As online commerce evolves into a more-robotic proposition, with fewer humans involved, the issue of online identity – and the potential for more automated fraud – gains new importance for merchants. 

This future marketplace also raises the risks of synthetic identity fraud, according to Bolt Financial, a fintech that sells checkout software for online commerce.

Synthetic identity fraud involves criminals stealing or purchasing pieces of individuals’ personal information, including Social Security numbers, driver’s licenses, addresses or checking accounts, and stitching these together to construct false identities to commit fraud.

Synthetic fraud accounts for $35 billion in annual losses for card issuers, with an average loss of $3,000 per account, according to a 2024 synthetic fraud report by Boston-based FiVerity, an anti-fraud software company. 

Earlier this month, Bolt rolled out a new network identity system it calls Bolt ID. The company has data on about 84 million shoppers across its network of retailers and other merchants, President Justin Grooms said in a Dec. 16 interview.

The large network “allows the company to observe signals that would otherwise appear unrelated” as fraudsters assemble data “across retailers that indicate the formation of synthetic profiles,” San Francisco-based Bolt said in a Dec. 1 press release.

When it spots a potentially fraudulent transaction, the system uses a one-time password to confirm the purchaser has access to a device connected with a known email address, under the notion that while fraudsters may have personal data, legitimate consumers usually control their own phone, laptop or tablet. That allows Bolt’s system to contact them via email or text message about a transaction, Grooms said.

Editor’s note: This interview has been edited for clarity and brevity.

PAYMENTS DIVE: At a basic level, how does synthetic ID fraud work?

JUSTIN GROOMS: They might have your email address and they might have your shipping information – payment information that they’ve slowly acquired over time through data leaks or from public information that’s available. It is enough of your identity that fraud-prevention systems generally will recognize it as an acceptable transaction. 

What’s different about Bolt’s approach with this ID product?

What we’re taking a position on is that if we have known good contact information – I know your phone number, I know your email address from past trusted transactions – then I should alert you, as the human, that pieces of your data are being used in a transaction but maybe part of it changed. Which you might look at and say, ‘Yeah, that’s my brother’s address. That makes a lot of sense.’ Or you might say, ‘No, I absolutely did not just do that purchase at Best Buy.’

How do these notifications work?

There’s the opportunity to send it through text messaging if I have high confidence that the phone number associated with your identity is you. I can do things like query the phone carriers, and they’ll return back and say that SIM card, [or] that phone number, has been associated with the same physical phone for a year. That’s high trust. However, if I ping that phone carrier and they come back and they say this SIM card or phone number has been associated with the new phone or physical device for only four hours, that’s low trust data. OK, maybe I’m not going to reach out to that cell phone number and tell them that their data is being used, because that might be in the loop of a bad actor. The industry norm, historically, has been we do all this stuff in the background. 

The sharing of information is something that we should overtly involve the consumer with. It’s good for the consumer and it’s also good for those of us that are trying to fight fraud on a systemic level. These are real-time notifications that give someone the opportunity to opt in and raise a flag.

Do we need notifications about how our personal data is flowing digitally? Does fraud need greater transparency?

It should be at the optimal times. It’s essentially just-in-time notifications awareness, because that’s when it’s the lowest mental strain for us to understand. Like, I’m on my phone right now placing an order. It makes sense that someone is looking at my identity.  We’re used to this from a latency perspective: If you ping your credit [report] you’ll get something in the mail five days later saying that Bank of America looked at your credit. The thing that we’re fundamentally doubling down on is saying that in the event that a consumer’s data is being used, they have the right to know that pieces of their data are being used and which pieces of their data. This structure allows us to view identification more as a presentation of a credential or trusted information.

To make a system of trusted credentials work across the entire retail and payments ecosystem, will it take all the device makers to buy in and marry identity with your device? 

The device and operating system players are sort of ahead of the game on this. I would even tie that to the carriers, too, the T-Mobiles, the AT&Ts and the Verizons. They have pretty significant infrastructure in place. Apple can confidently say that you’ve had your device for a year. They’ve Face IDed you in 5,000 times. And there are digital identities. You’ve uploaded your passport, or other things, into the device you’re holding. The carrier can say that’s the device we’ve seen for a long time, or it is in the places we expect it to be. The SIM card has not moved. They do a pretty good job. Where there’s a lot of opportunity for improvement is in the e-commerce and the finance part of the space. How are we tying real identities and awareness by the consumer of how their identity is being used into financial and retail transactions? 

Premium card users are generally insulated from harm as their bank covers fraud. Is a lack of consumer investment, to a certain degree, problematic?

It definitely is. This is a gradual evolution for folks over time. Those costs for fraud are just absorbed by the market. We all sort of pay for it.

By Justin Bachman on Dec 22, 2025
Original link