America's Credit Unions
America's Credit Unions is a weekly podcast featuring credit union people and credit union ideas.
Sponsored: The fraud arms race
It’s hard to stay ahead of fraudsters. Credit unions can renew their security measures and fraud education, but fraudsters find a way.
Envisant President/CEO Libby Calderone joined the CUNA News Podcast to share how the credit union service organization (CUSO) is helping credit unions through the fraud arms race. Calderone and CUNA Digital Media Design Specialist Yeekeng Yang discuss trending fraud attacks, how credit unions can combat them, and more.
Yeekeng: This podcast is sponsored by Envisant, a credit union service organization that helps credit unions across all 50 states achieve their vision. Envisant brings over 50 years of experience and expertise to all areas of credit union service. With a forward-thinking product strategy featuring credit and debit programs, prepaid debit cards, portfolio development, consulting collections, and ATM services, Envisant delivers a unique customer experience, coined the Envisant difference, to each of its credit union partners.
Welcome back to the CUNA News Podcast. I'm Yeekeng Yang, Digital Media Design Specialist at CUNA. Fraud is an ever going arms race. Whenever new security measures are put in place, fraudsters somehow always find a way. But don't worry, Envisant and its President and COO, Libby Calderone, are here to help.
Libby is a Credit Union veteran dedicated to the movement and its members, and on this podcast, she covers topics including trending types of fraud attacks, how credit unions can combat them, and how the Envisant difference is leading the charge in the fraud arms race. Here's Libby Calderone.
Yeekeng: Hi Libby, welcome to the CUNA News Podcast. Why don't we start with introducing yourself to the audience, telling you who you are and what you do at Envisant.
Libby: Excellent. Well, it's great to be here. My name is Libby Calderone. I am the president of Envisant. We are a CUSO owned by the Illinois Credit Union League. We provide credit union-related services to nearly 1,900 credit unions across the United States, primarily in the payment space, focusing on debit, credit, prepaid, card services, but we also like to dabble in some other areas as well.
We've made some investments in some various technologies over the last few years, a FinTech company we've invested in. We've recently invested in another company that provides some middleware between cores and solutions. So, you know, we like to dabble in ways to really help credit unions compete and be successful out there in the marketplace.
Yeekeng: Great. So our conversation today is going to be very fraud heavy. So what is account takeover fraud?
Libby: Yeah, we see lots of fraud, we, given that we work in the, the credit and debit card space so much. So fraud is something that we live and breathe every day. And account takeover is a form of identity theft. So think of it basically just like it says, account takeover. Someone comes in and takes over your account by getting your credentials. And it could be your login credentials, and they can get those in various ways. Most often though, people just kind of give them away, via phishing or smishing or vishing, but, you know, the average person in some way, shape or form ends up giving their credentials away.
Then a fraudster can log in and take over your account. What they often like to do is change terms of your account: they might change your cell phone number, they might add travel privileges to the account, change the email address. That allows them, the fraud, to continue a little bit longer because it becomes harder to detect. So, you know, that's really the, the gist of it, just like it says, account takeover. They come in, they take over your account and sadly end up taking all your money too.
Yeekeng: And you probably touched upon this in your last answer here, but how does account takeover, how does that occur?
Libby: I'll give an example of, of a way, so let's say you get a, a text message that says, you know, the, a common package delivery and who doesn't get packages delivered to their homes every day in this, these days of Amazon and online shopping? And you might get a text message that, hey, we're having a problem delivering your package.
Click this link to help us deliver it. You'll click it and they'll say, you know, we're short. Maybe part of the premise is we're short of payment for the package to be delivered to you. You need to pay a few dollars. Enter your, your cardholder credentials and you'll enter those credentials.
And now all of a sudden they've got information about your account because you entered your credentials. So that's one example. That's a smishing example. Um, there's phishing. Perhaps, maybe he's heard of phishing. Uh, you get an email sent to you, and maybe it has a link within that email, you click that link, it may have a key, keystroke logger software embedded in it, a malware that gets added onto your computer, and then the next time you log into your online banking, your credentials have been stolen via that keystroke logger. So, just, there are a host of different ways that they can get a hold of your credentials. They can buy them on the dark web as well. It's a lot of different ways that the bad guy can get a hold of your credentials. You want to keep those credentials safe and secure.
