The NAFCU Journal: Fighting Fraud

A multifaceted approach is needed to keep members — and credit unions — safe

By M. Diane McCormick

Fraud against financial institutions today is so all-encompassing that credit unions trying to strengthen their shields must take a holistic approach, merging fraud prevention with risk management, IT, HR and all other operations. Breaking down a siloed environment “is the future,” says Ann Davidson, risk control expert and vice president of risk consulting for Allied Solutions.

“You have this huge credit union house and all its rooms, and they have to connect,” says Davidson. “The bad guys are out there searching 24/7. They find the weakest link, and they jump on it.”

Bits of Information

For James E. Santos, vice president of account services for Randolph-Brooks Federal Credit Union (RBFCU) in Texas, servicing accounts is “the overarching thread” in a department overseeing deposit services, corporate fraud, overdraft protection and account-level asset protection.

“We have a lot of systems that run pretty much in harmony, and sometimes a transaction will jump onto the fraud rail,” Santos says. In many cases, the credit union steps in to protect members from losses, because “if they’re subject to a scam, they’re really on the hook for that.”

If the credit union reimburses members for losses due to fraud, then the institution is a victim as well. And while members can be victims, they also can be perpetrators, or a little of both — not the instigator, but perhaps a willing participant who passes a bad check as a favor to a friend, he says.

Even the constant stream of data breaches at national chains and institutions ripples back to credit unions.

“In all of those situations, you know your members’ information has been compromised, which means bad actors are going to try to use that information to take over your members’ accounts,” says Jacqueline M. Jackson, vice president of risk and compliance for Cleveland, Ohio-based Century Federal Credit Union.

The growth in digital wallets, such as Venmo and Square Cash, will help make 2020 “the year of non-face-to-face fraud,” Davidson says.

Fraudsters are adept at piecing together full portraits from tiny details about credit union members or officials. The tactic bolsters two emerging fraud schemes — business email compromise and synthetic identities — and gives new life to fraudsters’ tried-and-true phishing tactics.

Business Email Compromise (BEC): An employee opens an email from a credit union official loaded with details confirming that the official is the real thing. The official requests that money be wired to an account, and the employee complies — except that the money is going to an organized crime ring’s account.

In a variation, fraudsters call or text members from credit union call center numbers, pretending to be fraud teams sending “alerts” that, when responded to, provide access to accounts.

Bad actors can find personal and organizational details almost anywhere. Credit union websites offer “a treasure trove” of information that fraudsters use, Davidson says. She advises weighing “need to know” versus “nice to know” when deciding what to post.

Synthetic IDs: Fraud perpetrators create a fictional person using slight changes to a real person’s name, Social Security number and date of birth. Accounts are opened, and loans are taken out using the fake person’s information. When loanees default, they are nowhere to be found.

“It’s what they call a ‘Frankenstein,’” says Santos. “That ‘person’ isn’t a person, really.” Monitoring transactional behavior for abnormal patterns and using verification technology can help weed out synthetic identities, he says. It’s also important to double-check loan application information using other sources.

Phishing: The practice of phishing, or sending legitimate-appearing emails that lure targets into sharing information or clicking malicious links, is “always a concern,” Santos says. RBFCU’s IT system rejects emails demonstrating certain parameters, such as suspicious domains and servers.

One sophisticated phishing scheme started when perpetrators collected enough bits of information from a credit union call center to “alter accounts as an authoritative source,” says Alex Hernandez, vice president of emerging technology at cybersecurity, cybercompliance and cyber fraud specialist DefenseStorm. “They got money transferred out through multiple attempts of leveraging multichannel attacks.”

Low-tech and paper check fraud continue, and it’s not only new members who are the perpetrators. Existing members encountering hardship might try to kite a check — when, for example, John Smith Jr. will falsify his identification to draw money from John Smith Sr.’s account.

Prevention Mindset

All fraud schemes exploit an institution’s weakest link, and many credit unions don’t deploy available protections or preventive policies to strengthen their defenses, Davidson says. Many still allow “chip-magstripe fallback,” allowing bad actors to pretend that a fake chip is malfunctioning and complete transactions with the magnetic stripe. Others don’t use Positive Pay to confirm clearance of their own business checks.

Still others allow lax authentication procedures in their shared branching networks. In one case, a fraudster used his credit union HELOC to withdraw $168,000 from another credit union in the network.

“Would you, as a network member, allow someone to take out $168,000 by just showing their driver’s license?” Davidson says. “I don’t think so. For 2020, it’s all about authentication, authentication, authentication.”

Fraud detection tools that focus on single channels have blind spots, so Hernandez’s DefenseStorm analyzes patterns of behavior and relationships across channels “to provide predictive power where fraud may be occurring, and a much faster reaction when fraud is seen, because all that data is consolidated in one place.”

At the convergence of cybersecurity and fraud, cross-training and improved collaboration allow teams to leverage shared information and understand each other’s worlds, “so if and when something does happen, they have already spent some time together and already understand each other,” Hernandez says.

The holistic approach often reveals storylines across departments, Davidson says. If different sections are investigating ACH, wire, card and paper check fraud, “you’re never going to catch the bad guy who’s the same perpetrator hitting all those different transaction risks.”

