As an industry, we’ve made significant strides to reduce fraud and minimize the financial impact to consumers and businesses. Despite our efforts, criminals have continued to explore alternative avenues, new and old, to steal member information and use it for nefarious purposes.

It’s a constant search for the vulnerabilities within every credit union’s defenses. With so many technological advancements, many criminals have identified humans as the weakest link.

No matter how informed we are or how cautious we tend to be, we are all susceptible to fraud attacks—specifically phishing scams. As many of these scams become more sophisticated, it becomes difficult for members to differentiate legitimate communications from fraudulent ones.

While many credit unions have taken steps to educate members and employees on the telltale signs and pitfalls of phishing scams, education isn’t enough. People tend to re-use the same usernames and passwords so they have fewer to remember.

This means the credentials needed to access a credit union account might be stolen from somewhere else. According to Experian’s 2019 Global Identity and Fraud Report, more than two in five consumers worldwide have already experienced a fraudulent event online during some point in their lives.

Consider a credit union member who belongs to any online group—like a community organization, charity group, athletic association, or the parent organization for their child’s school. Now consider the high likelihood that the member uses the same credentials for those online relationships that they use to access their credit union accounts.

The point is, a phishing attempt doesn’t have to impersonate the credit union to steal the account credentials. The member might be phished by a criminal impersonating any of those other entities.

Once the information is phished, the criminal only needs to know which credit union to access. This is where breached data and social media vulnerability come into play.

The “dark web” isn’t just a scary idea, it’s a real place where that information is for sale.

Credit unions cannot control a member who uses the same credentials with other online accounts, nor can they protect members everywhere they go. If credit unions rely solely on their members to protect their systems from phishing attacks, it may only be a matter of time before they are infiltrated.

It falls on credit unions to protect themselves, as well as their members’ information and accounts. And in fact, more businesses recognize this.

Our research also shows that nearly 75% of businesses globally reported an improvement in online security. A multi-layered approach that relies on data and intelligence to passively authenticate individuals and challenge them for additional verification when appropriate is the best way to minimize the fraud threat.

Advanced analytics enable machine learning with innovative data to detect anomalies that indicate fraudulent behavior. More secure verification processes that leverage physical and behavioral biometrics and document verification allow good members to continue online activity with little or no friction.

If an individual’s credentials are compromised, these barriers prevent the real damage that results from unauthorized access to a member’s account information.

Ultimately, it is important to educate members and employees on how to avoid falling victim to phishing scams. But credit unions need to take more aggressive action to protect their systems and members.

While a silver bullet for fraud detection does not exist, the data and technology are available to help credit unions make the right fraud decisions and protect members’ identities and accounts. We all need to stay ahead of the criminals, and the technologies that enable credit unions to do this are available.

CHRIS RYAN is Experian’s senior fraud solutions consultant.