New Tools for New Fraud

Contributing Writer
member of Bellco Credit Union

As opportunistic fraud evolves, credit unions fight back in a battle that keeps accelerating.

The contest between fraudsters trying to steal money and credit unions trying to stop them never pauses and never slows down.

“You just try to be a moving target, keeping a couple of steps ahead of the crooks,” notes Chris Guard, VP/compliance and fraud at $40 billion North Carolina State Employees’ Credit Union, Raleigh. “But these days everything is moving faster, so you can’t let up.” When fraud innovations work, they spread, and they often surface first at the largest financial institutions. So if you’re plugged into intelligence about the latest scams, you may have time to make a defensive move before you get hit, he explains.

Technology keeps changing the terrain and the weapons in the fight against fraud. If Willie Sutton once robbed banks because “that’s where the money is,” he’d need to adjust his approach today because now the money is data in databases. That’s where today’s robbers are turning and where today’s security guardians are primarily focused. 

“The world made a gigantic leap from paper money to digital money, so that’s where the war is being fought,” says Karl Kaluza, VP/marketing and communications at CUES Supplier member Member Access Processing LLC, Kent, Washington.

Information is as priceless to credit unions as it is to fraudsters, and information is still processed by people as well as systems. “Financial institutions talk,” Kaluza notes. They do it in forums and on websites hosted by vendors or card brands, and sometimes over the phone among informal peer groups. “If something new surfaces in one location or with one merchant, credit unions spread the word so that others get early warnings,” he explains.

“We’re usually not the first to feel a new type of fraud,” notes CUES member Jeffrey Pascoe, VP/digital services and payments at $912 million Vibe Credit Union, Novi, Michigan, so it pays to maintain a high level of market intelligence, to learn what your processors are seeing in other markets and to participate with peers in networking sites and events. “Through networking, we can see fraud trends so when they appear, we are able to more quickly respond to minimize impact to the credit union and our members.” 

Areas of Attack

What Pascoe was seeing last summer was an uptick in internet-based fraud using fake merchants and fake medical facilities. “Merchant and other data breaches continue to be a large vulnerability,” he says. “Even though the data is stolen online, we’re seeing a large number of these fraudsters use fake cards in person.”

Guard has seen a resurgence of check fraud. “With Check 21 and faster settlement, fraudsters moved on to greener pastures. But now that financial institutions have focused on other, newer forms of fraud, fraudsters are going after checks again because they are getting less attention.” 

Another area to monitor closely is international travel—fraudsters submitting fake travel notifications to increase the chances that irregular transactions will be accepted, Pascoe points out. And, of course, “we continue to monitor for fraudulent membership and loan applications.”

Payment card fraud is no longer the most serious exposure, reports John Buzzard, industry fraud specialist at CUES Supplier member CO-OP Financial Services, Rancho Cucamonga, California, and previously principal of the counterfeit ATM fraud operation at FICO (formerly Fair Isaac), San Jose, California. Card fraud can sometimes fall into third place on the threat meter when large-scale data breaches flood the dark web with valuable personally identifiable information, he notes. 

“Card-present fraud was extremely strong between 2016 and 2017, but this has dissipated significantly as more card fraud shifts into the card-not-present category due to the presence of chip-enabled payments. We do still see a plethora of issues at gas pumps where the liability shift doesn’t occur until next year,” he notes. But overall, there has been a slight decline in card fraud and “no financial institution is really hemorrhaging, due in part to ongoing fraud prevention strategy.” Analyzing card fraud by merchant category type is important, he adds. 

There is a good bit of deposit fraud occurring today, Buzzard says, where fraudsters prey on naïve and greedy or needy people with offers that “pay” the victim with a tempting check or deposit into their account in exchange for something of value. The fraudster is long gone when the check or deposit bounces. 

“It’s sad,” he observes. “Some victims think they have been hired for work-at-home jobs.” In most cases, it’s the person, not the financial institution, that bears those losses, he adds.

Guard also reports an industry uptick in deposit fraud targeting older members. It’s hard to know how much members are losing because only about 20% of them report it, he estimates, citing similar figures, ranging from 10-25%, reported by the American Association of Retired People, the Federal Bureau of Investigation, the Federal Trade Commission and other agencies based on their research.

When members give out their credentials, often in response to an attractive offer, they are the ones defrauded and bear the loss, Guard explains. In contrast, there are rules around card and ACH transactions that sometimes require CUs to make members whole when fraud occurs, depending on the circumstances.

Along with this low-tech trend, online fraudulent activity continues to evolve and flourish. Now that fraud is being perpetrated using big data, the risk is far greater than breaking into bank accounts. “There’s an active market on the dark web for data acquired from hacking,” Buzzard points out. “Criminals now have unprecedented potential access to things that can deliver value.”

It’s not just traditional money held by financial institutions, he points out. “It is often just as valuable for fraudsters to steal a Netflix login or get into someone’s Uber or Lyft account. Reselling stolen logins is a lucrative way for fraudsters to monetize stolen information either by using the services directly or by selling the data to other criminals who simply want a free ride.”

Data breaches make authentication tougher due to exposed health records and information colleges and universities collect as well as financial data, Buzzard reports. “The LabCorp and Quest Diagnostics breaches exposed the data of 20 million people,” he observes. “Healthcare organizations and universities have delivered a ton of personal data to fraudsters for the last several years.”

Finding the Right Balance

The goal of fraud-fighting is not total prevention but keeping fraud within an acceptable range. “Credit unions have to continually ask the question, ‘How would our members be affected if we took a more aggressive position on declining irregular transactions to reduce fraud?’” Buzzard points out. “Everyone is striving for a frictionless member experience whenever possible,” so overly rigorous fraud control can be detrimental.

How aggressively a credit union uses fraud prevention tools is a strategic decision that requires weighing how much risk the institution feels comfortable with against how much convenience it wants to offer members, Buzzard says. When fraud losses fall outside the target range, financial institutions tighten or loosen their approval rates, Pascoe explains. If the fraud losses are too low, it may be a sign that they are denying too many transactions and causing friction for members, blocking some of their legitimate purchases. If the losses are too high, it’s a sign that financial institutions are tolerating too many borderline situations and causing too much loss, he points out. 

The target range for card fraud is typically 12-14 basis points of total transaction value, Pascoe reports. “That’s what the card brands report, and it’s the primary fraud metric.” Card losses now come primarily from card-not-present transactions and fuel dispensers that do not use chip technology, he says. “Fraudsters go after the weak spots, and gas stations are one of today’s weak spots.”

To the extent that fighting financial fraud relies on good tools, CUs are pretty well armed, Buzzard says. “The available tools are good; they work,” he notes. Both sides draw from a powerful technology arsenal. “There are good products out there that credit unions can use in a layered approach. There are ways to authenticate a user’s mobile device. There are biometrics. These do a lot to strengthen authentication in addition to the efforts put forth by credit union personnel.”

“There are a plethora of tools,” Kaluza agrees. “We use neural networks. We can look across a million data points and create profiles of how members use their cards and scores for the degree of risk in a transaction that falls outside the profile so credit unions can decide when to decline a transaction and contact the member. Member spending behavior turns out to be pretty predictable. You can often recognize a member from the way he or she uses a card.” If a charge in Bucharest pops up for a member living in Sioux City, that’s suspicious—but less so if the card was used previously to charge an airline ticket and make a deposit on a hotel in Bucharest, he illustrates.

Tools for Members and CUs

Increasingly, CUs are placing fraud prevention tools in the hands of members. “Personalization is big now,” says Kaluza. CUs are personalizing fraud controls by providing tools, such as through mobile apps, and educating members. Members can turn cards on and off at quite a few CUs, he reports. They can block certain categories of spend by merchant code—prevent any charges at casinos, liquor stores, airlines, jewelry stores or porn sites, for example. They can even block transactions over a certain amount or more than three transactions within an hour, for example, he says. And members can change the controls almost instantly. If a wallet is lost or stolen, an alert member can turn off the cards quicker than the CU could, he points out. The rules and practices concerning cardholder liability for fraud losses have not changed, he adds.
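
The member-set controls described above (card on/off, blocked merchant categories, an amount cap and a limit of three transactions an hour) amount to an ordered set of authorization checks. The sketch below is an added illustration, not code from any credit union or vendor named in this article; the class and function names, the merchant category codes and the sample transactions are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

@dataclass
class CardControls:
    """Member-set controls (hypothetical model, not a vendor API)."""
    card_on: bool = True
    blocked_mccs: Set[str] = field(default_factory=set)
    max_amount: Optional[float] = None       # per-transaction cap
    max_txns: int = 3                        # approvals allowed per window
    window: timedelta = timedelta(hours=1)

@dataclass
class Card:
    controls: CardControls
    approved_at: List[datetime] = field(default_factory=list)

def authorize(card: Card, mcc: str, amount: float, when: datetime) -> str:
    """Return APPROVE or a decline reason; the on/off switch is checked first."""
    c = card.controls
    if not c.card_on:                        # lost/stolen switch wins over all
        return "DECLINE_CARD_OFF"
    if mcc in c.blocked_mccs:
        return "DECLINE_BLOCKED_CATEGORY"
    if c.max_amount is not None and amount > c.max_amount:
        return "DECLINE_OVER_LIMIT"
    # Sliding window: only earlier approvals inside the last hour count.
    recent = [t for t in card.approved_at if when - t < c.window]
    if len(recent) >= c.max_txns:
        return "DECLINE_VELOCITY"
    card.approved_at = recent + [when]       # declines never consume quota
    return "APPROVE"

def run_sample() -> List[str]:
    """Constructed transactions; MCCs are sample values for illustration."""
    controls = CardControls(blocked_mccs={"7995", "5921"}, max_amount=500.0)
    card = Card(controls)
    noon = datetime(2019, 9, 1, 12, 0)
    txns = [("5411", 40, 0), ("7995", 20, 5), ("5411", 900, 10),
            ("5411", 10, 15), ("5411", 10, 20), ("5411", 10, 30),
            ("5411", 10, 61)]                # (mcc, amount, minutes after noon)
    results = [authorize(card, m, a, noon + timedelta(minutes=d))
               for m, a, d in txns]
    controls.card_on = False                 # member switches the card off
    results.append(authorize(card, "5411", 10, noon + timedelta(minutes=62)))
    return results

if __name__ == "__main__":
    print(run_sample())
```

In this sketch declined attempts do not count toward the hourly limit, and a change to the controls applies to the very next authorization, which is what lets an alert member shut a card off immediately.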

Some CUs offer concierge services that let a member report online when and where they will be traveling so that transactions far from home won’t be declined, Kaluza reports. This can be particularly helpful when travel plans change, saving the member a long-distance or international call to card services.

Credit unions can follow several best practices to stay on top of fraud management. Pay close attention and keep tweaking your protections as you see trends develop, Buzzard recommends. Be flexible, and keep considering the member experience. And educate members. “Warn them about scams,” he advises. “Have a statement ready about the importance of credit freezes.” 

CUs should also keep up with the latest technology and products for authentication, he adds. Such vendors as Jumio, with U.S. offices in Palo Alto, California and New York, offer identity verification and authentication solutions aimed at fighting fraud.

A final cybersecurity tool to consider is penetration testing. There is value in seeking out a dark web monitoring vendor that offers such ethical hacking services, Buzzard suggests.

Denver-based Lares LLC, for example, offers penetration testing, dark web monitoring and cybersecurity outsourcing for over 400 government and business entities, including between six and 12 CUs, reports Andrew Hay, COO.

There is cybersecurity and the illusion of cybersecurity, Hay warns. “A lot of vendors promise CU clients ‘penetration testing,’ but what they offer is just poking around to see what’s out there,” he notes. They don’t spend the time using those observations to see if they can get into secure systems or databases, he cautions.

Dark web monitoring also requires expertise, Hay explains. The dark web consists largely of forums where people buy, sell and trade information that usually is not available from public sources. You have to know where to look and how to gain access. Because these forums are trying to attract business, they usually aren’t too hard to enter, but some try to exclude parties that are just monitoring, not trading.

Hay once found a seller on the dark web offering confidential information on 15 Northeastern credit unions. He asked for names and was given just three. Anything more he’d have to pay for, he recounts.

Effective dark web monitoring can be partly automated with search technology but remains partly manual as cagey monitors do their dances with the traders they are investigating.

Despite—or rather, because of—evolving technology, today’s fraud is fought by armies, and CUs need allies. Fraud is increasingly perpetrated by criminals with access to big data, powerful systems and smart software. “As fraudsters have become more sophisticated, so have fraud prevention measures,” Pascoe points out. “You have to rely on a vendor or combination of vendors.” The front line now is primarily a clash between the fraudsters’ systems and vendors’ systems. “You can’t rely on the vendor to do it all,” he notes, “but you certainly can’t do it alone.”

Richard H. Gamble writes from Grand Junction, Colorado.
