“The phishing emails encourage the recipient to click on a malicious link to see the next delivery time or to see who the package is from,” says McCalman, a veteran credit union IT and cybersecurity manager before joining information-sharing consortium about two years ago. “It’s easy for consumers to think the emails are legitimate because of the abundance of online shopping, even if they didn’t order anything recently or it’s too early for the package to be delivered.”
Texting For Trouble
A new threat is also emerging in the form of an old favorite in digital communications.
“Whereas the traditional path of delivering fraudulent links has been via e-mail, there’s a growing trend toward using text-based messages,” says Gene Fredriksen, chief security strategist at PSCU.
Gene Fredriksen, Chief Security Strategist, PSCU
Fredriksen says studies show people tend to trust text messages more than emails and are more likely to click on an embedded link.
“Combining this trend with the ‘holiday spirit’ yields a fertile environment for fraudsters,” Fredriksen says. “Shoppers looking for the perfect or hard-to-find gift are likely to take financial risks they might not otherwise take.”
The sheer volume of transactions around the holidays also can make it easier for fraudsters to slip by unnoticed; however, the threats of the shopping season actually hold true all year, the fraud fighters say.
“Bad actors don’t need a sale to incent their illicit activity,” says Eric Kraus, line of business executive for fraud management at FIS. “The threats presented during this busy shopping season are not dissimilar to the threats credit unions face every day.”
Kraus predicts Cyber Monday this year will bring account takeover attempts, EMV fallback activity at POS, fuel pump skimming, ATM cash-out schemes, and increasing e-commerce fraud. That might seem like a lot, but Kraus says that’s activity financial institutions see every day.
Buzzard at CO-OP also advises credit unions to be prepared for fraudsters to attempt to plow the same ground.
“It’s important to think back over last year’s holiday season,” the fraud specialist says. “Any scam that represented a huge loss then should be mitigated by now. But at the same time, it’s also a smart idea to make sure you’re prepared to face the same challenges all over again.”
When it comes to stopping financial crime, we can all learn from one other’s past successes and missed opportunities.
Fredriksen at PSCU adds that old scams can still be effective, so the credit union and its members need to be aware of those.
“The best defense is consumer education,” he says. “Combine people, processes, and technology systems to provide a comprehensive solution.”
Educate. Prepare. Support.
What can credit unions do to prepare for Cyber Monday? Heather McCalman, credit union council manager for the Financial Services Information Sharing and Analysis Center (FS-ISAC), has a few tips.
• Educate — Members and employees need continual awareness campaigns. Sometimes the only reason an attack works is because employees weren’t on the lookout for it.
• Prepare — Implement strict fraud rules and respond to alerts. The Target breach reportedly involved industry best practices not adhered to before and during the attack.
• Prepare — Credit unions need a due diligence program and well-planned vulnerability and patch management programs for vendors. Then, understand any update, patch, and other changes a vendor implements.
• Prepare And Support — Prepare employees to work beyond business hours to test and apply serious updates or patches. They should also feel that executives have them covered if they slow down processing to respond to a potential issue.
• Support — When credit unions participate in information sharing groups, they hear about attacks and mitigation tactics before the general public.
Credit unions can raise member consciousness with online, ATM, and in-branch messaging that underscores the importance of reporting fraud now rather than later. According to Buzzard, “Think before you click” messages encourage safer online behavior and “If you see something, say something” messages encourage members to report unusual transactions immediately.
It’s worth the effort to educate members and employees alike about the threats, but even that has its limits. McCalman says she knows of some credit unions that do things like deposit $5 into the savings accounts of members who complete a training on the credit unions’ website; however, it’s not easy to gauge what they actually take away.
“You can’t conduct phishing tests on your members,” says the FS-ISAC manager.
Let’s Work Together
Buzzard and the fraud-fighting gurus at other major payments processors in the credit union space recommend credit unions come to them to partner on preparing for the holiday season.
That includes working together to ensure the processing system rules for flagging transactions are updated, ideally with analytics that leverage big data concepts that Kraus at FIS says can help more intelligently increase fraud detection rates while reducing potential false positive transaction declines.
Heather McCalman, Credit Union Council Manager, FS-ISAC
Kraus also advises working with industry partners to identify trends and potential compromises as quickly as possible.
“Credit unions openly sharing their experiences with one another can also be very helpful,” he says. “When it comes to stopping financial crime, we can all learn from one another’s past successes and missed opportunities.
“Beyond the payments ecosystem, it’s also important for credit unions to protect their brand integrity online. Be vigilant in monitoring your social media presence and your online domain for potential spoofing and brand impersonation.”
For members, credit unions should send transaction and account change alerts and consider apps that allow members to turn cards on and off. They should also be vigilant where a member might not have enough information to be.
“There are a bevy of things to look for, such as massive batches of pre-authorizations from the same retailer for identical or nearly identical amounts,” Buzzard at Co-p says. “Sometimes this is large-batch card testing that usually results in card fraud later.”
The CO-OP fraud specialist also says tracking increased call center activity can help detect if fraud actors are taking advantage of busy holiday periods to try to request new cards, PINs, and addresses.
“This is their opportunity to hide in plain sight and take advantage of higher transaction and call volumes,” he says.
Want more credit union strategies? Sign up for the CreditUnions.com free newsletter.