LAS VEGAS-There are never ending waves of fraud crashing on financial institutions, so credit unions must be constantly updating their knowledge base-and educating their members-to keep up.
That was the message from Don Thompson, risk management consultant for Carmel, Ind.-based Allied Solutions. In some cases, he said, criminals use technology to dazzle and deceive, but other times it is a matter of a simple telephone call.
"These people call on the phone and tell consumers they are about to be removed from the Do Not Call list," he said. "They ask to confirm address, date of birth and Social Security number. If they get that information, they can steal the person's identity. And if the person is not on the Do-Not-Call list, they ask if the want to be, and then ask for the address, date of birth and Social Security number."
Another commonly seen phone scam entails the caller representing him or herself as being from the security division of Visa or MasterCard. The consumer is told his credit card has just been used for a large purchase at, say, Best Buy. When the alarmed recipient of this news insists it is not his card, the fraudster smoothly promises to make an adjustment-as long as the soon-to-be victim confirms the account number and three-digit security code on the back of his card, known as the CVV2.
"People fall for this," Thompson said incredulously. "If the person really was calling from Visa or MasterCard, they would already have the account number.
Credit unions need to educate their members about these types of fraud," he added.
Something New Every Day
With the advent of text message banking has come a new version of fraud, known as "smishing." A typical fraudulent text sent to members' cell phones will contain a message roughly along the lines of "Dear Member. We regret to inform you we had to lock your account access. Call XXX-555-1212 to restore your account."
Of course, the number goes to a phone answered by a criminal, not the person's credit union, and the member then is asked for their card number and CVV2.
Thompson warned of a variety of fraudulent activity that attacks vulnerabilities in ACH/A2A transactions. Specifically, he said CUs should consider limits on the dollar amount of transactions new accounts may make when they are set up via online banking.
"There is a lot of risk involved in ACH," he said. "Members can push funds from their credit union account to an account at another financial institution through ACH credit, or pull funds into their credit union account from another financial institution through ACH debit."
The problem on ACH debits, Thompson explained, is the other financial institution has 60 days to return an unauthorized transaction. He cited the example of one CU that had a new member open a savings account and a $10,000 Visa line of credit. The member paid the LOC using Internet banking, using ACH to pull funds from another institution. The credit union gave immediate credit, and the member took a cash advance.
This process was repeated eight times before the ACH payments were returned for insufficient funds-but the credit union lost $80,000. "This type of credit risk is uninsurable," he said. "Credit unions need to be aware of the credit risk associated with ACH debit and not release the credit limit until funds are received. In the case of the multiple NSFs, people at that credit union were missing significant red flags."
To ward off losses in ACH wire transfers used by criminals for bill pay, Thompson said CUs should not allow immediate access to payment services to new users. Instead, credit unions should implement an enrollment process that sends the new member an e-mail to an address provided at account opening for confirmation. Access to funds should not be granted until the following business day, he said.
"Restrict this feature to members who enroll and qualify," he said. "New payees need to be confirmed with the member. Educate your members through newsletters and notices on your website."