Vigilance wins the day

Tracking ever-evolving fraud threats is the secret to staying ahead of them.

August 27, 2021

Even credit unions that have made recent investments in preventive technologies and offer robust fraud education for members and employees can benefit from learning what risks other financial institutions face.

Doing so informs credit unions about the defenses they should employ, says Idrees Rafiq Jr., vice president, IT consulting, for Cornerstone Resources.


  • Identify and understand emerging fraud trends to understand scammers’ priorities.
  • Work with law enforcement to identify scams in your area.
  • Board focus: Maintain up-to-date policies and procedures that address the current fraud climate.

If, for example, area institutions report “vishing” scams, whereby fraudsters make random calls to consumers with caller ID showing the name of a particular credit union to elicit login credentials or other personal information, you may want to post a warning on your own website, Rafiq says.

Michigan State University Federal Credit Union in East Lansing embraces this approach. It’s part of a local group of financial institutions and law enforcement agencies that aims to reduce fraud, says Deidre Davis, chief marketing officer at the $6.3 billion asset credit union.

“It’s great to see the collaboration,” she says. “Together we all become more effective at preventing fraud.”

Core processing vendors also provide a window into trends, says Sheilah Montgomery, CEO of $26 million asset FAMU Federal Credit Union in Tallahassee, Fla. Although vendors can’t share specifics about other institutions, “they communicate to us if there are threats out there,” she says.

It’s also important to monitor member transactions, Davis says. For example, if the credit union’s call center receives two calls within hours from members saying their credit card has a charge they didn’t make, that will be reported to the credit union’s card department to quickly investigate.

The call center is the first line of defense at $227 million asset Texoma Community Credit Union in Wichita Falls, Texas, says Chris Hansard, information technology manager. “Our call center is trained to be on the lookout for anything unusual.”

One truth holds true when it comes to fraud: Scammers seize on every available opportunity. For instance, while the pandemic accelerated credit union digital offerings and adoption, it created just as many opportunities for fraudsters, according to the Financial Crimes Enforcement Network (FinCEN). 

The agency reports a jump in “Suspicious Receipt of Government Payments/Benefits” from 380 in 2019 to 14,509 in 2020.

The increase in the adoption of mobile and online services during the past 18 months is likely to continue, and digital channels “increase the inherent risk by way of increasing the attack surface,” says Miguel Hablutzel, vice president of strategy at SilverSky, a CUNA Strategic Services alliance provider.

‘Our call center is trained to be on the lookout for anything unusual.’
Chris Hansard

Today’s top scams

Some members will always be vulnerable to romance, and the sense of detachment the pandemic has created for many has fed a new fraud trend as well, according to Michael Barry, chief information officer at $1.2 billion asset Gulf Coast Educators Federal Credit Union in Pasadena, Texas.

Barry provides an example where the victim fell to someone’s profession of love and responded to pleas to send money. “Unfortunately, there are always people who are vulnerable to this,” he says.

Another threat that arose during the pandemic were “money mule” scams. Members received messages that they won money or landed a job but had to transfer some of the prize money or salary that landed in their account erroneously. Barry says these scams may abate as the economy strengthens.

A major threat enabled by digital infrastructure is account takeover, says Andrew Corbett, senior presales consultant at NICE Actimize. As the name implies, an account takeover involves crooks obtaining login credentials through various means and then taking control of the member’s account.

With such access, they can transfer funds to themselves, gain access to additional accounts, and even open new accounts.

Corbett estimates the 2,978 reports of account takeovers at credit unions in 2020 represent just 10% of the actual total. 

“By its very nature, account takeover isn’t seen in real time, and institutions often don’t have all the information needed to file a report after its discovery,” he says.

Click to enlarge.  

One longtime concern, credit and debit card fraud, has grown even more insidious, with a vast underground network of websites offering card numbers for sale, according to Rafiq.

He says an army of crooks exists who supply these sites with valid card numbers by skimming ATMs or embedding malware within online shopping sites.

Another type of fraud garnering headlines is ransomware, a malicious software that prevents organizations from accessing their data. As the name implies, scammers then demand a ransom to unlock the data.

“No type of business can ignore ransomware,” says Hansard, noting that while many of these attacks draw media coverage, many go unreported.

If crooks gain entry into a credit union, they could wreak two types of damage: shutting down operations and seizing member information, he adds.

Scammers also steal identities in multiple ways, from scraping identifying information people unwittingly leave on social media to phishing and vishing scams. They use that false identification to commit account takeovers and other fraud.

NEXT: Defensive measures

Defensive measures

Education is key to preventing members and employees from placing personal information on social media or falling for phishing and vishing scams, experts say.

Technology also serves a purpose. Third-party providers, for example, offer services that allow credit unions to monitor networks and spot suspicious activity, such as an employee copying an unusually large number of files, an indication of malware being installed.

Corbett believes artificial intelligence (AI) tools, which learn members’ habits, is now essential for thwarting account takeover.

AI can detect anomalies, such as a transaction initiated at 1 a.m. when a member previously only logs in during the daytime. It can also determine if a request comes from an Android device when the member has previously used an iPhone.

Whatever its components, defense starts with a recognition of the risks, Montgomery says. “We have been here for 86 years, and we want to be here another 86. Any information that comes out that we are lax about security could shut us down.”

Additionally, even being temporarily unable to access funds could be “devastating” to members, she says, adding that FAMU Federal’s board is aware of the consequences and supports fraud protections.

‘Together we all become more effective at preventing fraud.’
Deidre Davis

The right balance

“I don’t want to throw a tool at a problem that isn’t there,” says Barry, describing the delicate balance of fraud protection versus service “friction,” whereby constructing layers of defense are more irksome and inconvenient for members than the fraud threat.

For instance, requiring a member to answer security questions and input a code they receive via text or email may be unnecessary for commonplace transactions such as transferring a small sum from savings to checking. This would be necessary for an unusual wire transfer.

In the end, fraud is always under watch, and measures must be appropriate to the situation.

In the call center example Davis provided, receiving two calls within hours on suspicious card charges, Michigan State University Federal may respond by communicating with the affected members and watching the situation rather than immediately blocking all transactions from a particular retailer.

The credit union weighs the need to prevent undue panic or widespread inconvenience for members against further fraud, Davis says. “We are careful about the balance.”

This article appeared in the Summer 2021 issue of Credit Union Magazine. Subscribe here.