Criminals With Stolen PII Can Do Major Harm to Credit Unions

While the majority of fraud incidents occur outside of banks and credit unions, financial institutions bear the brunt of the negative impacts of fraud – including a decline in lending opportunities and member loyalty.

That was one of the key takeaways from a Wednesday webinar, “Mitigating Fraud & Protecting Account Holders,” presented by partner fraud detection and prevention companies Sontiq and Breach Clarity. Less than 5% of all breaches occur at a bank or credit union, but over 50% of all fraud losses are incurred by banks and credit unions, according to the two organizations.

Fraud can lead to lower credit scores and other hits to targeted consumers’ financial health, which in turn can hurt credit unions’ chances of providing them with loans and other services, the organizations emphasized. And, since consumers tend to count on their financial institutions to keep their assets secure, they’re likely to blame the institution for any personal financial losses even if the fraud did not originate at the institution. Citing Carnegie Mellon University, Sontiq and Breach Clarity said 28% of account holders leave their financial institution within six months of a fraud incident.

The fastest-growing type of financial crime in the U.S. – and hardest to detect among vulnerable groups like children and seniors because of a lack of credit report and identity risk monitoring – is synthetic fraud, the companies said. This involves criminals combining real elements of an individual’s personal identifiable information with made-up PII to create a new, false identity and use it to open accounts. Jim Van Dyke, CEO and co-founder for Breach Clarity, said it’s important to remember that although fake PII and sometimes PII belonging to deceased individuals is used in synthetic fraud, “it’s still about real, alive people and their ID credentials.”

Other types of fraud that are causing alarm include remote access, a social engineering attack in which criminals convince device users to give them remote access to the device; installation of malware, malicious software designed to damage a device, network or server; and credential stuffing, an automated attack in which the same email and password combination is entered on thousands of sites.

Of all the types of identity crimes that can be committed using stolen data, existing card fraud and existing non-card fraud (account takeovers) make up the majority of identity fraud and are most likely to lead to the victim leaving their financial institution, Van Dyke said. He also noted that the commonly-shared notion that everyone’s data is already “out there” in the hands of criminals is “absolutely not true.” “Criminals have plenty of data left to steal,” he said.

Small businesses continue to be prime targets for data thieves, Sontiq and Breach Clarity said, with attacks costing small businesses over $200,000 per incident. “Fraud can put small businesses out of business,” Van Dyke said. “They’re viewed as easy targets.”

In a December 2020 Sontiq white paper shared with webinar attendees, “The Impact of Data Breaches & Cyber Threats on Banks and Credit Unions,” the company shared five ways for financial institutions to protect their consumer and business customers and members:

1. Encourage individuals to request a free annual credit report and monitor their credit card activity and bank statements to ensure their personal information is not being used. Business owners should monitor their business credit profiles to see that no unexpected business loans or lines of credit have been opened in their name.
2. Refer victims of identity theft to the Federal Trade Commission to create an Identity Theft Report (individuals) or to Dun & Bradstreet and the IRS to report fraudulent activity (businesses).
3. Prevent criminal activity by activating an extended fraud alert on a person or business’s credit file, which requires verification before credit can be extended, or a credit freeze, which prevents creditors from accessing the credit file.
4. Recommend individuals and businesses file their taxes early, which protects them from identity thieves who may attempt to file for them and collect their tax refunds.
5. Help customers or members verify that their Social Security number is not being used fraudulently in regard to their earnings, which could result in them being responsible for taxes on wages they did not earn, by requesting a copy of their wage-earning report from the Social Security Administration.