Digital growth and geopolitical events make it more urgent than ever to address cyber threats.
The risk of fraud in the financial services sector has never been higher. The dramatic transition from in-person to digital transactions, accelerated over the past two years by the COVID-19 pandemic, has increased vulnerability. Geopolitical events, most notably the Russian invasion of Ukraine, have also heightened the threat, prompting the National Credit Union Administration to issue an alert encouraging credit unions to take steps to reduce the likelihood and impact of a potentially damaging compromise.
Overcoming fraud was no easy feat even before these major events. The current environment makes it even more urgent for credit unions to redouble their cybersecurity efforts.
“We’re seeing an exponential increase in cyberattacks of all kinds,” says Chris Sachse, CIE, CEO of CUES Supplier member Think|Stack, a Baltimore-based cybersecurity and IT management company for credit unions. “In the fourth quarter of 2021 alone, there were more cyberattacks than there were for all of the prior year throughout the entire industry.”
Some threats, like ransomware, are rising rapidly. “But the most consistent threat continues to be theft of information,” says Sachse, “whether that’s card data, ATM data or personal information that can be sold on the dark web.”
The evolution of fraud tactics means that CUs have to stay on their toes to thwart the latest schemes, some of which unfold in a slow but insidious manner. “For credit unions, it’s important to realize that sophisticated fraud schemes often take time, and fraudsters can take a variety of pathways to achieve their end goal,” says Kathleen Peters, chief innovation officer/decision analytics North America for CUESolutions provider Experian, Costa Mesa, California.
For instance, Peters reports that some fraudsters will initiate a relationship with a CU by becoming a member and opening a checking account to facilitate fraud in the future. “A key takeaway for credit unions is to have a holistic fraud detection strategy across your portfolio, even on accounts that might not seem that risky, such as checking accounts,” she says.
The increasing risk of fraud demands a correspondingly heightened emphasis on risk mitigation. “Most financial institutions are reporting at least a 10% increase of fraud attacks, and that certainly requires a much more comprehensive view of identity risks for their customers,” says Kimberly Sutherland, VP/fraud and identity strategy for LexisNexis Risk Solutions, Atlanta. “We highly recommend using a combination of physical and digital identity access to make those risk determinations.”
As an example, Sutherland points to the importance of confirming consumers’ email addresses. “Verifying the association and usage of an email address is as important as understanding someone’s phone number or physical address, especially if it’s an address that has been used by multiple devices and multiple identities,” she says.
In addition, Sutherland stresses the urgency of knowing the origin of a digital transaction, whether it’s coming from inside the U.S. or elsewhere. “You also need to assess the risk of the device the consumer is using,” she advises. “Is there malware on the device? Is it associated with more than one account? We think looking at consumer identity from a broad perspective is important. A multilayered solution works best for authenticating that the information provided by an individual actually belongs to them.”
Taking a proactive approach against fraud is vital to the bottom line of financial services entities. “We’re seeing in our reporting that the cost of fraud continues to increase year over year,” Sutherland says. “As we report in the 2021 edition of the LexisNexis True Cost of Fraud [study], every dollar of fraud loss costs U.S. financial services companies $4. That’s why being able to detect fraud and … reducing fraud losses have become so imperative for businesses.”
Types of Attacks
Making fraud prevention all the more challenging is the fact that fraudsters are continually coming up with new scams. Among the most pervasive are such social engineering attacks as phishing, which tricks the victim into sharing personal information, and spoofing, which entails a fraudster creating a falsified website, social media account, email address or mobile app to convince a victim they are interacting with a legitimate business.
“The most important thing that credit unions can do is educate their members about these scams,” says CUES member Shawn Gaffney, fraud prevention supervisor at $1.2 billion The Summit Federal Credit Union in Rochester, New York. For example, “let them know that ‘we’re not going to be calling or emailing you to provide us with any information regarding your debit card or login information.’ That was a big strategy for us in mitigating the uptick in fraud attempts during the pandemic.”
Gaffney notes that there has also been a sharp acceleration in debit and credit card fraud. “Over the last five years, we’ve seen an annual increase of about 15% in debit card fraud each year. To thwart that, we recommend using data analytics—for instance, looking to see if there are common merchants, if there are certain merchant category codes that are more susceptible to fraud, if there are certain transactions originating out of certain countries, and developing robust BIN (bank identification number) restriction rules to stop fraud in its tracks. We also ask members to respond to whether an unusual transaction was authorized or unauthorized so that we can quickly identify a fraud attempt.”
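The analytics Gaffney describes (flagging by merchant category code, by originating country, by BIN restriction rules, and looking for merchants that recur among suspicious transactions) can be expressed as a screening pass over card transactions. The following is an added example, not code from the article or from The Summit FCU; the BINs, MCC values, country codes, limits and transactions are constructed placeholders, and the MCC meanings in the comments are assumptions.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    card_bin: str       # first six digits of the card number; the only card data kept here
    merchant: str
    mcc: str            # merchant category code
    country: str        # country of the merchant / acquirer
    amount: float
    card_present: bool


# Constructed risk lists: placeholders, not any credit union's real lists
HIGH_RISK_MCCS = {"6051", "7995"}      # assumed: quasi-cash and gambling categories
BLOCKED_COUNTRIES = {"ZZ"}             # placeholder country code on a deny list
HOME_COUNTRY = "US"

# BIN restriction rules keyed by the CU's own (placeholder) BINs
BIN_RULES = {
    "411111": {"domestic_only": True, "cnp_limit": 500.0},
    "522222": {"domestic_only": False, "cnp_limit": 1500.0},
}


def evaluate(txn: Txn) -> list[str]:
    """Return the names of the rules a transaction trips; an empty list means it passes."""
    reasons = []
    if txn.mcc in HIGH_RISK_MCCS:
        reasons.append("high-risk-mcc")
    if txn.country in BLOCKED_COUNTRIES:
        reasons.append("blocked-country")
    rule = BIN_RULES.get(txn.card_bin)
    if rule is None:
        # A BIN the credit union does not issue should never reach its authorization path
        reasons.append("unknown-bin")
    else:
        if rule["domestic_only"] and txn.country != HOME_COUNTRY:
            reasons.append("bin-domestic-only")
        if not txn.card_present and txn.amount > rule["cnp_limit"]:
            reasons.append("bin-cnp-limit")
    return reasons


def screen(txns: list[Txn]) -> dict[str, list[str]]:
    """Map each flagged txn_id to its reasons; transactions that pass are omitted."""
    return {t.txn_id: r for t in txns if (r := evaluate(t))}


def recurring_merchants(txns: list[Txn], flagged: dict[str, list[str]], min_count: int = 2) -> dict[str, int]:
    """Merchants that show up in at least min_count flagged transactions (candidates for a closer look)."""
    counts = Counter(t.merchant for t in txns if t.txn_id in flagged)
    return {m: n for m, n in counts.items() if n >= min_count}


# Constructed sample batch (hypothetical merchants and values)
SAMPLE_TXNS = [
    Txn("t1", "411111", "Grocer A", "5411", "US", 42.10, True),
    Txn("t2", "411111", "Casino Online", "7995", "MT", 200.00, False),
    Txn("t3", "522222", "Electronics Shop", "5732", "ZZ", 1800.00, False),
    Txn("t4", "999999", "Grocer A", "5411", "US", 10.00, True),
    Txn("t5", "522222", "Casino Online", "7995", "MT", 50.00, False),
]

if __name__ == "__main__":
    flagged = screen(SAMPLE_TXNS)
    for txn_id, reasons in flagged.items():
        print(txn_id, reasons)
    print("recurring merchants among flagged:", recurring_merchants(SAMPLE_TXNS, flagged))
```

Each flagged transaction carries the rule names that tripped it, which is what a fraud analyst needs when asking the member whether the transaction was authorized; the member's answer can then be fed back to tune the lists and limits rather than left as a one-off decision.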
At The Summit FCU, Gaffney leads a fraud-prevention team of four staff members who spend much of their time fortifying the vulnerable areas that fraudsters typically exploit to gain access to members’ personal information. “We focus on the touchpoints for processes where fraudsters hang out, whether it’s the login process or someone having their email hacked,” he says. “We look at areas where the exposure is and ask, ‘Do we have the right controls for online password resets, or do we need something a bit more robust?’ We want to be proactive rather than reactive by having the right controls in place.”
In addition to warning members against giving out personal information to entities that could be masquerading as their CU, another way to thwart fraudsters is to take advantage of tools that monitor the web for these types of attacks, Sachse says. “For instance, one of the products we use in delivery of our services to our clients is ZeroFox, which uses proactive intelligence to disrupt spoofing and other impersonation schemes,” he reports.
In addition to phishing and spoofing, ransomware is another major cyber threat. In its 2022 Future of Fraud Forecast, Experian identifies ransomware as one of five key threats, citing statistics that put ransomware-related costs at $590 million for the first six months of 2021, exceeding the $416 million reported for the entirety of 2020.
Ransomware is a type of malicious software that blocks a company’s access to its own information, controls and data. “Fraudsters request money to give access back, causing businesses to lose money from not only being unable to operate but having to pay out the unexpected ransom expense,” Peters reports. “Not only does an attack like this halt a business’s ability to operate, but often their employees’ and customers’ information is also compromised, setting off a chain of possible fraudulent activity that extends beyond the business.”
Sachse stresses the importance of being prepared for the possibility of ransomware attacks. “We have an educational program that we offer at credit unions, which describes the journey of a ransomware attack,” he says. “How well you’ve protected yourself determines how quickly you can respond and recover from the event. We’ve seen organizations down for weeks and even months because they were not well-prepared. Conversely, those who are prepared can be back up and running very quickly.”
Building Your Cybersecurity Response
While fraud is evolving faster than ever, so too are the tools that have been created to fight it. “By combining data, innovative technology and advanced analytics, credit unions can combat fraud before it happens,” Peters says. “Implementing a multilayered approach allows credit unions to be flexible and apply just the right amount of fraud detection techniques at the right time based on the level of risk.”
Many components go into building an effective cybersecurity strategy. “It’s like building a football team of sorts, where you go out and buy a variety of cybersecurity tools and put them all together,” Sachse says. “You have antivirus protection, firewalls and login monitoring, but in order to be effective—in order to win the game—you have to be able to work together as a team and execute your plan in a collaborative and coordinated way. This means having not only the tools but also the services, whether that comes internally from a team that’s large enough to coordinate the effort and has the expertise to do so or by finding a partner that can spearhead that effort for you.”
If possible, CUs should have a dedicated team whose full-time responsibility is fraud prevention, Sachse advises, because “otherwise it often becomes an afterthought.”
At $850 million Christian Financial Credit Union in the Detroit metro area, an internal IT security team of six professionals is responsible for spearheading the organization’s preparedness and incident response plans that outline a playbook in the event of fraud.
“The team includes people from our risk department, information technology department and audit department whose full-time job is the safety and security of our members’ data,” says CUES member Patty Campbell, president/CEO. “All of the team members have received or continue to receive training in the latest developments in the cybersecurity environment.”
In this atmosphere of heightened vulnerability, Campbell reports that Christian Financial CU has committed to allocating more resources toward cybersecurity and fraud prevention. “It’s part of our business model,” she says. “Safety and security are a strategic pillar for our organization, and we’re engaging with our members to help in that regard as well. So, for instance, we ask our members to use credit card controls, we ask them to engage in online banking and set up alerts so that they know what’s happening with their accounts, and we’re constantly monitoring all of our systems to ensure that we’re doing what we need to do to protect their assets.”
As part of its anti-fraud effort, Christian Financial CU engages the services of third-party vendors to complement the expertise of its internal team. “One of the companies we work with is Think|Stack,” Campbell reports. “Using third parties is key, because you’ve built the controls, but you want to have third parties who can test them for you.”
Peters stresses the importance of working with a trusted partner who can help implement the right tools and solutions. “At Experian, we are constantly innovating and finding new ways to harness the power of data to help fight fraud for both consumers and businesses,” she says.
As fraud increases, there is growing demand for sharing risk intelligence, which requires the assistance of cybersecurity experts, Sutherland notes. “At LexisNexis Risk Solutions, we have built networks that allow businesses to share information about known fraud attempts and get more insight around the risk of a device or a particular identity,” she reports. “We also work with financial institutions to help reduce the fraud risks associated with new account opening, logins and payment transactions.”
Ways to Combat Fraud
Vendors and credit unions alike agree that a proactive approach is needed to effectively combat fraud. Our industry experts discuss six best practices below.
1. Use two-factor or multifactor authentication. “We put multifactor authentication processes in place where applicable,” Gaffney says. “For instance, when somebody is trying to log in from an unrecognized device, they may have to answer a security question or use a one-time passcode that is sent to their email address.”
Sutherland observes that adding another form of authentication to the login process may be seen as adding friction, which is contrary to many financial institutions’ focus on creating a positive customer experience. “But there is such a thing as eliminating too much friction, especially in this increasingly digital environment,” she says. “Is two-factor authentication a reasonable tradeoff as a safeguard against fraud? That is something that all financial institutions need to consider as they try to figure out the balance in the risk-to-friction equation.”
2. Look for common points of compromise. A common POC is typically a merchant or website that has suffered a security breach resulting in multiple cards or accounts being at risk. To identify these risks, Christian Financial CU monitors its members’ accounts for anything outside the norm. “We then do outreach with the member,” Campbell reports. “If they confirm it was an unauthorized transaction, we use the data in our system to see where their credit card was used and if there are other members that used their card at that same place.”
The CU can then reissue cards to all individuals who used that establishment during the same time period, Campbell explains.
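The common-point-of-compromise analysis described in this step (start from member-confirmed fraud, find the merchant those cards share, then identify every card used there in the same period) is the following added example. It is not code from the article or from Christian Financial CU; the card identifiers, merchants and dates are constructed, and card IDs are internal tokens rather than card numbers.

```python
from collections import defaultdict
from datetime import date

# Constructed transaction history: (card_id, merchant, transaction date)
HISTORY = [
    ("C1", "GasMart", date(2022, 3, 1)),
    ("C1", "PizzaPlace", date(2022, 3, 2)),
    ("C4", "GasMart", date(2022, 3, 2)),
    ("C6", "PizzaPlace", date(2022, 3, 2)),
    ("C2", "GasMart", date(2022, 3, 3)),
    ("C3", "GasMart", date(2022, 3, 4)),
    ("C2", "Bookstore", date(2022, 3, 5)),
    ("C4", "Bookstore", date(2022, 3, 6)),
    ("C5", "GasMart", date(2022, 4, 20)),
]

# Cards whose owners confirmed an unauthorized transaction during outreach (constructed)
CONFIRMED_FRAUD_CARDS = {"C1", "C2", "C3"}


def candidate_points_of_compromise(history, confirmed_cards, min_confirmed=2):
    """Rank merchants by how many confirmed-fraud cards transacted there.

    Returns (merchant, confirmed_card_count, share_of_all_cards) tuples, most suspicious first.
    The share guards against large merchants that every member uses anyway.
    """
    confirmed_at = defaultdict(set)
    all_at = defaultdict(set)
    for card, merchant, _when in history:
        all_at[merchant].add(card)
        if card in confirmed_cards:
            confirmed_at[merchant].add(card)
    ranked = [
        (m, len(cards), len(cards) / len(all_at[m]))
        for m, cards in confirmed_at.items()
        if len(cards) >= min_confirmed
    ]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


def exposure_window(history, merchant, confirmed_cards):
    """Earliest and latest dates on which a confirmed-fraud card used the merchant."""
    dates = [when for card, m, when in history if m == merchant and card in confirmed_cards]
    return min(dates), max(dates)


def cards_to_reissue(history, merchant, start, end):
    """Every card used at the merchant inside the exposure window, confirmed or not."""
    return sorted({card for card, m, when in history if m == merchant and start <= when <= end})


if __name__ == "__main__":
    for merchant, n_confirmed, share in candidate_points_of_compromise(HISTORY, CONFIRMED_FRAUD_CARDS):
        start, end = exposure_window(HISTORY, merchant, CONFIRMED_FRAUD_CARDS)
        print(f"{merchant}: {n_confirmed} confirmed cards ({share:.0%} of cards seen), window {start}..{end}")
        print("  reissue:", cards_to_reissue(HISTORY, merchant, start, end))
```

In the constructed data, GasMart is the only merchant shared by two or more confirmed cards, so it is the candidate point of compromise; the reissue list includes C4, which transacted there in the window but has not reported fraud yet, and excludes C5, whose visit falls outside it.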
3. Educate your members. Christian Financial CU regularly reaches out to members via email and social media to advise them on how to protect their identity. “It’s similar to how, in the old days, … somebody would protect their wallet by keeping it in their front pocket,” Campbell says. “Now we’re telling people to protect themselves by being careful with their personal information and using tools we have built internally for that purpose.”
The Summit FCU provides fraud-prevention education to its members in a variety of ways, such as blog posts and identifying potential scams in a special Fraud Prevention Center on its website. “We also have a business development representative who goes to member companies (select employee groups) to provide lunch-and-learns, with one of the topics being identity theft and fraud,” Gaffney reports.
4. Do your research. Gaffney recommends that CUs stay abreast of the latest fraud schemes by looking at trade group discussions, participating in vendor webinars and checking such sites as the Federal Trade Commission, Internet Crime Complaint Center, and U.S. Postal Inspection Service, as well as fraud alerts from CUNA and NCUA.
“My motto is ‘fraud never sleeps,’” Gaffney says. “It’s a matter of staying on top of it and knowing what’s happening out there, because the best way to combat fraud is to know what your exposure is.”
5. Conduct tabletop exercises. Sachse recommends conducting disaster recovery tabletop exercises for such threats as ransomware, malware and denial-of-service attacks. “Running through these exercises will help ensure that the systems you have in place will work if and when you have a breach,” Sachse says. “You can do what is called threat hunting, which involves having somebody external to the credit union try to break in and see if there are weaknesses.”
It’s best to do these exercises at least quarterly, Sachse adds. “We’ll teach a credit union how to do them, but once they’ve done them a couple times, they can generally do these exercises themselves.”
6. Regularly review. “Credit unions should review their fraud-prevention processes to ensure they follow a specific string of pass-and-fail actions that help them detect risks, verify identities, flag potentially fraudulent activity and, if a fraud gets through, see how the attacker beat their defenses,” Peters advises. Monitoring systems should be regularly watching for abnormalities and spikes in fraud that may signal an attack. “Barring any major concerns, a comprehensive fraud analysis should be conducted at least annually.” Then CUs can begin forensic reviews on specific fraud cases that may indicate worrisome trends that require attention.
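One way to watch for the "spikes in fraud that may signal an attack" mentioned in this step is to compare each day's confirmed-fraud count against a trailing baseline. The following is an added example, not code from Experian or from the article; the daily counts are constructed. It also shows an edge case worth handling: once a spike day is admitted into the baseline, it inflates the baseline's variance and can mask a second spike a few days later, so alerted days are excluded from later baselines.

```python
from statistics import mean, pstdev

# Constructed daily counts of confirmed-fraud cases; days 8 and 10 are abnormal
DAILY_FRAUD_COUNTS = [4, 5, 3, 6, 4, 5, 4, 5, 21, 4, 15]


def detect_spikes(daily_counts, baseline_days=7, threshold=3.0, min_sigma=1.0, exclude_alerted=True):
    """Flag days whose count is at least `threshold` standard deviations above the trailing baseline.

    The baseline is the last `baseline_days` days; with exclude_alerted=True, days that
    already raised an alert are skipped so one spike does not hide the next.
    min_sigma stops a very flat baseline from turning every small bump into an alert.
    Returns (day_index, count, z_score) tuples.
    """
    alerts = []
    alerted = set()
    for i, count in enumerate(daily_counts):
        candidates = [j for j in range(i) if not (exclude_alerted and j in alerted)]
        if len(candidates) < baseline_days:
            continue  # not enough history yet
        window = [daily_counts[j] for j in candidates[-baseline_days:]]
        mu = mean(window)
        sigma = max(pstdev(window), min_sigma)
        z = (count - mu) / sigma
        if z >= threshold:
            alerts.append((i, count, round(z, 2)))
            alerted.add(i)
    return alerts


if __name__ == "__main__":
    print("alerts (contaminated baseline):", detect_spikes(DAILY_FRAUD_COUNTS, exclude_alerted=False))
    print("alerts (alerted days excluded): ", detect_spikes(DAILY_FRAUD_COUNTS))
```

With the contaminated baseline only day 8 is caught; the day-8 count raises the trailing standard deviation enough that day 10 scores well under the threshold. Excluding alerted days restores a normal baseline and day 10 is flagged as well. Each alert is the starting point for the forensic review Peters describes, not a verdict on its own.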
Peters acknowledges that the potential for fraud can never be eliminated. “Some level of risk has to be tolerated in order to provide members with positive experiences. Setting goals and objectives tied to fraud will help mitigate the impact when fraud occurs. If a credit union does not have that goal defined, they can start with current benchmarks and find ways to trim losses.”
Based in Missouri, Diane Franklin is a longtime contributor to Credit Union Management magazine.