Fraud is getting worse. How can credit unions fight back against a nightmare scenario?
The stand-off between credit unions and fraudsters is no longer a stand-off. The fraudsters are winning. “Fraud is growing rapidly,” reports Al Pascual, senior principal and enterprise solutions lead at credit reporting agency TransUnion, Chicago. “The situation is unstable. Financial institutions are always on their back foot, reacting to the new threats that keep coming.”
Those threats are growing. Card fraud in the U.S. was up 35% in 2022, reports Nicole Reyes, director of fraud prevention at CUES Supplier member Co-op Solutions, Rancho Cucamonga, California.
“There’s been a real shift to digitization in the landscape post-pandemic,” Reyes notes. “We’re moving to digital payment operations, and so are the fraudsters. They’re usually a step ahead of everyone, so the industry is often playing catch-up.”
There are plenty of horror stories in the person-to-person payments world, for example, where fraud losses run five to eight times higher than credit card losses, according to FrankonFraud.
“Fraudsters love P2P,” Pascual notes. When conning victims, “they once used gift cards to monetize their scam, but merchants got wise, so now they’re using P2P payments.”
Adding fuel to the fraud, cyberattacks occur every 39 seconds, reports Robyn Marsi, former director of risk services and technology at CUES Supplier member Lynx Technology Partners, New York. Humans are usually the weak link. And according to a study by Black Kite, she notes, 86% of CUs have at least one employee with credentials for sale on the dark web. (Editor's note: Marsi left her role at Lynx Technology Partners after this interview was conducted.)
But such statistics are unreliable because so much fraud goes unreported. FIs are very sensitive about their reputations. “It’s definitely an iceberg situation,” Marsi says. “The problem almost certainly is larger than we know.”
That may be about to change. Starting in September, the National Credit Union Administration will require all CUs to report fraud loss incidents within 72 hours.
Why CUs Are Losing
Why are credit unions and banks losing the fraud battle?
- Technology, especially generative AI, has handed fraudsters powerful new tools. Artificial intelligence has transformed phishing attempts, for example, from crude to sophisticated, notes Karen Postma, managing VP/risk analytics and fraud services at CUESolutions provider PSCU, St. Petersburg, Florida. “They can be a lot more personalized and credible.” Trusted voices can be used during phone scams, for instance.
- Consumer demand for convenience is shifting payments to less secure networks. P2P fraud is up because FIs lack visibility into both parties, notes Kimberly Sutherland, VP/fraud and identity strategy at LexisNexis Risk Solutions. Consumers love P2P because it’s quick and cheap, but fraudsters see it as an easy way to sweep up a lot of small-dollar transactions.
- Consumer protection regulation is shifting liability from consumers to financial institutions. Regulations like CC—the Expedited Funds Availability Act and Check 21—are increasing risk on the receiving end, Pascual points out. Traditionally, CUs worried about fraudsters taking money out of their members’ accounts. Incoming deposits were mostly not a potential liability and thus not a priority. Reg CC, since 2019, has put more fraud-prevention responsibility and liability on the receiving FI.
- Ransomware attacks are real and underreported. They are growing with generative AI, says Patti Reid, VP/fraud product strategy at CUES Supplier member Fiserv, Brookfield, Wisconsin. “It’s scary and hard to gauge because many of the attacks are not reported.” But regardless of the lack of reporting, she knows of CUs that have been hit with ransomware attacks.
One of credit unions’ most important fraud-fighting tools has been time—time between when the fraud was initiated and when the fraudster got the money and was gone. Now time is running out.
As more real-time or near-real-time payment networks gain share, fraud risk goes up—a lot, Reyes says. “The faster the money moves, the harder it is to stop fraud.”
That’s particularly bad news for financial institutions, Pascual explains, because courts and regulators are stepping up efforts to force FIs to make consumers whole. “Educating members is not nearly enough now,” he notes. “The owners of Zelle see what’s coming,” he says.
“We haven’t seen anything like this in quite a while,” Pascual reports. Smaller CUs might want to be prepared for the risks before deciding to offer Zelle or Venmo, he suggests.
P2P networks are a weak link, Marsi agrees. “I would never join one,” she adds.
Nevertheless, P2P payments have become so popular that CUs have to accommodate members, Postma says. P2P fraud is growing, but FIs have otherwise had brakes to tap—time delays as the payments clear over debit and credit card rails.