Have complex passwords, to help eliminate some of that.
Yeekeng: Yeah, and you did touch upon it in the, in what you just said, so what should a credit union do to prevent this type of attack?
Libby: Well, really the credit union needs to educate their member. That's the number one line. Letting their members know that, you know, these, these bad guys are out there. They're trying to get a hold of your credentials in different ways. And so, you know, things as simple as having a banner on your website that says, you know, the credit union will never ask you for your, your password or your logon user ID.
Don't ever give that up to anybody. Having that on your on hold messages, printed on anything that you display or give to your members, remind them regularly about the importance of protecting their credentials. I've heard of some credit unions have... They've had some webinars where they talk about various fraud techniques. They've recorded videos, have that available on their websites. Just education, continually educating and reminding your members that bad guys are out there and are trying to get a hold of your credentials. So that's probably the easiest way to prevent account takeovers.
Yeekeng: So it seems that a BIN attack is one of these types of attacks. What can a credit union look for to prevent it?
Libby: So in a BIN attack, that's where, you guys have, have intercepted a POS system or some sort of merchant system and they're going to use that now to send authorizations through and attack your BIN at the credit union level. So you know, your, your section of cards, be it debit or credit cards.
And they're going to send through lots of little transactions. So small dollar transactions trying to get authorizations to determine that the cards, the cardholder numbers that they're sending are in fact valid cards. So they'll send through, you'll see in your reports, then your authorization reports at the credit union level, you'll see literally thousands of these transactions trying to come through, often from the same merchant, usually a dollar, sometimes under a dollar, but that, that's a BIN attack. And when you see that happening, it happens really fast. You know, just as... a lot over three day weekends. That seems to be when the fraudsters to, to do things. And so you'll, you'll, you need to look at your authorization reports then to review and see if you're having any of these BIN attacks happening so that you can shut them down.
Now most, most transactions will be declined. Maybe they'll have lists of, of cards that aren't, it's not valid anymore, but every once in a while, they'll get a valid authorization. And if you happen to ping upon that or you see that during your review of your authorization reports, you'll need to shut those cards down because once they know they have a valid card number, then they're going to sell that card number and the fraudsters are going to use it to commit some fraud.
Yeekeng: Yeah, so you talked about BIN and phishing. Are there any other trending types of fraud that we should be on the lookout for?
Libby: Oh, you know, there's always so much fraud happening out there. And really an age old one that we're starting to hear about now, but it's been around forever, is check fraud. Fashion check fraud where, uh, the bad guys are recreating checks. We're hearing a lot of stories where they're breaking into post office boxes and stealing legitimate checks that are within there.
Once they've got those, they can wash those checks and alter them, submit them for deposit. They can make new checks using the maker line data from the checks that they've stolen. So you know, just good old fashioned check fraud is up like a hundred percent year over year and a lot of credit unions now are starting to see that.
So, and I'm not surprised by it, because a lot of techniques and, and security has been put into card transactions to try to reduce those and eliminate those, be it tokenization, you know, just various card controls that are out there. So, you know, the, the consumer's trying to limit the, the fraud that can happen on the card side.
Well, the bad guy needs to find something else to attack. And so they're going back to just good old fashioned checks.
Yeekeng: Yeah, that totally makes sense. I was going to ask like, why, why checks? Why now? But it does make sense that, you know, we haven't, a lot of people don't use checks a lot anymore. So that's kind of like we've, you know, let our guard down around security around that. So that, that definitely makes sense.
Libby: Yeah, we have, and are, and are people then watching checks that are clearing their accounts? You know, are they taking a look and seeing what activity is happening in their accounts? And you might not have alerts set up for checks that are trying to clear your accounts, whereas for your card transactions, you know, hopefully you as a consumer have set up alerts so that every time something tries to happen on my card, I'm getting some sort of alert on my phone, be it a text message or an email, and so I'm paying attention to that, but you might not be paying as close of attention to what's happening with your checking account and seeing if what's clearing there.
