NEW YORK (CNNMoney) -- Grisha Stpanov opened a credit card, charged up $20,000, but never paid it back.
That's because Stpanov doesn't exist.
Stpanov, or at least his credit profile, was the creation of Arman and Wachagan Hovhannisyan, two brothers from California who were accused of scamming 21 banks and the three major credit reporting bureaus by inventing hundreds -- possibly thousands -- of fake identities, and charging $500,000 on fraudulent credit cards.
While it may sound like the plot of a Hollywood heist movie, anyone who understands how credit works can easily game the system.
Even after the worst financial crisis since the Great Depression, banks are still doling out credit cards to any borrowers who look good on paper -- even when that's the only place they exist.
And the Hovhannisyan brothers are proof positive that most banks are still very susceptible to fraud.
How they did it
It all started when the Hovhannisyan brothers joined forces with a man named Jamal Hyde, who worked in a dentist's office extending loans to patients and then reporting payments to Experian, one of the three major credit bureaus.
According to the government complaint filed in California federal court, which summarized the investigation, the brothers, along with Hyde, made up hundreds of fake social security numbers to establish false identities. The men then began reporting loan information and on-time payments for fictitious dental services to Experian.
Once the fake credit profiles had high credit scores, the men opened credit cards and took out loans, fooling issuers like Bank of America (BAC, Fortune 500), Capital One (COF, Fortune 500), Wells Fargo (WFC, Fortune 500), US Bank (USB, Fortune 500), Chase (JPM, Fortune 500) and Discover (DFS, Fortune 500). In all, the government estimated that the men duped at least 21 financial institutions.
At first, they paid off the balances on time to improve the fake scores. Eventually, they ended up with hundreds of cards with a combined $500,000 credit limit, which they used to pay their own bills and purchase two luxury automobiles, federal documents show.
The Hovhannisyans were eventually caught by the FBI. After pleading guilty to lesser charges, they were both sentenced to more than 20 months in prison for bank fraud and must each pay restitution of $486,143. They entered prison in March.
Hyde is scheduled to appear at his sentencing in May.
How they got caught
About a year into the scheme, Experian flagged the fake accounts, saying the loan amounts seemed unusually high for dental services and that the geographic distribution of the patients was also unusual.
A spokesman for Experian said the company did carefully vet the dental practice involved in the case, and worked with law enforcement as soon as Experian became aware of the scam.
"In [this case], the dentist's office involved was a legitimate business, which hired a rogue employee who reported the account data in question," he said.
The three men likely picked the social security numbers at random and simply made up names, addresses and dates of birth, according to the case documents.
(Even if a social security number is already in use, if the name and other information doesn't correspond when a credit bureau receives it, a new profile can be created.)
When government agents received a search warrant to check the homes of the three men, they found hundreds of documents with account numbers, drivers licenses, social security numbers and other personal information relating to the many identities they created.
The fact that the scheme went on for a year means that it probably could have continued a lot longer if the men had been a little more careful, said John Ulzheimer, personal finance expert at SmartCredit.com.
"They got greedy," he said. "They were smart, but not smart enough -- if they used modest credit lines and were more geographically sensitive, they could have kept it going."
Why it could happen again
While this is considered a "victimless crime" since most of the "individuals" defrauded didn't exist, (though the government believes several of the identities did belong to real people), the banks ultimately recoup fraud losses from their customers, said Ulzheimer.
"The takeaway from this case is that the system isn't fool proof," said Ulzheimer. "It can be manipulated. So it's crucial that the credit bureaus do a good job making sure that folks who have credit profiles and access to reporting information are legitimate."
But the job of the credit bureaus is to report the information given, not necessarily to take additional measures to determine its accuracy, said Jay Foley, founder of the Identity Theft Resource Center.
"The credit reporting agency may or may not realize there's fraud, but they usually won't do anything about it. Why would they? That's not their job," said Foley.
The banks disagree.
"Banks rely on the credit reporting, so they need to count on it being reliable," said John Hall, spokesman for the American Bankers Association. "The weakest link in this case seems to be the credit reporting folks, because the product we get from them is only as good as it is accurate."
While Experian said it typically alerts lenders to potential fraud, a spokeswoman from Wells Fargo said the bank doesn't receive proactive alerts from credit bureaus. Instead, fraud risks are flagged through internal tools, network providers like Visa and MasterCard, merchants and customers.
A spokeswoman for Discover said the company advises merchants to use security processes to prevent fraud.
Capital One and US Bank could not be reached for comment, and the other major banks named in the complaint declined to comment.
"Our country still has no method of defining exactly who the customer is, how honorable the business reporting information is, or how accurate the information on the report is," Foley said.
Creating better fraud prevention systems would be expensive, and consumers would likely end up paying, he added.
Experian said cases like this are rare. But if a more secure system isn't developed, similar schemes could easily happen, Ulzheimer warned.
|Overnight Avg Rate||Latest||Change||Last Week|
|30 yr fixed||4.24%||4.20%|
|15 yr fixed||3.30%||3.18%|
|30 yr refi||4.22%||4.16%|
|15 yr refi||3.29%||3.17%|
Today's featured rates:
The Radisson hotel chain has suspended its sponsorship of the Minnesota Vikings in the wake of child abuse allegations against Adrian Peterson. More
First official government report shows big decrease in uninsured after Obamacare kicks in and more Americans gain health insurance. More
AT&T has developed a software platform that can transcribe and offer near-real-time analysis on customer service calls. More
What do all 401K millionaires have in common? Christine Romans explains what it takes to be a member of the club. More