Recommit to these eight fraud security measures as your credit union’s operations shift to remote delivery.
Here’s a scenario that may become more common as credit unions deploy remote workers as part of their COVID-19 pandemic response: A scammer looks up CU employees on LinkedIn and then calls the IT help desk using their name and title with a request. “I’m working from home,” says the scammer, “but I don’t have my work computer, and I need to log in to the network.”
“Typically the IT person would say no, but in this time of stress, they’re trying to help people move quickly,” says Paul Love, chief information security and privacy officer with CUES Supplier member CO-OP Financial Services, Rancho Cucamonga, California. “Now is the time to emphasize to tech staff the critical importance of following procedures in authenticating users. That extra minute they take, while it doesn’t allow them to move to the next caller quickly, will protect their organization from an attack.”
Even as credit unions take steps to keep members and employees safe by adhering to pandemic directives, the bad guys continue to test fraud defenses. Revisit these best practices with staff across the organization to underscore the need to stay vigilant:
1. Be alert to phishing attacks.
In response to a high uptick in increasingly subtle email incursions, educating members and employees on how to steer clear is a top priority, says Jack Lynch, chief risk officer for CUES Supplier member PSCU, St. Petersburg, Florida, and president of its CU Recovery division. “It only takes one click to change the game.”
“Criminals are getting so much better at mimicking credit union branding in messages. It’s much harder to look at them and realize something doesn’t look or sound right,” Lynch cautions. “They’re getting more sophisticated in producing messages that look like legitimate communications or in getting information when they call in.”
These scams are timed to take advantage of fraught times, Love reflects. “The attackers know that at this time of crisis, companies—as they are moving employees to remote workplaces—are in a highly stressed situation, trying to move very fast. And employees are stressed as they work hard to help members, so their defenses may not be on like they normally are.”
Some attackers and fraudsters are even using the coronavirus outbreak as their cover, sending emails with subjects like “Update on COVID-19 safety measures for employees,” he says. “Every phishing email wants you just to open up the attachment quickly or click on the link and put in information without thinking it through.”
IT help centers are also inundated with calls right now. To ensure that member service centers and IT support centers are adhering strictly to user authentication processes, managers should reinforce with employees the need to stay on high alert.
Credit unions can share information with employees and members on emerging schemes, such as malware-rigged phone apps masquerading as consumer pandemic support and fraudsters pretending to promote charitable causes or sell fake coronavirus protective gear, cures and vaccines. Both the FBI and Financial Crimes Enforcement Network have issued alerts on such scams.
2. Work together.
At many organizations, IT and fraud are often separate departments. Ensuring that they work together on threats like phishing attacks will result in a more comprehensive approach to fraud prevention and detection, Love suggests.
3. Drill staff on branch security.
With smaller teams staffing branches, now is a good time to review the standard aspects of physical security, technology and processes, Lynch recommends. Are exterior lights all working? Are there any obstructed views? Have you tested alarms and surveillance systems?
“And with the staff who are left, make sure they understand procedures and do some drills,” he suggests. “People can get into a routine around opening and closing procedures, but that can sometimes get lost as staffing dwindles.”
Many thieves who try to gain access to branches are less interested in breaking into the vault than trying to infiltrate data systems, Love says.
“It’s about rewards and gains. Unsophisticated attackers will try to drive off with an ATM and break into it. The amount of money they’d be getting is limited, and the risks are high,” he notes. “More sophisticated attackers will try to access your network through phishing or entering the building to gain access to computers.”
4. Equip all remote staff with work computers.
“Sending someone home to log in from a home computer is never a good practice,” Lynch says. “It could have malware on it, presenting a breach opportunity. Make sure they are using credit union-issued computers or laptops with security measures such as two-factor authentication, virtual desktops and VPNs.”
5. Consider workforce tracking technology.
Especially for credit unions studying telecommuting as a long-term option, this software monitors whether “employees are looking at and taking action on things they’re supposed to be working on,” Lynch says. These systems ensure that employees are adhering to standard fraud prevention procedures to protect members’ personal and account information and can restrict the use of the credit union’s computers to work functions only. When employees want to check social media and shop online, they can do so from their personal devices and laptops, which are disconnected from the credit union’s network.
If this evokes George Orwell’s Big Brother, “it’s no different than security in place in branches to protect our members,” he says. “They want to know that when they’re working with us, their money and their information are safe. The more security we put around what our employees are doing, the more peace of mind we have that we’re protecting members.”
6. Check your call center capacity.
A key aspect of business continuity planning is to create a protocol for ensuring that call center system bandwidth is adequate to handle increased volume, Lynch advises.
“If you’re going to move frontline member service representatives into a remote environment, you have to make sure they have the ability to access those systems as well,” he notes. “No one ever expects something of this magnitude, but that’s when we really get to test our [business continuity] plans.”
7. Step up monitoring and employee support.
In these uncertain times, some members will be dealing with financial setbacks. Others may be pushed outside their comfort zones, needing support to set their logins and passwords as they sign on to remote channels for the first time. They may become upset, even aggressive, in their interactions with member service staff.
This is a good time to offer refresher training on dealing with difficult situations and to provide extra supervisory support, Lynch suggests. It’s also useful to remind call center staff to take extra care in vetting calls from people requesting sign-in support to distinguish between confused members and criminals.
“When members get upset, they may threaten to close their accounts if they don’t get immediate assistance. That can frazzle people,” he notes. “Fraudsters sense an opportunity at this point, thinking that the increase in volume and stress is a good time to slip in under the radar.”
Branch staff making the temporary transition to the call center also need training support, not just in systems but in working with members through this delivery channel. “You can’t just say ‘Grab a headset and get going,’ because there are unique variations as it pertains to what’s coming in and how to handle members on a phone,” Lynch says. “It’s a different environment with different types of access and different security threats.”
PSCU followed this approach of additional training and support when moving some of its employees at its fraud and risk call centers in Phoenix and St. Petersburg to remote workstations. Thus far, it’s been business as usual, with no uptick in call volume, though there has been a shift in emphasis to card-not-present fraud due to an increased volume of online shopping as people shelter in place, he says.
8. Watch the data.
Fraud prevention is an ever-evolving battlefield as scammers and attackers shift tactics relentlessly in search of openings to exploit. Credit unions of all sizes need to monitor their data systems continually for novel attacks by fraudsters seeking to take advantage of pandemic-related operational changes, notes Lynch.
A threat intelligence program can shift the response of credit unions from reacting when fraud occurs to proactively monitoring reports from other organizations, which they can apply to their own prevention and detection efforts. For credit unions that don’t subscribe to preemptive capabilities through third-party services or use a tool like FS-ISAC, the Financial Services Information Sharing and Analysis Center, their best defense is the monitor their own data closely in order to react quickly to emerging threats, Lynch advises.
“When it comes down to safeguards in implementing the [business continuity plan], the focus is really on educating your people and making them aware of security protocols, especially in branches where staffing is more limited,” he concludes. “And double-down on communications to make sure members know that their credit union is there to support them.”
Karen Bankston is a long-time contributor to Credit Union Management and writes about membership growth, operations, technology and governance. She is the proprietor of Precision Prose, Eugene, Oregon.