Yeekeng: So can you explain synthetic identity fraud?
Libby: So synthetic identity fraud, a little bit different here. So in this, it's an identity theft where it's got components of actual real people within it combined with fraudulent information. An example of that might be using a child's social security number and then combining it with a different address, saying a different age, but creating a synthetic or a fake identity. I read a statistic and I found it alarming from, from a company that analyzed this information where they said they think one to three percent of checking accounts that are opened in financial institutions are synthetic accounts. And in fact, aren't even real people. They're fake accounts.
And the synthetic fraudster is in it for the long haul. So they'll set up this synthetic identity at a financial institution and then they'll start to do just regular normal transactions. You know, they'll have, they'll get a, maybe a credit card with a small limit, a secured credit card. They'll make payments on it.
It'll have a good credit history and then they'll request... fraudster will do what they call bust out and they'll, they'll do the big transaction. You know, they'll max out the they'll make a payment and then releasing, then spending on the card, they'll make another transaction with the card, make another payment.
And they'll do this in just a couple of days. And then they'll disappear. The payments will be returned. And so, in fact, the credit, you know, what was maybe a 5,000 credit limit could blow up to 25,000 and the fraudster's long gone because they've created this synthetic identity and they've, they've busted out now.
So it's an interesting problem that's out there and it's, it's certainly on the rise, dramatic increases in synthetic identity theft over the last few years.
Yeekeng: Is there like a pattern on what to look for if an account is a synthetic account?
Libby: You know, what a credit union will want to do, just at the beginning of the account opening process, is make sure that they've got really robust identity verification processes in place. You know, take a look at reports, subscribe to various services that provide ID verifications. Sometimes, you know, using this, small dollar transactions to verify the validity of an account, if you're funding one account with another account, that will help address those issues. You just really need to be very careful at the account opening process and then, you know, for new accounts, be really careful about what levels of activity you allow new accounts to do. Don't be afraid to put some limits in place if you don't know the account applicant, not the fraudster at that point.
Yeekeng: So how can credit unions educate their members about fraud?
Libby: Well, again, it just comes down to regular education, you know, and all the different methods that credit unions are going to communicate with their members about any products that they offer, providing robust education about fraud is just as important about talking about all the other products that a credit union may, might offer. You know, members are so susceptible to it in all aspects of their life that it's just really incumbent upon the credit union to provide that, and that's part of financial literacy that we can give to members is, is helping them understand that fraud does exist out there. We've, we've talked about different ways they could do that on their websites.
They could do mailings to members, host webinars, have videos on their sites, maybe regular email communications, the fraud tip of the week, for example, you know, and email that out to their members. Just various different ways that, they just need to be in regular communication, though, and make sure that their staff is trained as well.
You've got to have your staff knowledgeable about all these fraud techniques, so that when they see things that seem suspicious, that they can stop them as well with their members right away.
Yeekeng: And I think you touched upon this a bit already, but are there any other best practices credit unions should consider in combating fraud?
Libby: Well, you know, having as many layers of security as possible, that's going to be helpful. Anytime you can employ multi-factor authentication or OTP biometric identification for your online banking or for your cards, that will be helpful, because that's just one more layer of security. Credit unions should pay attention to how they have their programs set up. You know, look at their parameters. Do they have limits for dollar spends? Do they have velocity limits in place? We had a credit union just, one of our credit unions over the weekend, didn't want to have dollar limits out there, because they had a few members who wanted to be able to, you know, maybe spend 5,000 at a time on a transaction. And so they didn't have dollar limits in place. And we saw them get hit with some fraud over the weekend. And the fraudsters, you know, did 5, 10 transactions at their dollar limits, because they didn't have those limits in place.
