Why Credit Unions Must Root Out Non-Monetary ATO Schemes at Three Levels

Fraudsters do not have discriminating tastes. When it comes to setting up their account takeover (ATO) schemes, they’ll try to hack into accounts at any institution, anywhere. Their tools are technologically robust; their obvious success is measurable in terms of victims, financial losses and reputational damage.

To launch a solid defense, credit unions must battle ATO on multiple fronts. Specifically, they must have controls and systems to detect common ATO schemes, variations on those schemes, and emerging threats from well-organized fraud rings.

Level #1: Common ATO Schemes

Amid the many complex ATO schemes, the classic scheme is still alive and well. Fraudsters use ill-gotten credentials to access members’ accounts and change the mailing addresses. Next, they order new debit and credit cards that will be used to drain the accounts and run up credit balances.

This scheme is relatively slow-moving but effective. Massive data breaches and credential spills have made it easier for fraudsters to sail past security questions and traditional ID verification solutions. If the credit union is manually reviewing address changes and mailing letters to verify, there’s a slim chance of stopping this common scheme before it’s too late.

Fortunately, many credit unions have adopted systems that combine predictive data, sophisticated analytics, the institution’s decisioning rules and risk tolerance to predict the likelihood of an ATO setup.

Consider this example: Your member John Smith changed his address from Littleton, Colo., to South Miami, Fla. He’s 70 years old – perhaps the lucky fellow is retiring to the sun and surf. John correctly answered the questions about his favorite teacher, pet and vacation spot, so nothing about the address change looks suspicious – until the fraud score is delivered.

The fraud-detection system identified the new address as a check-cashing facility. Since the system also accesses shared network data (e.g. ChexSystems), you see that there’s high velocity on the address as well. The same South Miami address appeared at five other financial institutions in the past three days.

Common ATO schemes like this one are expected to continue. To combat them, keep your strategy relevant by evaluating and updating any rules you use to supplement the fraud models. Additionally, keep your internal hot list of suspicious addresses up to date and fully integrated with your fraud-scoring solution.

Level #2: New ATO Variants

Fraudsters will make subtle changes to their schemes in order to avoid being detected by existing controls. For example, when digital banking adoption accelerated, ATO schemes began including additional communication channels.

These days, it’s not uncommon for a fraudster to change their victim’s contact information in quick succession, like changing the address on Sunday, email on Monday and phone number on Tuesday.

Having successfully made these changes, the fraudster gains full control of the victim’s account and uses a digital payment method to make a large withdrawal. This transaction will be flagged as suspicious by the credit union’s internal monetary controls, but when the investigator emails or calls to verify the legitimacy of the transaction, they don’t reach the member. Instead they reach the fraudster on the newly-changed phone number or email. And the fraudster responds, “Of course I meant to transfer that $40,000!”

To identify variants on the common ATO scheme, credit unions should have a method for screening every profile change (non-monetary event) singularly as well as in combination with other identity data to illuminate out-of-pattern behavior. Changes deemed suspicious should be automatically placed into the investigative queue.

Level #3: Emerging Fraud Rings and Schemes

To connect the dots that reveal fraud rings and complex ATO schemes, it takes a holistic data science approach based on a vast network of shared financial institution data.

In this approach, a fraud-detection platform applies sophisticated machine learning and analytical tools to draw inferences and deep connections among millions of seemingly unrelated data elements. Unsupervised anomaly detection is used to discover the emerging patterns and groupings of data that could represent ATO set-up activity.

Our own platform recently discovered that across multiple institutions, there were 17 unique individuals, with different names and former addresses, who had supposedly changed their addresses to the same apartment complex (but not the same unit number) in Los Angeles. They also changed their cell phone numbers, and about half of the new numbers were for the same burner phone. There were also 17 email address changes. Across all the datasets, none of the email addresses had ever been seen before.

All of these the individual cases were flagged as being highly suspicious and worthy of immediate investigation.

Why Everybody Wants – and Needs – a Fraud-Detection Platform

Credit unions have learned to appreciate platforms for the ease at which they allow the institution to roll out new services and solutions without requiring huge IT projects or dollars. Increasingly, financial institutions are looking for platform-based fraud-detection solutions that connect with their member database via API or a core processor relationship.

Platform-based solutions for ATO run silently behind the scenes, springing into action when there’s a change to a member address, email or phone number. The solution examines, analyzes and scores the change request and delivers it to a case-management system within seconds.

The most efficient and effective platform-based ATO solutions will be able to screen across:

• A shared network of FI data – to see velocity and fraud-ring behavior;
• Branch, call center and digital channels – to detect cross-channel attacks; and
• Large datasets of identity information – to reduce false positives that create member friction.

Credit unions should also have an ATO solution that is easily configurable to their specific situations. There shouldn’t be limits as to how or how often an institution can alter its decision rules or risk tolerance. Fraudsters are continuously evolving their ATO strategies. Credit unions must have the same flexibility to ensure that their detection approaches are evolving.

Fraudsters gravitate toward the path of least resistance – whether it’s a bank or a credit union. Institutions that are not rooting out non-monetary ATO schemes at three levels (common, variants and emerging) risk becoming the easy targets for criminal activity.

Jack Sundstrom is Chief Product and Marketing Officer for ID Insight in Minneapolis, Minn.