Four Top Fraud Threats—and How to Fight Them
Integrate anti-fraud measures into your CU culture.
The New Year is well underway, but credit unions must realize that while 2011 has faded into the past, potential fraud threats will not.
Even though many credit unions employ state-of-the-art detection and prevention measures, criminals can still strike.
Unfortunately, fraudsters are only becoming more sophisticated and their tactics more complex. There are four top categories of fraud and data compromise that will remain prominent in 2012.
By understanding what risks each category brings, credit unions have a better chance of mitigating those risks and stopping criminals in their tracks.
1. Network intrusion
Network intrusion represents the majority of fraud that takes place today. Network intrusion covers a range of attack methods:
• Malware. This comprises a variety of forms of hostile, intrusive, or annoying software or program code that can collect sensitive information from a computer undetected.
• SQL injections. This involves entering SQL code into Web forms such as login fields or browser address fields to access and manipulate the database behind the site or system.
In other words, it tries to fake out the login function using SQL commands instead of actual user names and passwords to gain access to sensitive information.
• Personal identification number (PIN) hacking. Some sophisticated criminals grab unencrypted PINs while they sit in memory on bank systems during the authorization process. Or they hack into a bank’s hardware security model and trick it into providing an encryption key to “unlock” the data passing through the system.
• Packet sniffing. With packet sniffing, a malicious intruder can capture and analyze all of the network traffic within a given network and capture username and password information that’s generally transmitted in clear text and viewable by analyzing the packets being transmitted.
2. Social engineering
This type of fraud focuses on manipulating people rather than hacking into computers for information.
They key to social engineering fraud is tricking a person into performing a specific action, such as revealing an account number or password, or installing malware.
Some of these attacks start with network intrusion in the form of stealing email addresses from a financial institution. The criminals then send emails that link to a fake landing page mimicking the consumers’ bank or credit card provider’s site.
The consumers enter usernames, passwords, Social Security numbers, and/or account information—unaware that a cyber thief is capturing that data for malicious use.
Skimming techniques allow thieves to gather account information, PINs, and even CVV2 numbers. The criminals swipe and store card information using a small electronic device (skimmer).
This type of theft takes place during an otherwise legitimate transaction at ATMs, gas pumps, or restaurants, for example.
Skimming often involves the use of a hidden camera to record customers’ PINs or phony keypads placed over real keypads to record keystrokes. For criminals, there is a risk of getting caught when going to retrieve the devices.
The criminals are getting smarter, though. Now, using Bluetooth technology, they can sit in a nearby vehicle and remotely gather data instantaneously with no need to retrieve the devices they install.
4. Insider fraud
Insider fraud is a growing problem among financial institutions. It’s a term assigned to a wide variety of criminal behavior perpetrated by a firm’s own employees or contractors.
Insider fraud generally falls into three categories: theft from members, theft from the firm, and abuse of position.
Unfortunately, employees and contractors who access financial institution systems during the course of work often know the system better than anyone else and are better positioned to exploit the systems’ vulnerabilities.
As with other forms of fraud, insider fraud is changing. Historically, employee fraud involved account skimming and other small-scale attacks that put money in the employee’s pocket.
Today, with access to the online fraud forums, employees can advertise and sell customers’ personal and financial information and make money without stealing directly from accounts.
Along with understanding how criminals are adapting their fraud practices to the market, it’s critical for credit unions to implement strategies to fight these evolving strategies.
Here are a few strategies to consider:
• Invest in security and promote it. To retain valuable members and accounts, credit unions must reduce the risk of fraud by investing more in detection and prevention services—and then make members aware of those extra investments.
Security no longer should be considered a corporate secret. It’s a competitive advantage to be marketed and valued.
• Integrate anti-fraud measures into the culture. Credit unions must deploy fraud awareness and prevention programs across every department.
The marketing group should know and understand how to monitor for suspicious behavior when promoting new debit/credit card programs. At the same time, the fraud prevention group needs to understand marketing’s member-acquisition goals, and not implement fraud controls that are too stringent for a program to succeed.
Human resources must also be on high alert when hiring employees, even those whose jobs do not give them access to sensitive information.
• Use data analysis tools to get a 360-degree view of fraud. To be proactive about fraud prevention, credit unions must understand the fraud that’s happening in their own portfolios and keep on top of what’s happening in the industry as well.
Criminals are tricky—so what appears to be a small risk within your own portfolio could represent serious fraud when viewed from an industry-wide perspective.
• Take action now. With attacks coming in many different forms and through many different channels, credit unions must gain a better understanding of how criminals operate and how fraud is changing.
With this understanding, credit unions will have a better chance of mitigating the risks and recognizing attacks before they do serious damage.
SHELLY HUNTER is vice president, product management, for First Data’s fraud and risk services.