So, velocity and dollar spend limits are helpful. Check your fallback transaction limits as well, so that if a card has to go into a fallback mode, meaning it's not using its normal authentication testing, that it will actually use, limit your fallback amounts to small dollar amounts and make sure you have something in place for that, or don't even allow fallback.
Work your reports. It's something as simple as really working your daily reports that you get. Look at your authorization reports. Are there strange things coming through? Are you seeing massive amounts of authorizations trying to come through for small dollar amounts, which could indicate a BIN attack is happening? Cardholder data changes, i.e., if a cardholder has changed their, their address recently. Take a look at that information as well, because that's often what a fraudster will do on an account takeover. They're going to call in and try to change some of those basic demographic information.
So, review your reports, and then if you do have fraud, make sure that you're working your chargeback rights aggressively. Oftentimes, you have chargeback rights and make sure that you're completing all that paperwork and submitting it on a timely basis and meeting all the required parameters for that so that you get your chargebacks wherever possible.
Sometimes we see credit unions just aren't as aggressive in that as they should be and they end up not meeting the chargeback timing criteria.
Yeekeng: Alright, so some listeners may have heard about the Envisant Difference, your hands on approach to helping your credit union partners thrive. How does this translate into your fraud department?
Libby: Well, because we have, you know, several hundred credit unions that we do debit and credit processing for every day. We're able to aggregate all of their data together and, and take a look at for trends. We can find common points of compromise when we see fraud happen. With one credit union, oftentimes it's happening somewhere else as well.
So we can point that out. We can look across our, all of our data that's happening and alert those credit unions before they might not even know it, that, that fraud is in fact happening. So we're mining that data from all the authorization reports. We help our credit unions write rules so that if they do see some fraud happening, we'll proactively in real time write rules to stop fraud. And then again, we can share with our other credit unions because they may have the same, very same situations arising. So if we see a, maybe a merchant that's got tests off, we can write rules to, you know, from that certain merchant. So that's another way that we can help them as well. And then we help with chargeback. We make sure, just provide counsel and advice on the best ways to do things. We help them set up all the parameters that I talked about. So making sure that you have the proper velocity and dollar limits in place. We help with that every day as well. So it really just comes down to, because we have so many credit unions that we work with, we have a vast amount of experience to tie together and then we're able to share that expertise that we gain to all of our credit unions, not just to a single one. So they don't have to solve their problems on their own. We're there to help them solve those problems.
Yeekeng: And can you speak to the experience of your team? What advantage does that present for credit unions who work with you?
Libby: Well, we have years of experience. I mean, a couple of our employees have 25 plus years of experience in the fraud realm. You know, our employees that are with us have been here a long time. We have over 500 years of experience in our fraud department and our customer service department. So, adding all that up really helps over time.
It's certainly not experience you can get on your own, and they've seen a few things. You know, chances are if your credit union is experiencing it, we've seen it in another credit union too, and so just those years of experience help. And the fact that we process on several different platforms, not just one platform.
We're across three different processors with multiple platforms within that. So we're very familiar with all the fraud controls that exist on all these different platforms and we're able to counsel and help credit unions set up best practices for themselves on the different platforms.
Yeekeng: Great. Was there anything else you'd like to add? Anything you want to close on?
Libby: You know, we always talk about fraud that we want to stay just one step behind the fraudsters because we know that we just can't seem to get ahead of them. And it's hard to stay even. And so what we look at is if, you know, the first fraud happens, we want to stop the second instance of it. And so we're paying attention to reports and data so that we can, in fact, do that for our credit unions. And one of the things that we're, I think, really proud of at Envisant is that our, our fraud team. Thank you.
Uh, I guess I'd like to think that our team is doing a really great job for our credit unions in helping reduce the fraud for the credit unions and ultimately for the credit union members. So, having fraud and having identity theft or anything like that is a real problem. It's a real troubling thing for a member to experience, so the more we can do to reduce that for our members, the better our credit unions all will be, so we're real proud of our ability to help our credit unions do that.
This podcast is sponsored by Envisant.
Envisant combines incomparable expertise and genuine caring to bring credit unions, counsel products and services that help them see success.