” Harris recalls thinking. “These people don’t exist, but they tricked the bureaus into getting a credit report.” Using the same name and birthdate was stupid. But the underlying strategy was clever and patient: Scammers were stealing Social Security numbers from folks who weren’t likely to be actively shopping for credit, such as kids, prisoners and nursing home residents. They paired those numbers with fictitious names and real addresses. Then they built up credit records for their creations by opening checking accounts and making timely payments on loans and credit cards. Eventually, they could use those credit histories to qualify for big loans they wouldn’t repay—an event that’s now known as a “bust-out.”
But this type of fraud was little known, even to experts, when Harris and Blumenfeld first came upon it. “They told us that the bureaus had accurate records of all credit-active Americans and that as long as you checked that the identity had a bureau record, this wouldn’t be possible,’’ Harris recalls. But it was. And it still is, despite the launch last year of a somewhat clunky federal database (which SentiLink uses) that enables authorized users to cross-check Social Security numbers and names.