How Navy Federal Credit Union Blunted an Unprecedented Fraud Attack

The largest CU warns more automated attacks are likely because criminals have advanced scripting and algorithmic abilities.

Fraud attacks against credit unions and banks have increased substantially, and no one knows that better than Garin Danielian, assistant vice president of fraud analytics at the $151 billion Navy Federal Credit Union in Vienna, Va.

“In the fall of 2020, we were hit with an attack that was unprecedented from our perspective. We had a seven-to-10-day period where we received as many as 2,000 fraudulent applications in an hour,” Danielian said during a Credit Union Fraud RoundTable sponsored by SentiLink last week. “We received, in that week period, an entire year’s worth of fraudulent applications compressed in seven days. As you can imagine, that put tremendous pressure on the detection analysts but also on everyone who was working on investigating cases and the people who then had to clean up 100,000 applications.”

Also participating in the roundtable was Max Blumenfeld, co-founder and COO of SentiLink in San Francisco, which specializes in ID theft and synthetic fraud solutions. Moderating the discussion was Susan Ehrlich, board member for the $30.1 billion BECU in Tukwila, Wash., who most recently served as CEO of fintech lender Earnest.

As this never-seen-before attack was occurring in 2020, Navy Federal was doing a proof-of-concept project with SentiLink, and Danielian asked for their help.

“They essentially jumped right in with us and started looking at data on our behalf and sharing insights,” he recalled. “And together we were able to blunt the attack. But it was eye opening from our perspective because we’ve never seen something automated to that extent.”

Danielian indicated automated attacks have become more common because the fraudsters have advanced their computer scripting and algorithmic abilities.

“We don’t know if it was a very advanced, sophisticated [fraud] ring. The techniques were certainly extremely sophisticated, or whether we were hit by a nation state actor, we don’t know,” he noted. “But, if it happened once, I think it’s probably on the horizon for others.”

According to a recent executive report from the Chicago-based BAI Banking Strategies, identity fraud and its various forms increased a whopping 30% to 100% in 2020. Those numbers kept climbing in 2021, and similar trends occurred in COVID-19 relief fraud, social engineering, credit fraud and other scams.

“The heavy flow of government stimulus intended to mitigate COVID-19’s impact created a larger opportunity set for crime, while the many millions of digital-banking novices created new possibilities for both clever and workaday crooks,” noted the BAI report, which took an in-depth look at how financial institutions can stem the growth of fraud.

Garin pointed out that legacy systems for Know Your Customer and CIP (Customer Identification Program) are no longer up to the task. Historically, Navy Federal looked at several points of information to validate that someone is who they say they are. But so much Personal Identifying Information (PII) is now available – both real and synthetic – that the credit union was compelled to leverage newer, more effective and more dynamic techniques.

“You have to use the information from each different control gate to make an informed decision in the end,” he explained. “And so we’re really focusing on bringing our systems together, using data to make a holistic decision so that everything isn’t a binary choice. By the time you get to that lending app, after you joined [and] after we’ve scrubbed you, we want to make sure that that’s the most important decision we can have.”

Fraudsters are aware that financial institutions typically rely on name, date of birth, Social Security number and address to secure accounts.

“That’s the biggest thing that we’ve seen – the rise in fraud that specifically checks the exact boxes that institutions have historically looked for,” Blumenfeld said. “There’s a lot more relevant context in phones or email addresses. It’s really just a function of how the institution contacts customers. That’s where all the valuable fraud data ends up being.”

Garin agreed, noting that the mobile phone is the new wallet.

“Gathering intelligence about the device, gathering intelligence about the email address used is critical to making an informed decision,” he said. “People aren’t going into branches as much to join, so [there are] a lot more digital only applications. So you’ve got to be able to evaluate the known points of data beyond just my PII. What’s my device’s reputation? What’s my email address’ reputation? Are they both brand new? Have they ever been seen in the ecosystem? These things feed into your decisioning and your models so that you have a much more robust pool to draw on when you want to score and decision things.”

Garin said Navy Federal has invested heavily in machine learning capabilities, developed both by the credit union and through vendors, to identify suspicious applications, but it also has a remediation path so that members whose applications were initially flagged as suspicious can get through the process.

Blumenfeld suggested credit unions can reduce friction in the process by sending a one-time passcode to the member’s phone number, and in high-risk instances, asking for a government-issued ID seems appropriate.

“It helps in fraud reduction and is actually improving the member experience for onboarding where historically things have been heavy handed and don’t need to be nearly as heavy handed,” he said.

Over the last 120 days, Navy Federal has seen a ramp-up in fraudsters who are deceiving and scamming members, and it expects to see more of this fraud throughout 2022.

“The prototypical scheme is a combination of some PII – maybe an account takeover and some social engineering,” Danielian said. “I’m sure everyone has gotten messages from their institution saying, ‘Hey, don’t give your one-time password to anyone.’ And we do the same. But we’ve had a fairly significant increase in attempts and some success, unfortunately, in the fraudsters [social] engineering our members into approving transfers or moving money. And this is new.”

In another scam, members think they are talking on the phone to someone from Amazon, Danielian said. But that someone is a fraudster who tells the member there is a problem with their account and instructs them to take certain steps to fix it.

“Next thing you know their account with us is missing money. And so we’re very much focused on how we detect these [scams] and it requires a new approach,” he said. “It requires behavioral analytics. Is the way the fraudster is conducting his transaction, does it match what my members are usually doing?” Danielian indicated Navy Federal is working on a solution to help detect this type of fraud.

Blumenfeld said he also expects to see a pretty big increase in ACH fraud.

“It’s all going to be tied back to all of these DDA accounts that had been tied to stealing unemployment benefits,” he said. “The government was the victim before, but that faucet has closed, and the financial institutions themselves are going to end up seeing the brunt of this because fraudsters still control millions of accounts in the names of victims.”