ANAHEIM, Calif.–“The times they are a changin’,” one person observed here in sharing the Bob Dylan song, but in another way they very much are not: fraudsters continue to use every tactic they can imagine in attacking credit unions and their members.
And many of those scammers, said Jay Isaacson, VP product executive-business protection with CUNA Mutual Group, are often found inside credit unions.
In remarks to the CUNA CFO Council annual meeting here, Isaacson spoke to the issue of avoiding large losses with proper preparation, offering a number of tips for doing just that.
Isaacson noted that the highest number (42%) of fidelity bond claims CUNA Mutual receives has to do with fraudulent deposits and forgery, but those represent just 14% of losses. Claims of employee dishonesty represent just 13% of the claims it receives, but those in turn are 50% of the claims dollars the company pays out each year.
A third category, funds transfers, has been growing relatively quickly, he said.
Some examples of employee dishonesty Isaacson said CUNA Mutual has seen:
- The “C-Note Sandwich.” At one credit union where a sole employee with access to vault cash was breaking apart bundles of bills and reinserting smaller denominations of cash. That took place over an 18-24-month period, and was only discovered after the CU started getting suspicious about the number of cash orders being made to the Fed.
- Dishonest Purchase Orders. One manager was ordering IT components using fictitious purchase orders, and then reselling the components on eBay.
- One loan officer went as far as to create fictitious businesses and then made loans to those fictitious businesses.
“Often, it’s simply about opportunity,” he said. “There is a lot of trust in the credit union system and in people helping people, and rightfully so, but unfortunately not all employees deserve it.”
To reduce the risk of employee dishonesty, Isaacson urged:
- Strong hiring practices. Is a prospective employee bondable? Bondability can be pulled if a CU becomes aware of an employee acting in fraudulent manner and doesn’t act on it, he noted.
- Segregation of duties.
- Regular review of authority levels.
- Dual controls.
- Supervisory/internal audit program (trust but verify).
Isaacson reminded that while check transactions have declined steeply, there were still about six-billion check transactions in 2014. Despite the steep drop, check fraud reductions have not fallen at the same pace.
Other potential loss risks addressed by Isaacson:
Wire Transfer Fraud
Isaacson said thieves have been getting “more devious” with the appearance of wire destinations, tricking members into providing false instructions for legitimate transactions. One area where criminals have gotten much better is in sophisticated spear-phishing attacks on senior executives, with email messages, for instance, that appear to be from another senior exec but which are not.
To fight wire transfer fraud, he urged these steps:
- Put a monetary cap on wire requests not made in-person
- Understand coverage risk-sharing
- Exceptions must be approved by officer
- Written agreements with members in advance
- Passwords on file
- Avoid too much reliance on signature verification or any documentation sent electronically
- Train staff to be looking for red flags.
ACH Transaction Losses
“We’re seeing a lot more of this now, and it’s is a fairly complex process to understand what culpability you might have in the event there is fraud,” cautioned Isaacson.
That process begins with understanding if the FI is an originating depository institution or a receiving FI. “Ultimately, these are not insurable,” he added.
An example of ACH transaction fraud includes Social Security payments being made to an account on which the account-holder is deceased. Another area: tax refund fraud. If a tax refund comes in and the name and account number don’t match, it’s best to send the funds back, said Isaacson.
To manage ACH Transaction fraud, he recommended:
- Know the people who are joining via remote steps.
- Assessing and controlling ACH risks requires a strong understanding of transaction process.
Plastic Card Fraud
Isaacson said the implementation of EMV, or chip, cards will by no means be the end of card fraud. For instance, in the U.K., which transitioned to EMV in 2006, it initially saw a 25% reduction in card fraud, but the trend line soon started moving upward again, and now overall card fraud represents a larger figure than back in 2006, with the U.K. seeing a “dramatic uptick” in card not present fraud.
Management and Professional Liability Trends
For CUNA Mutual, employment practices liability represents 53% of all its losses, followed by lender liability at 33%.
Why the increase in Employment Practices Liability? Isaacson said part of it might have been due to the down economy which led many credit unions to downsize. That, in turn, led to lawsuits by former executives that they had been let go due for reasons of race, gender or national origin. But the biggest category here is lawsuits alleging “retaliation,” often around age or disability. Those suits are heard by juries, which are often sympathetic to plaintiffs, said Isaacson.
Cyber Security
The four drivers of cyber-breaches or risks are employee negligence/theft; lost/stolen data, vendor leaks/mistakes, and network hackers/malware.
“One area we are seeing in particular has been employee negligence, with some theft,” said Isaacson, before adding, “But what we’re finding is fraudsters are trying to exploit every aspect of your operation.”