Relief payments fill ACH pipelines and attract phishing and false identity attacks.
Education and authentication remain the best weapons against money mules and those who hire them.
Pete VanGraafeiland was among the leaders at Local Government Federal Credit Union ($2.4B, Raleigh, NC) who had high hopes for member growth when they launched Civic Federal Credit Union ($51.2M, Raleigh, NC) as a branchless cooperative.
Pete VanGraafeiland, Senior Vice President for Member Services, Civic FCU
“We thought we’d be popular but not this popular,” VanGraafeiland says of 3,000 or so member applications they’ve seen originated — but not completed — in recent weeks on Civic’s online account opening portal.
Most of those were bots and other fraud attempts, it seems. The 800-member Civic was among those targeted by cyber criminals aiming to create accounts as a way to receive and make off with ill-gotten gains from opportunities generated by the COVID-19 pandemic.
While the stakes have grown, one thing that hasn’t changed is the importance of strong authentication measures.
Generating Unwanted Attention
Civic was launched in early 2019 to serve first responders, their side gigs, and their employing agencies across the Tarheel State.
“We’ve done some marketing in North Carolina, but not enough to generate this kind of attention, and certainly not from places like California where we can see a lot of these internet addresses originate,” says VanGraafeiland, Civic’s senior vice president of member services.
Sean Sanner, Vice President for Fraud Prevention, Patelco Credit Union
VanGraafeiland says Civic aimed to make joining the de novo credit union as easy as possible when they put the infrastructure together. That included a digital account opening process that can enroll a legitimate member in as little as five minutes.
He says the account opening's multi-screen authentication process weeds out most of the nefarious activity, and that some of the applications that make it far enough for humans to see them are almost sublimely easy to spot as suspicious.
“We had one from a guy with a California address who not only failed some ID checks but said he was 28 years old and had worked for his company for 30 years and had income of $90 million a month,” VanGraafeiland says. “Since then, though, they’ve gotten smarter.”
Far more sophisticated hackers are using spear phishing and broad phishing attacks and more. These actors are taking advantage of stressful times to target staff and members who may be more vulnerable than usual to social engineering.
Complicating matters are instances of real people, not bots, being paid to create legitimate accounts to accept those funds and then send the money to fraudsters. In effect, they’re money mules.
There are tools and techniques, however, that can help filter out the fraudsters.
More From The Credit Union Perspective
Fight Fraud With These Messages
Patelco provided these examples of fraud-fighting messages. These – and more documents, templates, and collateral on multiple topics – also can be found in Callahan’s Policy Exchange.
Patelco Credit Union ($7.5B, Dublin CA) has about 378,000 members and 38 branches. Sean Sanner is its new vice president for fraud services. The 20-year veteran of risk management, fraud management, and information security joined Patelco in March, just as the pandemic was taking hold.
He says along with government deposits there are other targets about which credit unions should be cognizant in these troubled times. “Similar deposits coming into established accounts should be monitored for their members being duped by social engineering schemes such as romance scams or work from home scams,” Sanner says.
Along with data analytics, Patelco emphasizes creating awareness among members and staff of top issues and key protocols to follow to mitigate security risks, Sanner says. That includes frequent communications based on keeping up with what’s going on out in the wild.
“Examples would be a descriptive set of red flags to watch out for when a fraud group is attempting to open new accounts, or inconsistencies in an ACH deposit that can be identified to mitigate losses from the COVID-19 unemployment disbursement scam,” the Patelco fraud fighter says.
More From The Insurer’s Perspective
Fraud loss is among the insurance coverage that CUNA Mutual Group (CMG) provides to thousands of credit unions, and the Wisconsin-based company puts a lot of resources towards prevention even when its clients aren’t directly liable for the losses.
Ken Otsuka, Senior Consultant for Risk & Compliance Solutions, CUNA Mutual Group
That’s largely the case as the pandemic has created new opportunity for fraudsters targeting the flood of unemployment, Payroll Protection Program, and other stimulus checks going out from states and the federal government.
Ken Otsuka, a CMG senior consultant for risk and compliance solutions, pointed to a Nigeria-based ring called Scattered Canary as a particularly notorious band of thieves among those using phishing attacks and stolen and synthetic identities to take advantage of the processing rush states experienced as unemployment claims soared.
The vast majority of those payments travel the ACH rails. Otsuka notes that credit unions, as the receiving depository institutions, are required only to ensure the payment makes it to the right account number. They are not required to match names on incoming payments to the names on the accounts.
Still, it behooves credit unions to do what they can to protect the system, and matching names on payments to names on accounts is a recommended best practice. “If you see a mismatch, return the ACH payment to the originator,” Otsuka says.
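The name-matching check Otsuka recommends can be sketched as follows. This is an added example, not code from the article or from any institution named in it. It assumes the standard 94-character NACHA entry detail layout; the account table, the matching policy, and all function names and sample records are hypothetical.

```python
import re

NAME_WIDTH = 22  # Individual Name field, columns 55-76 of the entry detail record

def parse_entry(line):
    """Pull the fields needed for name matching from one 94-character type-6 record."""
    if len(line) != 94 or line[0] != "6":
        raise ValueError("not an entry detail record")
    return {"account": line[12:29].strip(),        # columns 13-29
            "amount_cents": int(line[29:39]),      # columns 30-39
            "name": line[54:76].strip()}           # columns 55-76

def name_tokens(name):
    """Uppercase, drop punctuation and one-letter initials, keep word order."""
    return [w for w in re.sub(r"[^A-Z ]", " ", name.upper()).split() if len(w) > 1]

def name_matches(ach_name, holder_name):
    ach, holder = name_tokens(ach_name), set(name_tokens(holder_name))
    if not ach:
        return False
    maybe_cut = len(ach_name) >= NAME_WIDTH  # a full field may end in a truncated word
    for i, tok in enumerate(ach):
        if tok in holder:
            continue
        if i == len(ach) - 1 and maybe_cut and any(h.startswith(tok) for h in holder):
            continue
        return False
    return True

def screen(lines, holders_by_account):
    """Return entries whose payee name matches no holder of the receiving account."""
    flagged = []
    for rec in map(parse_entry, lines):
        holders = holders_by_account.get(rec["account"], [])
        if not any(name_matches(rec["name"], h) for h in holders):
            flagged.append(rec)
    return flagged

def make_entry(account, cents, name):
    """Build a constructed sample record (placeholder routing, ID and trace numbers)."""
    return ("6" + "22" + "000000000" + account.ljust(17) + str(cents).zfill(10)
            + "".ljust(15) + name[:NAME_WIDTH].ljust(NAME_WIDTH) + "  " + "0" + "0" * 15)

# Constructed sample data: account holders and three incoming credits.
HOLDERS = {"1001": ["Jane Doe"], "1002": ["Maria Alvarez"],
           "1003": ["Bartholomew Fitzgeraldson"]}
SAMPLE = [make_entry("1001", 120000, "DOE, JANE Q"),
          make_entry("1002", 120000, "JOHN ROE"),
          make_entry("1003", 45000, "BARTHOLOMEW FITZGERALDSON")]

if __name__ == "__main__":
    for rec in screen(SAMPLE, HOLDERS):
        print("name mismatch, review for return:", rec)
```

Because the name field holds only 22 characters, the check tolerates a cut-off final word on a full-width field; a strict string comparison would flag legitimate members with long names.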
Here is an example of a phishing attempt that arrived at Member Driven Technologies.
More From A Core Processor’s Perspective
Mark Ernest, Senior Manager for Security and Threat Intelligence, Member Driven Technologies
Member Driven Technologies’ role as a provider of core processing and other technologies to 116 clients in 28 states includes security services, and gives the CUSO a position of responsibility and a bird’s eye view into cyber threats against member-owned financial cooperatives.
“We began seeing sporadic COVID-19 themed phishing campaigns in early April and they’re still persisting,” says Mark Ernest, senior manager of security and threat intelligence.
He says the majority of the phishing campaigns have been large-distribution attacks, not targeted specifically at MDT or its credit union clients. There have been exceptions, though.
“We’ve observed scammers using COVID-19 lures while impersonating MDT’s CEO as a means to make the spear phishing campaigns appear more authentic,” says Ernest, who’s been with the suburban Detroit-based CUSO for six years.
His advice to credit unions:
Provide security awareness training to all employees.
Build and communicate phishing reporting workflows for employees.
Use simulated phishing campaign technologies to reinforce phishing red flags.
Provide a dedicated “member security awareness” page.