Credit Unions Face Uphill Cyber Battle

Despite constant efforts by credit unions to warn and educate their members about online and mobile fraud, there are some members who are fooled by fear into a scam every day.

While the crooks know consumers are the weakest link in the cybersecurity chain, some of the technology-savvy criminals are getting in through the proverbial credit union back door. According to a study conducted by the Boston-based cybersecurity firm Black Kite, which evaluated critical security controls of 250 credit unions from all asset categories identified by the NCUA and 150 associated vendors, 86% of credit unions and 76% of vendors that serve them have breached employee credentials available on the Dark Web, and 66% of credit unions and 88% of vendors have not deployed the necessary cybersecurity configurations that can protect against attacks.

These issues create two serious challenges for credit unions.

First, in addition to suffering huge monetary losses, victimized members may be more likely to move their money elsewhere if they perceive that their ­accounts are not secure and safe, according to two recent studies.

Second, tackling consumer digital fraud and credit union technology vulnerabilities are, of course, easier-said-than-done challenges because the fraudsters are not going away and the attacks are bound to get worse, experts warned.

IT consulting firm Accenture reported in April that consumer fraud tripled in 2020 and 2021 from prior years. The report, which forecast consumer fraud rates over the next five years, showed under a best-case scenario, consumer fraud could fall to an annual growth rate of 6.8%, the pre-pandemic level. But the report’s most pessimistic scenario showed the annual growth rate of consumer fraud could be more than 22%.

Moreover, recently released reports from digital and strategy consultant Javelin, the Federal Trade Administration and technology consultant Point Predictive said consumer digital fraud spiked at alarming rates soon after the pandemic began. At that time, billions of government economic stimulus funds, unemployment insurance checks and PPP loans began to be disbursed and more consumers – many of whom were digital banking neophytes – were essentially forced to sign up for online and mobile banking to access their funds, becoming easy marks for fraudsters.

In March, Javelin reported that criminals who used victims’ information to steal money exploded in 2021 to $24 billion, a 79% increase over 2020. What’s more, the number of adults in the U.S. impacted by traditional identity fraud grew more than 50%, affecting 15 million victims. The Javelin study also found that losses from identity fraud scams, in which a fraud operator influences a victim to divulge or expose their personal information, added another $28 billion in impact, victimizing an additional 27 million U.S. adults. Taken together, identity fraud losses totaled $52 billion and affected 42 million U.S. adults.

Last year, the thieves focused on virtual attack vectors such as bots, malware and a variety of identity fraud scams, according to Javelin’s research.

And in the auto loan field, where many credit unions make their revenue, fraud increased 5% year over year to $7.7 billion in 2021, according to Point Predictive. To steal auto loans, criminals are increasingly using synthetic identity fraud – the combination of using real and phony identity information, and false employment and income information – making it far more challenging for financial institutions to detect or prevent the scheme.

Perhaps the most challenging problem relating to consumer digital scams is that they usually take busy members by surprise, filling them with panic and fear, and making them vulnerable to being victimized.

These schemes are commonly called imposter scams.

In February, the FTC released new data that showed consumers reported losing more than $5.8 billion to fraud in 2021, a whopping increase of more than 70% over the previous years. Nearly three million consumers last year reported fraud to the FTC, with imposter scams leading the way as the most commonly reported fraud.

The fraud generally begins when a member’s cell phone rings. The number that pops up on the member’s screen is their credit union’s, making them think it is an important call.

The voice on the other end sounds professional but comes with bad news: “Unfortunately, we believe your account might have been compromised by fraud and we need you to confirm your account information to stop it.”

After a rush of fear, panic and confusion from the bad news, the member nervously asks what the issue is, and before hanging up, the thief has enough of the member’s account information to steal his funds.

Similar scams are sent by thieves via texts or emails.

In March, an elaborate ruse was uncovered by the security team at the $6.4 billion Hudson Valley Credit Union in Poughkeepsie, N.Y. It immediately warned its members and alerted local media outlets, which posted articles about the scam’s details to inform their readers, listeners and viewers.

