We have all heard the saying, “An ounce of prevention is worth a pound of cure.” Still, there will be occasions when – despite everyone’s best proactive efforts – trouble arises. The ongoing war against cyber crime is no exception: Setbacks are inevitable. Fortunately, there are ways to mitigate damages and ensure fraudulent activity is not as lucrative as the scammers and thieves had intended.
Breaches are getting larger. Notably, breaches of payment card data at restaurants and fast food establishments are on the rise. However, the most alarming security failures have taken place at organizations that have complete identity profiles encompassing all of an individual’s personal information identity. The Equifax and Yahoo incursions were game changers, because they gave the fraudsters access to the complete identity profiles of millions of Americans. The stolen data included addresses, dates of birth, social security numbers, genders, phone numbers, driver’s license numbers (with issuing-state information), credit card numbers and tax IDs.
Following a data breach, the all-too common reaction might be a mad scramble of panicked activity that wastes time while losses continue to mount. A more effective response to such an event requires immediate and deliberate steps based on an understanding of the forces at work.
What should a credit union do if there has been a breach of sensitive data involving members’ cards or personal information? Here are five steps to help your credit union be prepared:
1. Ask your processor about dark web monitoring.
The dark web is often used by criminals to buy and sell stolen payment and personal information, because it is not easily accessible through a traditional web browser like Internet Explorer.
This allows the fraudsters to operate their illicit businesses with a degree of anonymity from law enforcement. A dark web monitoring service scans the many online shops set up by fraudsters to find stolen payment information before it can be used by a fraudster to commit fraud on a member’s account. This proactive approach can save your credit union much of the time and effort required to resolve and protect members from a breach.
2. Enlist members in the battle.
On a regular basis – and not just after a breach – utilize channels like your website, online banking, mobile app, statements and on-hold messages to encourage members to monitor their accounts regularly. Credit unions should promote solutions that help members be proactive in account monitoring, and they should encourage members to sign up for transaction or account activity alerts in order to help them spot suspicious activity. Mobile apps are great for this type of monitoring. In a very visible place on all channels, indicate what number to call or what to do if they feel there have been suspicious transactions involving their cards. Educating members will help them identify and report suspicious activity on their accounts in a more timely fashion which, in turn, helps your credit union mitigate losses.
3. Determine if reissue is necessary.
There is no one-size-fits-all answer to the question of reissuance, but it is a good idea to create a plan in advance to help determine when to reissue based on the severity of the compromise. During the event, credit unions should be prepared to monitor reporting, assess the number of accounts that have been breached and evaluate the demographic information of the accountholders to fully understand exposure and determine what percentage of the accounts affected by the breach are currently active. Identifying and striking a balance between the cost of reissuance versus the gross/net fraud will be important in making the decision to reissue. The chargeback process can be costly; it is sometimes more prudent to just replace a card than rely on the fact that you may be entitled to recovery. Reach out to your payments processor to utilize dedicated resources that will analyze this data for you and provide you with consultative recommendations for the best decision.
4. Notify your members.
It is important to make sure your members are aware of the breach and the possible impact on them, as well as to share what the credit union is doing to mitigate damage and keep the event from impacting their accounts. Timely communication is essential, as it will positively impact your brand image in the long term, rather than the negative implications of delayed member engagement. Utilize channels like email, online banking, your mobile app and social media to make members aware of the breach. This will also let them know what types of suspicious activity they might encounter due to the breach. Remember to be mindful of PCI-compliance regulations.
5. Educate your staff.
Your team has to know the plays! Document your breach process and ensure your staff is aware of the proper procedures so the plan will be carried out consistently and efficiently when a breach occurs. Holding a mock breach scenario for your team is recommended. Make sure key fraud-fighting personnel are continuously learning about current fraud trends and data compromises in order to have a pulse on what is happening in the world. Encourage all employees to leverage websites dedicated to fraud insights and subscribe to security-related e-newsletters. In addition, consider sending a weekly fraud trends email to staff to increase awareness of current breaches and fraud trends.
When it comes to protecting your members’ most sensitive information and your credit union’s assets, you can never be too prepared.