Fraud for today’s credit union has become a significant area to monitor. According to the Institute of Internal Auditors’ 2013 study Current Trends in Financial Institution Fraud, suspicious activity reports — which depository institutions file with the Department of Treasury for instances of known or suspected violations of law or suspicious activity — have increased greatly since data first became available in 2001. Of all suspicious activity reports, or SARs, filed since 2001, 85% were filed since 2005. From 2001-2011, depository institutions filed a yearly average of 530,000 SARs. From 2008-2011, they filed a yearly average of 736,000.
The increased filings are discouraging in their sheer number; however, they also represent a greater awareness of fraud on the part of depository institutions. Internal employee fraud and external fraud such as DDoS attacks, phishing scams, and member frauds are serious threats that credit unions face daily.
“Unfortunately, no one is immune to fraud,” says Audra Rael, vice president of support operations for Silver State Schools Credit Union ($654.5M, Las Vegas, NV). “All credit unions are going to experience it and take losses. We have a fiduciary responsibility to limit those losses the best we can.”
Internal Employee Fraud
Credit unions must protect themselves against those who would attack or steal sensitive financial information. That means a credit union must be aware of its weak points, including those within its own cubicles. Most employers want their workplace cultures to foster a friendly environment and trust within the ranks. But employers also need to foster a workplace in which employees are comfortable reporting suspicious activity to the proper channels, says Mike Sacher, a CPA with more than 30 years' experience serving credit unions.
No. 1: Occupational Fraud
Internal employee fraud, oftentimes called occupational fraud, rarely reaches the sensational heights portrayed in the media. More common examples of employee fraud include unauthorized withdrawals from member accounts, unauthorized loans, or illegal wire transfers. Others are rarer, such as phantom employees on the payroll or an employee buying now and fudging the numbers later.
Employee fraud can take many forms and occur in unexpected places. According to the 2012 Report to the Nations, which is published biennially by the Association of Certified Fraud Examiners, 87% of fraudsters have never been charged or convicted of a fraud-related offense, an indication institutions might be well served to focus on detection and investigation.
“You can never prevent [fraud],” Sacher says. “Bigger frauds typically occur because of a lack of adequate preventive or detective roles — a design deficiency.”
Combatting Internal Fraud
With this in mind, CEOs should strive to establish an environment in which, if an employee is perpetrating a significant fraud, there is a strong likelihood the credit union will identify it in a timely manner, Sacher says. Unfortunately, as credit union operations incorporate more complex products, services, and technology, institutions all too often fail to adequately update and test the internal control ramifications of these new products, services, and delivery channels.
“Credit unions have an obligation to do ongoing training with all staff — front and back office — in regard to fraud trends,” Rael writes in an email. “This training has to be ongoing and evolving, just like fraud activities.”
In addition to training, a credit union’s fraud detection strategy should also include an anonymous way for employees to report cases of suspicious activity they observe among their peers, say both Sacher and Rael.
“With internal fraud, employees get comfortable with their co-workers and they trust them so the natural tendency is to explain away the suspicious activity they are seeing,” Rael writes. “If they have both a chain of command to report to as well as a confidential way to report their suspicions, I think they are more apt to follow through and report what they are seeing.”
“Every fraud I’ve investigated over the years, when you interview people in the organization, they will tell you they were aware, they were suspicious, but they didn’t feel comfortable reporting it,” says Sacher, who in 2012 launched the whistleblower reporting service Protect My Credit Union to discourage or prevent internal fraud in credit unions. “Either it was someone they directly report to or they just didn’t want to get involved.”
For credit unions that want to ensure their fraud detection tools are up to the task, Sacher suggests looking at the same standards auditors must follow when measuring internal control frameworks. The Committee of Sponsoring Organizations’ “Internal Control-Integrated Framework” is to the internal control side what GAAP is to the accounting side, Sacher says.
Credit unions face external threats on many fronts. Anybody from members to hackers or pirates can attempt to take advantage of an unsuspecting credit union or its members. As with employee fraud, 100% prevention is impossible, but credit unions can be vigilant through their monitoring and detection efforts.
“You need to monitor transactions so you can identify out-of-pattern activity and address it right away,” Rael writes. “If we wait for a member to report fraud, it is usually too late. Credit unions can never stop fraud, but we have an obligation to try to mitigate it.”
External fraud is becoming increasingly electronic and is continually evolving. Today’s fraudsters are using a variety of tactics to trick victims into voluntarily offering sensitive financial and personal information that puts their identities and accounts at risk.
Nos. 2-4: Phishing, SMishing, & Vishing
Phishing is one common external fraud technique that broadly describes the impersonation of a business by a fraudster in an attempt to trick a person into divulging personal information such as username, password, or credit card details. Oftentimes phishing campaigns take people to fake versions of websites that would otherwise, minus some minute details, look legitimate.
SMishing is another popular scam in which fraudsters attempt to collect personal information via cell phone text message, or short message service (SMS). And in voice phishing, or vishing, fraudsters call victims’ cell phones and land lines seeking information.
According to data collected by the Anti-Phishing Working Group and published in its Global Phishing Survey, there were 72,758 worldwide phishing attacks during the first half of 2013. Amazingly, that’s a decrease from the 123,486 attacks documented in the second half of 2012. Despite the drop, phishing remains a problem for all institutions tasked with keeping personal information safe.
No. 5: Distributed Denial-Of-Service
Distributed denial-of-service, or DDoS, attacks are another way fraudsters are targeting financial institutions. DDoS attacks make servers and other machines unavailable to users and interrupt or suspend Internet connectivity services by overloading them with requests from many sources, essentially crashing the system. According to an April 2013 article from eSecurity Planet, a website that provides website security information and advice, DDoS attacks are increasing in size. The article cites a study by Arbor Networks that showed the average size of DDoS attacks in the first quarter of 2013 was 1.77 Gbps (gigabits per second). That’s a 19.5% increase over the same period in 2012. The study also showed larger attacks — defined as packet floods in the 2-10 Gbps range — have grown during the same period, now making up 21.5% of all attacks, an increase from the 15% seen in the first quarter of 2012.
Combatting External Fraud
Credit unions’ biggest defense against phishing attacks, DDoS attacks, and other member-centered scams is comprehensive fraud education. Credit unions have to understand their responsibility during these kinds of external attacks, Rael says. Everyone who works for the credit union has a duty to protect the members, not just the fraud department.
“Information sharing is powerful and can help to identify what is really going on in the organization,” Rael writes. “Credit union employees need to network with their peers. Join fraud organizations such as IAFCI, robbery task forces, etc. The more you hear about what others are experiencing, the better prepared you will be. Then share the information with all staff at the credit union.”
In addition to sharing information within its walls, a credit union should also make members aware of fraud issues that are occurring. A credit union’s website, newsletter, and staff communications are powerful tools in bringing fraudulent activities to the attention of members.
“[Members] believe we should know if they are going to fall victim to fraud,” Rael writes. “Therefore, I believe we have an obligation to keep them informed and try to point out the schemes and scams we are aware of.”
Communication is key, but the speed with which credit unions report attacks is just as important. To this end, train staff to quickly identify and report fraud. Reporting attacks as soon as they happen is the best way to keep them from spreading.
“Credit unions need to have procedures in place to deal with external fraud such as phishing or DDoS attacks,” Rael writes. “You have to be ready when it happens so you can stop it as soon as possible. The faster you respond, the more effective you will be at preventing actual loss of funds.”