Account takeover fraud, which occurs when a criminal gains unauthorized access to an account via identity theft, is growing by leaps and bounds.
It's a type of identity theft where a fraudster uses parts of the victim's identity, such as an email address, to gain access to financial accounts. The perpetrator often reroutes communication about the account, keeping the victim in the dark so the thievery can continue longer. Affected accounts can include credit cards, checking and savings accounts, brokerage accounts and store loyalty rewards accounts.
Part of the explanation for this growth is the adoption of EMV, which is leading account takeover fraud to grow even faster than payment card fraud. In addition, greater access to credit, an abundance of information, faster electronic communications and intense competition among financial institutions make it easier than ever for criminals to steal identities and falsify information.
Much like a virus reacts to a vaccine, hackers develop new ways to penetrate security systems as the old methods become ineffective. For credit unions, then, constant vigilance and intelligent surveillance are key to preventing and detecting account takeover fraud.
Reviewing and Evaluating Internal Controls
Fighting this type of fraud begins with a thorough review and evaluation of a credit union's own internal controls. A sampling – but not an exhaustive list – of important steps in maintaining top-notch internal controls follows:
- Conduct periodic surprise audits and annual reviews of procedures.
- Provide for the physical security of all checks, including cashier checks, branch checks and deposited checks.
- Provide for the temporary physical security of electronically deposited checks, including storage in a secure facility along with secured shredding.
- Ensure appropriate security is in place over signature plates, cards and software.
- Require an additional review process for all checks over a specified amount.
- Remove individuals from financial institution transaction authority immediately upon resignation or termination.
- Ensure that controls exist for the storage and destruction of all documents that contain account and other related information.
- Determine that appropriate controls are present if employees access financial and banking systems from remote sites.
- On an annual basis, request a legal review of all changes in laws regarding liability as it relates to fraudulent transactions.
Best Practices for Preventing Fraud Losses
Some best practices for fighting account takeover and other forms of fraud include:
- Strengthening verification procedures for new accounts. This should include incorporating more information into the decision process, especially for high-dollar unsecured transactions; breaking away from conventional thinking (traditional credit scoring and underwriting procedures do not identify fraudulent applications); digging deeper to verify identity beyond using Social Security numbers or other single pieces of data; and looking for and assessing the fraud potential of inconsistency among all data available, not just in address and credit bureau information (Does the phone number go with the address? Do the age and Social Security number match?).
- Strengthening verification procedures for existing accounts in online or call center transactions. Positive verification calls for comparing information provided by the consumer with a trusted third-party source, such as a consumer reporting agency.
- Using credit report data to verify name, address, phone number, Social Security number, date of birth and driver's license number. This includes both logical verification (using commercially available analysis tools to determine the consistency of information from various sources) and negative verification (checking information provided by the consumer against databases of known fraud, bad checks and government lists).
- Strengthening the notification process to the consumer for changes made to the consumer's existing accounts. Any changes made to a member's account need to be verified with the member. This can be accomplished by sending a confirmation email to the original email provided by the consumer, a follow-up letter to the original address of the consumer and a phone call to the original phone number on file.
- Establishing limits on withdrawal frequency. Limits should also be established on amounts to minimize a member's exposure to skimming and card theft.
Fighting fraud requires a true partnership between credit unions, core processors and payment services providers. By following the steps above, you have key safeguards that will help protect your credit union and your members in this atmosphere of enhanced technology – and criminality.
Caroline Willard is EVP, markets and strategy for CO-OP Financial Services. She can be reached at 800-782-9042, Ext. 5934 or [email protected].