Credit unions learn cybercrime prevention strategies that will protect them beyond the pandemic.
The COVID-19 pandemic has triggered a wave of financial fraud that could continue long after the virus is under control. Fortunately, the reverse of that situation may also be true: Credit unions are learning fraud-fighting techniques that can protect them and their members far beyond this crisis.
The abrupt, massive shift from in-person to online transactions has been a catalyst for crime. Identity theft reports to the Federal Trade Commission in 2020 were about double the total from 2019. As ID theft drives many types of fraud, it follows that the overall consumer losses from fraud jumped to $3.3 billion in 2020 from $1.8 billion in 2019.
We asked experts from three companies that provide security services to credit unions about which types of fraud they’ve seen on the rise and what seems to be working best to combat it.
Convergence of Factors
The combination of increasing remote transactions and widespread financial hardship is a perfect storm for fraud, says Chris Ryan, who leads fraud and identity product marketing for CUESolutions Silver provider Experian North America, Costa Mesa, California. “It’s harder now to weed out people with bad intent from good members facing difficult circumstances,” Ryan says. “It’s not as clear who to challenge and who to help.”
Before the lockdown, most CUs could count on a certain flow of in-branch transactions where staff can easily ask to see a driver’s license or other documentation to keep a transaction moving with high confidence that it is legitimate, notes Ryan.
When online users are asked for documentation, however, it creates “friction.” Consumers are accustomed now to virtually frictionless fintech transactions.
This is why, even before the pandemic, it was becoming a greater priority for CUs to improve remote transaction protections while providing a smooth user experience, Ryan points out. Experian has been working with CUs on using data analytics to balance safety and convenience.
The Power of Analytics
The problem with fraud detection for remote services isn’t that humans can’t see red flags when looking at facts about a consumer’s life and finances. The problem is that humans don’t have the time or access to review enough data—in a broad enough context—to make adequately informed decisions.
That’s what data analytics tools do for financial institutions, Ryan says.
He offers the example of loan applicants who have a new address and a somewhat high level of financial activity on their credit reports. That’s not necessarily a red flag. Moving isn’t uncommon, nor is an increase in short-term spending in the process.
But what if the phone number on the application doesn’t match what you have on record for that member? What if the new address is connected to multiple people with different surnames?
Criminals could be using the address to generate multiple fraudulent loans and redirecting phone calls to their own phones instead of the victims’.
“If people could see all this information, we would see these patterns and know when a new address might indicate a fraud attempt,” Ryan says. “The challenge is that this is a really simple example, and in real life, a person might have to see thousands of pieces of data and understand how they all fit together to predict risk. Analytics can do this work reliably and consistently in a fraction of a second.”
Ryan says a strong, basic data analytics solution should be able to analyze transactions for at least these three types of fraud:
- First-party fraud: People applying for credit cards or loans with no intent to repay.
- Third-party fraud: Criminals using victims’ stolen credentials to impersonate them.
- Synthetic identity: Melding real and fabricated data to create false identities, sometimes used for lengthy schemes.
Use Employees’ Expertise
Ryan says a data analytics solution doesn’t remove CU employees from the process of detecting identity fraud. “An analytics platform can take care of most transactions and flag only those that require personal attention,” he says. “That frees your best employees to handle more complex transactions.”
Some turnkey data analytics products are designed for smaller financial institutions today, Ryan says. “Instead of simply saying a case is ‘risky,’ these tools tell a credit union exactly why and what needs to be done next,” he adds.
Beyond flagging individual risks, data analytics help assess fraud prevention. Ryan recalls a client telling him why the CU’s management switched to a data analytics approach.
“They couldn’t make positive changes because it was impossible to review fraud cases and figure out what they did or didn’t do that resulted in the loss. But when they started taking action based on analytics, the data showed what they’d done in each case and why,” Ryan says. “That made changing processes to protect themselves very simple.”
One-Time Passcode Scams Target Seniors
Card-not-present fraud had already been increasing before the pandemic, and now conditions are even better for that type of scam.
People who rarely or never made purchases online are doing so regularly, which makes them easier marks, says Karen Postma, VP/risk analytics for CUESolutions Bronze provider PSCU, a credit union service organization in St. Petersburg, Florida. Older members, in particular, are CNP targets now, she adds.
The most alarming trend in CNP fraud is a combination of social engineering and targeting transactions that have extra security, Postma says.
“This type of fraud has been on the rise since EMV (smart chip technology) was introduced,” she explains. “Fraudsters have developed new ways to bypass advanced security mechanisms that credit unions put in place, such as one-time passcodes.”
Cyber thieves gather personal information about members, much of it easily available online, and use it to convince members they are co-workers, friends, merchants—or your credit union. The fraudsters initiate a transaction that generates an OTP request, then use “phishing” calls, emails or texts to ask members for the password.
“We’ve been seeing this occur frequently in mobile wallet provisioning, as more consumers are embracing that technology,” says Postma.
MultiChannel member Education
Postma lauds CU clients that have response plans in place to address outbreaks of such schemes as OTP phishing. The best response plans include:
- Fast internal communications. Establish a way for employees to relay to leadership members’ reports of suspected fraud, so you can spot potential fraud campaigns targeting your CU. In turn, leaders should quickly relay new fraud threats to all employees who could be helping members deal with a scam.
- Multichannel external communications. A tested, rapid push-notification system should be in place to alert targeted members. Communicate fraud threats to members via web branch notices, mobile apps, email, newsletters and all the other ways you reach out to them. This is especially important for staying in touch with older members or others who may not regularly use digital channels.
“Emphasize in your external messages that your credit union will never ask members to disclose any type of personal information, including OTPs,” says Postma.
Train staff Frequently, Interactively
Your fraud response program will be more effective if employees are frequently trained on spotting emerging fraud trends, says Jay Bowden, CFO of TRC Interactive, Harrisburg, Pennsylvania, which partners with CUES in offering First Line of Defense™. The company offers online fraud detection and prevention training, using input from financial institutions and other sources to customize courses for the latest threats.
Bowden says the pandemic-fueled fraud surge has increased the overall need for training, including in wire transfer, PPP loan and tax-related fraud.
To train your employees to spot these and other crimes, look for relatively brief online courses—30 to 45 minutes or so—that minimize work disruptions. Bowden recommends courses that have a mix of interactive elements to keep employees involved, such as fraud simulations and game-like exercises.
Annual fraud training probably isn’t frequent enough to keep pace with fraud innovations—TRC Interactive has found that quarterly training is generally more effective, Bowden says.
In addition to training employees, Bowden suggests educating your board about interpreting fraud loss results. “Some boards are satisfied with being given a fraud loss number through regular reporting. But they should realize it’s a number that can be influenced with effort,” he says. Boards should ask what’s being done to monitor and minimize fraud losses and whether these efforts have shown measurable results.
Establishing accountability for fraud prevention isn’t just a good practice during a pandemic. It can yield results as long as cybercrime continues to adapt and innovate—in other words, forever. cues icon
Glenn Harrison writes for Credit Union Management from Stoughton, Wisconsin.