Those brakes came off this summer with the introduction of FedNow, which put P2P payments on real-time rails and giving financial institutions virtually no time to detect and block fraudulent transactions, she reports.
“It will be instant, and it will be new, with no history, no knowledge base of fraud activity,” she points out. And the transaction limits will be higher. The FedNow Service, launched in July, could carry transactions up to $100,000.
So, what playbook will CUs use to connect to FedNow? “I think a lot will start by electing to receive only, not send and receive,” Postma predicts. “Credit unions will start with receiving, which carries less risk, before opening the floodgates. That way CUs can watch, see what to expect and learn before they take the plunge.”
When Fraud Is a Business
That sounds relatively easy. What’s hard is that credit unions are welterweights fighting a determined heavyweight adversary that thinks like a businessman instead of a criminal. “Cybercrime is a sophisticated business,” Marsi explains. “The criminals are rational and very ROI-driven.
“They’ll spend money to make money. They don’t give up easily. They’ll attack where their success rate is low if just a few big scores will make it profitable.”
Fraudsters now are sophisticated and interconnected, Sutherland agrees, and once a vulnerability is found, word spreads quickly and attacks mount, sometimes within hours. That creates waves that may target certain geographies, certain industries or particular financial institutions.
What has happened to brute force attacks is revealing. They have become intelligent, Postma explains. Ten years ago, they would come in as massive waves that were fairly easy to detect and head off with thresholds and triggers, she explains. Now fraudsters can employ differentiating data like card issuance and expiration dates to craft attacks that come in as ripples that are hard to detect and prevent, she illustrates.
By combining human and artificial intelligence, fraudsters are also finding leaks in financial institutions’ authentication programs. As FIs step up authentication with one-time passcodes, fraudsters have learned that they can trick consumers with fake authentication messages, intercept passcodes or hack into the online exchange of messages to get access to accounts, Reyes explains.
Generative AI is having a huge impact on member authentication as well, Reid notes. Fraudsters now are using it to clone biometric data and pass authentication tests, she reports. “It has surged in the past six months. We’re seeing deepfake attacks that use voices and images as well as text. The avatars are becoming real.”
Generative AI like ChatGPT can make phishing very convincing. ChatGPT can now help fraudsters create individualized messages that look just like legitimate messages a credit union might use, she adds. Fraudsters are leveraging AI and bots quicker than credit unions are, and that gives them one big phishing license.
When members get a phone call from their credit unions about an account and the voice sounds familiar thanks to generative AI tools, their impulse is to cooperate, Reid says. “We see it every day. It’s a natural reaction.”
Or there’s the old “Grandma, I’m in trouble and need money” scam, which used to work once in a while. Now the phone caller can know the grandson’s name and circumstances and actually replicate his voice.
That sounds like a lot of work to con one grandma out of $1,000, but it really isn’t, Postma says. “Our voices are in a lot of databases due to voice biometrics. They’re on the dark web. It’s not hard to link data to include voice. Then tying it to family members is not a huge leap.”
Account takeovers using synthetic ID are a major headache for financial institutions, Marsi reports. For example, fraudsters can collect enough legitimate information to populate a credit card application. They succeed often.
Criminal access to a mobile banking app, Marsi points out, can allow the fraudster to change a phone number, ask for a travel exception or change a debit PIN. “None of those activities will look suspicious in itself,” she says, but if there’s a combination, look out.
A Darker Dark Web
The dark web is loaded with personal, confidential information, Marsi says. Credit unions have started hiring firms to search the dark web to find what confidential data there applies to their CU and members. Finding out what data has been compromised has some value, but it’s hard to trace where the data came from.
The exercise could be futile. “The dark web is so deep,” notes David Glaneman, Lynx manager of risk services, “that you probably won’t find what you’re looking for.”
All of this increasingly intelligent fraud is spurring account takeovers, which now don’t stop with the takeover of one account but could include all of a member’s accounts.
A card compromise, for example, could lead to a home equity line of credit takeover, Marsi notes. The HELOC could have a zero balance, but the fraudster could tap it and drain away the funds. Or they could intercept a mortgage closing wire, she illustrates. “Those things are happening a lot,” she observes.
Ransomware attacks are a huge threat but one that many small organizations think they will avoid by flying under the radar. Unfortunately, easy access to technology for fraudsters means ransomware is a threat for every organization, Marsi insists, and small CUs are wrong to think that size makes them immune.
Furthermore, many credit unions that do protect against ransomware attacks are less prepared than they think. “We do ransomware tabletop exercises,” Marsi reports, “and their defenses fall apart in a real test.”
