Why credit unions need to look at fraud differently

You know the expression “what goes around comes around” or “what was old is new again,” well the same holds true when it comes to criminal behavior and account take over fraud.  From a legal perspective ATO is the intentional deception to secure unlawful financial gain causing the loss of money or property; from your credit union members point of view it is a lack of trust and confidence in your ability to keep their personal banking information safe.

For years credit unions have relied on the face-to-face interactions with members intended to provide a world-class personal banking experience.  Historically this business model has been incredibly effective and often preferred by membership.  However, this approach may no longer hold true; we are seeing a shift in expectations and a demand for real-time convenience. Members are seeking an experience that allows them to conduct business when they want and how they want.  As the COVID 19 pandemic has played a factor in how members now interact with their credit union, the gap between traditional banks and many credit unions’ ability to provide a full suite of self-service options has become more apparent.

Does your credit union view “Fraud as a Service?”  If not, you should.  It is very important to take into consideration what your members think of when it comes to your credit union’s fraud prevention tactics? Is being a victim of fraud at your credit union an inconvenience, unpleasant, cumbersome or an unfortunate reactionary event?  What is your commitment with training your employees on fraud mitigation tactics, victim assistance, and remediation?  Are you using the latest authentication measures, are you conducting passive authentication unbeknownst to your members, are you using your data assets and transactional fraud scores powered by artificial intelligence to optimize approval rates while still detecting fraud?  What if I told you your competitors are taking advantage of your failure to improve fraud services?

Transactional fraud prevention and detection is certainly a critical tool in your arsenal designed to protect your members personal information, all data assets, your revenue and profit.  But do you have all the tools necessary to fight back against ATO attacks?  Account Takeover fraud schemes have morphed yet again into one of the greatest threats against credit unions.  Why?  Simply because large banks have invested in modern detection programs that are making it harder and more expensive for fraudsters to penetrate.

We are seeing a backwards evolution from 1.) humans to 2.) bots is once again 3.) using a hybrid of both humans and bots as part of the new ‘auto-manual’ way to conduct Account Takeover fraud. Account Takeover was either deployed manually or fraudsters used bot attacks in trying combinations of scripted username and passcodes to gain access to your members’ accounts and your profits. Once access is gained the magnitude of destruction can range from moderate to catastrophic.  As cybersecurity tools have become better at identifying bot attacks; fraudsters have been forced to re-posture attack methods which bring back the need for human involvement.  We know fraudsters gravitate towards the path of least resistance and they know that credit unions often rely on outdated prevention tactics, weak authentication measures and have a limited investment in fraud technology.  What adds to this parade of opportunity is the fact that credit unions are trying to keep up with the race to offer more robust online banking services and rolling out vulnerable digital banking mobile applications.  Taking short cuts or limiting investment in fraud business strategies, cyber technology and training has led to credit unions deploying vulnerable marketing strategies and business process flows.  The combination of human and bot style attacks has allowed fraudsters to move ten times faster with a much higher success rates to gaining account access.

So how do you protect your members and your credit union from the evolving threat of Account Takeover Fraud?  

• Understand how fraud recent attacks are evolving by staying connected to fraud forums
• Consider speaking to industry experts and consultants that specialize in fraud mitigation practices
• Know your business process end to end and know where your data resides
• Hold vendors accountable by establishing clear service level agreements that have accountability measures attached
• Consider using an outside firm to conduct a vulnerability assessment to stress test your controls
• Adopt industry best practices that allow for a well-balanced member experience
• Use data to your advantage; analytics are the telltale of your likelihood for success
• Be honest and take stock in what investments you have made in modernizing your fraud maneuvers
• Make employee training and education specific to fraud detection a priority
• Establish Key Performance Indicators (KPI’s) that will drive business decisions
• Conduct a talent assessment.  Do you have the right talent in this space available to your credit union? 
• Test the market.  When was the last time you spoke with a technology provider to shed awareness on some of the latest preventative solutions in the marketplace – this comes at no cost or commitment?
• Champion challenge your existing providers against the competition and determine if you are getting the best value for your dollar
• Don’t manage fraud at the line of business level rather take an enterprise-wide approach
• Stand up an enterprise-wide authentication strategy
• Do you have dedicated resources trained to monitor for a nefarious account take over large scale attacks; evaluating the risks associated with non-monetary transactions
• Do you know if you have “Mule” accounts in your portfolio dedicated to moving and cleaning dirty money through your credit union; ask the experts
• Have a plan and be ready to respond to emerging fraud threats like; Reward and Loyalty fraud, Chat fraud account takeover, synthetic and collusive members, prevent fraud at the relationship not account level
• Ask your members if they feel safe and if they have the confidence that you will protect their identity and finances; if not you need to act quickly
• Remain competitive by doing your best to be the best

Fraud prevention is so much more than a financial risk; it is about member trust and confidence, reputational risk, compliance risk, competitive advantage, and remaining profitable.  The one mistake that is the most common is the decision to act in response to an attack.  When it comes to fraud the best defense is offense.