“This type of [fraud] activity we’ve seen prior to the pandemic. And we saw a little bit of an uptick in it recently, which is why we put the messages out there,” HVCU EVP and COO Tony Rohrmeier said. “The people who do this are very convincing and they are able to get the member to give up information that would alarm the average person – information like their username, their password for internet banking, their email address, their email password, their debit card number and their debit card pin. It’s amazing how these people are able to convince the member that they need this information to help them.”

Renee Hunsader, vice president of payments and controls for the $3.4 billion Elevations Credit Union in Boulder, Colo., has seen a marked increase in fraud attempts from imposter scams. But she also has seen an increase in phony romance and work-at-home schemes. Some of them are quite elaborate, presumably to build “confidence” in the victim.

“We had one person who went through several rounds of interviews with different people over Zoom,” Hunsader said. “After being offered the job, the ‘employer’ said he was going to send money so that this new hire could buy a computer and other supplies at a specific website.”

After receiving a check, the person visited the website to make the purchases, but the site was not working. The fraudster told her to Venmo money to him and he would buy the supplies and to deposit the check she received. After she sent the Venmo money, she deposited the check and it bounced.”

The member lost several thousands of dollars.

While large credit unions like HVCU and Elevations have the staff and resources to maintain and upgrade technology solutions that can thwart fraud attacks, the Black Kite report revealed troubling issues that are making credit unions vulnerable to fraudulent attacks.

Although the report said the average credit union security score equaled a “B” grade, which is a relatively good standing, the industry faces critical and highly severe issues that could lead to significant cyber and financial risk, according to Black Kite.

For example, because of outdated systems, 77% of credit unions potentially have high-severity vulnerabilities while 44% potentially have critical vulnerabilities. These antiquated systems enable attackers to compromise the system itself or associated applications.

The study’s analysis also found 66% of credit unions lack DMARC policy records, leaving the door open to spam and phishing campaigns. DMARC stands for Domain-based Message Authentication Reporting Conformance, which is used to authenticate emails and protect them from compromise.

In addition, SSL protocol ensures user information travels securely through the internet. However, for 75% of credit unions, at least one SSL certificate is invalid, incorrect, expired or self-signed. According to Black Kite, these deficiencies put the credit union and members’ credentials, financial information and other sensitive data at risk.

These digital security issues and others can have serious implications for credit unions, according to two reports.

The Consumer Banking Preferences & Behavior Report from WebStrategies, a Midlothian, Va.-based credit union marketing agency, which surveyed 500 credit union members and 500 non-credit union members, found that regardless of good rates, 60% of non-credit union member consumers under 45 will not use a financial institution with security issues.

Moreover, Entrust, a Minneapolis-based firm that delivers identities, payments and data protection solutions, conducted a survey of 1,350 consumers.

The survey showed six out of 10 consumers who were notified of fraud changed their credit union or bank.

Entrust’s survey also showed that 90% of consumers are concerned about the potential of banking and credit card fraud, according to Jenn Markey, vice president of product marketing for payments and identity at Entrust.

Of those 90% who are concerned about banking fraud, 42% of them had been notified of personal banking or credit card fraud within the past 12 months.

“The surprise was 67% of the people that had been notified of fraud changed their banking institutions as a result,” Markey said. “That is very high. That is a shock. So clearly, they were directly blaming the institution for the breach regardless of whether they had any culpability or not.”

Markey said the biggest vulnerability for credit unions and banks is that 80% are still using usernames, passwords and nearly 60% are asking security questions for account access.

The problem is that many usernames and passwords can be bought on the Dark Web; they are also stolen through various types of malware, phishing, and phone or text scams.

Implementing multifactor authentication can effectively prevent fraud, but she noted that credit unions and banks have historically been resistant to introducing multifactor authentication because of pushback from consumers who do not want to take the extra steps to gain access to their accounts.

“But what I have seen over the course of the pandemic, because more and more transactions have gone online, a lot of new accounts have been opened, new cards have been opened and the amount of fraud has gone up exponentially, banks are starting to take multifactor authentication more seriously,” Markey said.

She noted implementing two-factor authentication could enhance the financial institution’s brand and its trust among members and non-members.