Separating the ‘Cyber’ From Cybersecurity

Are CUs so focused on cybersecurity that they’re taking their eyes off the ball when it comes to new fraud trends?

It’s no surprise that placing the word “cyber” ahead of words like “security,” “attack” and “crime” often elicits a response of increased alarm. Sure, an in-person attack can be violent and gruesome, but a cyberattack is initiated by a person or group of people you can’t see and can wipe away scores of personal data, potentially leaving victims to pay the price financially and emotionally for years to come. And while there are physical limitations to crimes that occur offline, cybercriminals are only limited by the scope of cyberspace. They’re constantly inventing new, sophisticated ways to gain entry to systems and staying one step ahead of even the most experienced technology professionals.

So it’s no surprise that credit unions would want to direct an ample amount of resources toward things like firewalls, anti-virus software, and teaching employees how to spot suspicious links and avoid falling for social engineering schemes. With all the success cybercriminals have been enjoying lately hacking into the systems of seemingly secure organizations, credit unions shouldn’t have to worry about people hunting through their members’ snail mail with the goal of stealing money, right?

Maybe not so much. Some old-fashioned forms of fraud seem to be making a comeback, and it’s raised a question: Are credit unions so focused on cybersecurity that they’re taking their eyes off the ball when it comes to keeping their members, their employees and their own institution safe?

Comments made by two sources I spoke to for the cybersecurity feature story in the June print issue led this question to pop into my head. When asked if his credit union had experienced any major cyberattacks in recent years, David Green, president/CEO for 1st Northern California Credit Union ($861 million, Martinez, Calif.), said it had not, but shared that the contents of his supervisory committee’s mailbox at the local post office were stolen last year. And an interview with Alan Ropes, president/CEO of the information security CUSO VyFi, which I set up with the intention of focusing fully on cybersecurity, steered toward the general concept of “security” when he framed cybersecurity as part of a security continuum. Ropes acknowledged that the use of the word “cyber” can encourage credit union leaders to take much-needed action, however. “If the NCUA says it has a new cyber policy, every CEO will pay attention to that and ask their IT guy, ‘Are we covered? Are we taking care of this?’ because it’s cyber. And I give the NCUA credit because by putting the word cyber on it, they elevate the importance in the eyes of the beholder.”

What’s more, numerous news reports have indicated a dramatic rise in check fraud. A June 12 Associated Press article advised consumers to stop sending paper checks through the mail, with the Financial Crimes Enforcement Network recording about 680,000 bank-reported check fraud incidents in 2022 (up from 350,000 in 2021), and the U.S. Postal Inspection Service reporting double the number of mail theft complaints in 2021 compared to 2020.

Despite an overall reduction in check usage in recent years, criminals have begun running complex operations to steal checks via the U.S. mail, which involve multiple people who target post office distribution centers, set up fake businesses and IDs to deposit stolen checks, and are employed as “walkers” trained to convince financial institution branch tellers to cash the checks, according to the AP article.

Anecdotally, two recent incidents targeting members of my family raised my own personal alarm bells when it comes to this type of fraud. After paying a home improvement contractor by check in person earlier this year, one of my uncles received an alert from his bank that someone had cashed a check originating from his account for around $30,000; since his payment to the contractor was for a much smaller amount, either his check had been doctored or his information had been stolen off the check. And just a few weeks ago, every mailbox on the street where my parents live (outside of Portland, Ore.) was opened and rummaged through (thankfully, theirs was empty at the time).

In an op-ed for the June print issue, Al Pascual, a fraud expert with TransUnion, warned credit unions about the growing risk of check fraud. “With effective new schemes, cybercriminals have found ways to make check fraud more profitable than ever – meaning preventative efforts are worth even more to credit unions and their members,” he wrote, noting a reduction in human check verification measures, fraudsters’ ability to source checks along with unlawfully obtained information about account balances and the relative ease of opening a drop account at a credit union as reasons for the uptick.

“Particularly to stay in line with digital-first challengers, credit unions have worked hard to make the account opening process simple. As a result, the identity verification standards for new accounts are typically very low, making it easy for scammers to set up drop accounts at credit unions. Then, remote deposit makes a subsequently deposited altered or forged check harder to detect,” according to Pascual.

Like cargo pants, crop tops and bucket hats, fraud appears to be following the lead of fashion trends from decades ago that we thought we were done with but have suddenly reappeared everywhere.

I bring up the resurgence of old-school check fraud not to detract from the ever-present threat of attacks carried out solely or in part on the internet. We’re reminded of those every day, the most recent being the MOVEit cyberattack that reportedly swiped millions of names, addresses and Social Security numbers belonging to residents of Oregon and Louisiana via a hack of software at those states’ transportation agencies.

But the growing trend of non-internet-based fraud is a reminder to expect the unexpected, stay on top of the latest threats and tweak your credit union’s security strategies accordingly – for example by updating employee and member educational materials to reflect the latest trends, and offering identity theft detection and recovery services.

And, if you’re thinking of retiring that annual community shred day event, now is probably not the time.

Natasha Chilingerian

Natasha Chilingerian is executive editor for CU Times. She can be reached at nchilingerian@cutimes.com.