RBFCU convenes a multidisciplinary fraud team quarterly. “It’s been all hands on deck,” says Santos. “The fraud department is not going to solve all the problems. We need everybody working together.”

Employee Compliance

While much of the fraud suffered by credit unions is from outside the institution, officials must also look internally, assuring that every employee follows policies, procedures and regulatory requirements.

“If you are a teller, you work for the federal government,” Jackson says. “The Patriot Act is part of that.”

Century Federal’s board leverages compliance for added strength in addressing fraud and risk mitigation, Jackson says. Working with its own risk committee, the board adopts policies and procedures regarding acceptable forms of identification — no exceptions allowed.

“You have to have a reasonable agreement that the person in front of you is who they say they are,” she says.

Within strict verification parameters, frontline employees must be empowered to trust their guts and hit the pause button. At Century Federal, they call it “going up the ladder” when a transaction is paused because something, or someone, seems suspicious or could trigger a loss to the credit union.

“That can be enough to deter a bad actor,” Jackson says. “That person has [headed] out the door, because someone has referred it up the ladder.”

Century Federal’s “go up the ladder” mindset played a role in halting a case of elder financial abuse, which is a type of fraud on the rise. Tellers sounded the alarm when an older member came in on a cold day, wearing a windbreaker and no socks, with her granddaughter. Because of their alertness, law enforcement uncovered the granddaughter’s physical and financial abuse of her grandmother.

Santos’ department alerts staff, via intranet, to potential threats and instills a “trust, but verify” mindset.

“I say I have 2,000 employees in the fraud department,” Santos says. “It’s every person’s job to look for fraud and report that. There’s no ‘somebody else will get that.’ I tell them not to rely on decisions I have made in order for them to make decisions regarding this member.”

Employee training should offer a clear understanding of why controls are in place and need to be followed. “Everybody wants to be helpful. We’ve all done it,” Hernandez says. “These bad actors take advantage of it.”

The Bottom Line

Closing the door to fraud is the first and best line of defense. Without the right parameters and layers of risk prevention tools in place, Davidson says, credit unions with self-retention provisions in their insurance policies could absorb huge losses. Plus, insurance policies might not cover every instance of fraud.

Credit union executives must read insurance policies from top to bottom before signing, says Jackson. Her CEO reads all insurance policies and convenes her team to scrutinize the contents and their match with credit union policies and procedures.

Vendor management is another important plank in fraud detection and prevention. At RBFCU, products are reviewed regularly for performance, and vendors are “kind of on notice” to share their latest and best products, Santos says. “We want those vendors walking hand in hand with us.”

Although fraud may be on the agenda, the questions boil down to managing risk. “What are we willing to take on, what are we not willing to take on, and what tools and solutions are out there to help us manage?” Davidson says.

Law Enforcement and Networking

Credit union officials agree: Strong, two-way relationships with law enforcement are crucial in the battle against fraud. Through open communication and joint training, credit unions have partners who can investigate fraud and alert them to emerging schemes.

With branches on U.S. government property, Century Federal has learned that visible relationships with law enforcement can be a deterrent to would-be fraud perpetrators. There, officers can respond to calls within 20 seconds, and the credit union makes a point of having the officers come by even without emergencies at hand.

“Outside actors do see us having that relationship with law enforcement,” Jackson says. “I do believe that has actually made a difference.”

RBFCU belongs to intelligence groups and casts law enforcement relations in a big-picture light, encompassing federal, state and local officials.

“We cooperate to the fullest extent of whatever we can,” Santos says. “Sometimes, our hands are tied. We may need a subpoena or court order. We want to make that crystal clear and tell them exactly how to do that.”

Established contact, he says, creates a professional relationship with mutual understanding. “You’re seen as a partner. You don’t have to pick up the yellow pages and call the FBI. You don’t have to start at square one.”

Networking with other financial institutions, being involved in NAFCU and reading emails from cybersecurity groups also help keep credit unions informed about new tools, products and services meant to keep pace with the ever-churning minds of fraudsters.

“You sit here and think we’re all alone,” Santos says. “In the big picture, you reach out to everybody else, and they say, ‘We see this every day.’”

Protecting Your Reputation

When it comes to fraud against credit unions, reputational risk and the risk of financial losses run hand in hand, Santos says. “If your reputation is damaged, people aren’t going to want to become members, or they’ll be a bit reluctant to apply for products and services.”

How a credit union balances security with member convenience is different for each one. “What makes a credit union’s personality is the services they offer the members, and the services they’re offering are going to dictate the controls they have and how they service customers,” Hernandez says. “That’s a big part of knowing their customer footprint and understanding their customer interaction.”

Compared to larger financial institutions, credit unions have two powerful weapons in the fight against fraud — personal interaction and relationships with members. When something seems wrong, “we have the time to find out and take the next steps, if necessary,” Jackson says.

“We know that member, and we’re not overstepping our boundaries if we want to protect them,” she says. “It may never go any further, but we can say we did our part. If you’re protecting your credit union, you’re protecting your members.”

M. Diane McCormick is a freelance journalist and a frequent contributor to The NAFCU Journal.

This article was published in the March-April 2020 edition of The NAFCU Journal magazine. 