There are rumors that some financial institutions keep cryptocurrency accounts so they can pay ransoms quickly if attacked. Glaneman hasn’t see that in his practice. “They never mention it,” he says of his clients. Besides, crypto holdings would be one of the first assets hackers would be likely to grab, he warns.
Increased regulation isn’t necessarily helping, since financial institutions have to comply but the criminals do not. The Consumer Financial Protection Bureau is preparing to shift liability for fraud losses from consumers to financial institutions—even when the victims are negligent or complicit. Fraudsters know that as consumers learn they are less liable, they likely will be less diligent, Reyes suggests.
That’s the bad news. But credit unions are resilient, highly intelligent and equipped with sophisticated prevention strategies. So what’s happening with the counterpunches?
Credit unions are fighting back with training and testing—and consequences, Marsi says. Fraud preventers are being held to a higher level of accountability. “Some credit unions are testing employees with robust phishing mock attacks, and those who fail face discipline and punishment, up to being discharged,” she reports. Several FI executives have been fired after ransomware attacks, she notes, and it’s becoming more common to deny bonuses due to lax security practices.
“No credit union can be 100% secure,” Marsi concludes, “but if a CU is not up to speed, responsible parties will discover job insecurity.”
Such behavioral biometrics as keystroke dynamics still work, Sutherland notes. The big shift to mobile banking has put a premium on data around device-centric behavior.
Among fraud-prevention weapons, financial institutions now rank behavioral biometrics second only to risk engines and ahead of third-party identity verification, credit bureau scoring, device ownership and history verification, she reports.
Behavioral biometrics involve looking at how a person interacts with his or her device—when and where they use it, how they hold it, speed of entry, number and type of keying errors, etc. Users have a pretty reliable “fingerprint,” Sutherland says. And, of course, behavioral biometrics test for whether it’s a human or a bot interacting with an app, she adds.
One notable behavior: When a member applies for a mortgage, Sutherland explains, he or she is typically inexperienced and navigates the different fields slowly, sometimes pausing and coming back. A fraudster is experienced, efficient and likely to zip through the process quickly.
Stopping fraud, of course, requires layered security. “It has to be multifactor,” Marsi insists, as no single factor—thumb prints, iris scans, voice identification—is reliable on its own.
“You need knowledge-based authentication on top of biometrics on top of behavior identification, and you need it across all accounts.” Unusual behavior on a debit card needs to put all accounts on alert, and that has to happen quickly, she explains.
“Connected intel across all channels is critical, especially when facing generative AI,” Reid adds. It’s member surveillance, seeing every one thing a member does, seeing every two things, then three things, and evaluating the connection and identifying anything suspicious, she explains, and doing it in almost real time through a fraud detection system.
Little things also count, like capturing license plate images at drive-up lanes. Whenever a fraudulent transaction is connected to a particular license plate, that plate is entered into a data base and other branches can be on the lookout for it, Pascual explains. Such information could be shared with collaborating financial institutions, especially those in the same area.
High-tech detection is transforming fraud prevention, but physical, in-person detection still matters. LexisNexis Risk Solutions helped block one large fraudulent mortgage settlement transaction for hundreds of thousands of dollars, Sutherland recounts.
It occurred when the fraudster finally had to walk into a bank branch and present physical identification. He used a fraudulent driver’s license, and a branch employee using the company’s TrueID authentication solution detected the fraud, called police, and the perp was arrested.
Fraudsters have embraced AI—but now maybe financial institutions are preparing to strike back. There are rumors that leading FIs, law enforcement and fraud-prevention vendors are experimenting with “shift-left” strategies to head off fraud attacks, Pascual explains. This means they're “evolving from a more reactive to proactive stance by looking for indicators of suspicious activity or fraud before an adverse event can or does occur.”
Criminals in the digital world are building networks, planting malware, lining up resources and planning attacks, Pascual continues. It’s not easy or cheap, but there are ways to anticipate attacks before they occur. The criminals are dissecting their targets. There are efforts now by major players (the good guys) to dissect their dissecting and get ahead of the fraud instead of being reactive, he reports.
“The good guys could use intel to find out who will be targeted. They could see what information has been compromised. They could detect criminal probing. When the first attempt is made on a particular target, they might know immediately whether it’s a good or a bad actor.” cues icon
Richard H. Gamble writes from Grand Junction, Colorado.