Editor’s Note: This post previously ran on June 2, 2016.
It’s not new, but it’s growing in leaps and bounds. Account takeover fraud – which occurs when a criminal gains unauthorized access to an account via identity theft – is expanding geometrically, according to an analysis by a major Canadian cybersecurity company.
Even back in November 2015, British Columbia-based NuData Security was reporting that between May-June 2015, nearly half a billion “aged” accounts were flagged with potential fraud, up 28 percent from the first quarter of 2015. “This highlights the growing value fraudsters are seeing in using aged accounts in an effort to circumvent traditional fraud detection systems that place a level of trust in an aged authenticated account,” wrote Ryan Wilk, the company’s Vice President for Customer Success, in The Social Media Monthly.
Aged or new, account takeover is a type of identity theft where a fraudster uses parts of the victim’s identity such as an email address to gain access to financial accounts. The perpetrator often reroutes communication about the account, keeping the victim in the dark so the thievery can continue longer. Affected accounts can include credit cards, checking and savings accounts, brokerage accounts and store loyalty rewards accounts.
With the adoption of EMV, credit card fraud is being dropped in favor of account takeover fraud. “Instead of merely stealing your credit card number, today’s fraudsters are moving to full-blown account takeover, partly to thwart EMV chip-card technology but mainly to maximize their return on investment,” CreditCards.com reported, based on an August 2015 NuData study.
Insidious White Collar Crime
Financial fraud is one of America’s largest growth industries. In addition, the Federal Trade Commission states that identity theft is escalating at 40 percent a year and is particularly problematic compared with more traditional forms of financial fraud.
The U.S. Department of Justice calls identity theft “one of the most insidious forms of white collar crime.” Identity theft tends to be more damaging to both consumers and institutions. It typically results in multiple instances of fraud, which are often of higher dollar value than other types of fraud, according to the Federal Bureau of Investigation.
Greater access to credit, an abundance of information, faster electronic communications and intense competition among financial institutions make it easier than ever for criminals to steal identities and falsify information.
Much like a virus reacts to a vaccine, hackers develop new ways to penetrate security systems as the old methods become ineffective.
For credit unions, then, constant vigilance and intelligent surveillance are key to preventing and detecting account takeover fraud.
Reviewing and Evaluating Internal Controls
A sampling – but not an exhaustive list – of important internal controls include:
- Conduct periodic surprise audits and annual reviews of procedures.
- Provide for the physical security of all checks, including cashier checks, branch checks and deposited checks.
- Provide for the temporary physical security of electronically deposited checks, including storage in a secure facility along with secured shredding.
- Ensure appropriate security is in place over signature plates, cards and software.
- Require an additional review process for all checks over a specified amount.
- Remove individuals from financial institution transaction authority immediately upon resignation or termination.
- Ensure that controls exist for the storage and destruction of all documents that contain account and other related information.
- Determine that appropriate controls are present if employees access financial and banking systems from remote sites.
- On an annual basis, request a legal review of all changes in laws regarding liability as it relates to fraudulent transactions.
Best Practices for Preventing Fraud Losses
Some best practices for fighting account takeover and other forms of fraud include:
Strengthen verification procedures for new accounts. This should include, incorporate more information into the decision process, especially for high-dollar unsecured transactions; break away from conventional thinking (traditional credit scoring and underwriting procedures do not identify fraudulent applications); dig deeper to verify identify beyond using Social Security numbers or other single pieces of data; and look for and assess the fraud potential of inconsistency among all data available, not just in address and credit bureau information (Does the phone number go with the address? Do the age and Social Security number match?)
Strengthen verification procedures for existing accounts in online or call center transactions. Positive verification calls for comparing information provided by the consumer with a trusted third-party source, such as a consumer reporting agency.
Use credit report data to verify name, address, phone number, Social Security number, date of birth and driver’s license number. This includes both “logical verification” (using commercially available analysis tools to determine the consistency of information from various sources) and “negative verification” (checking information provided by the consumer against databases of known fraud, bad checks and government lists).
Strengthen the notification process to the consumer for changes made to the consumers’ existing accounts. Any changes made to a member’s account need to be verified with the member. This can be accomplished by sending a confirmation email to the original email provided by the consumer, a follow-up letter to the original address of the consumer and a phone call to the original phone number on file.
Fighting fraud requires a true partnership between the core processor, credit unions and CO-OP Financial Services. By following the steps above, you have key safeguards that will help protect your credit union and your members in this atmosphere of enhanced technology – and criminality.
Register for the upcoming October 20 Live FraudBuzz Webinar, “Ransomware Threats + Monthly Fraud Roundup,” hosted by Fraud Expert, John Buzzard – our monthly webinar series dedicated to staying ahead of the ever-evolving fraud game.