Account takeover fraud, which occurs when a criminal gainsunauthorized access to an account via identity theft, is growing byleap and bounds.

It's a type of identity theft where a fraudster uses parts ofthe victim's identity, such as an email address, to gain access tofinancial accounts. The perpetrator often reroutes communicationabout the account, keeping the victim in the dark so the thieverycan continue longer. Affected accounts can include credit cards,checking and savings accounts, brokerage accounts and store loyaltyrewards accounts.

At least partially explaining its growth, the adoption of EMV isleading to account takeover fraud growing even faster than paymentcard fraud. In addition, greater access to credit, an abundance ofinformation, faster electronic communications and intensecompetition among financial institutions make it easier than everfor criminals to steal identities and falsify information.

Much like a virus reacts to a vaccine, hackers develop new waysto penetrate security systems as the old methods becomeineffective. For credit unions, then, constant vigilance andintelligent surveillance are key to preventing and detectingaccount takeover fraud.

Reviewing and Evaluating Internal Controls

Fighting this type of fraud begins with a thorough review andevaluation of a credit union's own internal controls. A sampling –but not an exhaustive list – of important steps in maintainingtop-notch internal controls are:

• Conduct periodic surprise audits and annual reviews ofprocedures.

• Provide for the physical security of all checks, includingcashier checks, branch checks and deposited checks.

• Provide for the temporary physical security of electronicallydeposited checks, including storage in a secure facility along withsecured shredding.

• Ensure appropriate security is in place over signature plates,cards and software.

• Require an additional review process for all checks over aspecified amount.

• Remove individuals from financial institution transactionauthority immediately upon resignation or termination.

• Ensure that controls exist for the storage and destruction ofall documents that contain account and other relatedinformation.

• Determine that appropriate controls are present if employeesaccess financial and banking systems from remote sites.

• On an annual basis, request a legal review of all changes inlaws regarding liability as it relates to fraudulent transactions.

Best Practices for Preventing Fraud Losses

Some best practices for fighting account takeover and otherforms of fraud include:

1. Strengthening verification procedures for newaccounts. This should include incorporating moreinformation into the decision process, especially for high-dollarunsecured transactions; breaking away from conventional thinking(traditional credit scoring and underwriting procedures do notidentify fraudulent applications); digging deeper to verifyidentify beyond using Social Security numbers or other singlepieces of data; and looking for and assessing the fraud potentialof inconsistency among all data available, not just in address andcredit bureau information (Does the phone number go with theaddress? Do the age and Social Security number match?)

2. Strengthening verification procedures for existingaccounts in online or call center transactions. Positiveverification calls for comparing information provided by theconsumer with a trusted third-party source, such as a consumerreporting agency.

3. Using credit report data to verify name, address, phonenumber, Social Security number, date of birth and driver's licensenumber. This includes both logical verification (usingcommercially available analysis tools to determine the consistencyof information from various sources) and negative verification(checking information provided by the consumer against databases ofknown fraud, bad checks and government lists).

4. Strengthening the notification process to the consumerfor changes made to the consumers' existing accounts. Anychanges made to a member's account need to be verified with themember. This can be accomplished by sending a confirmation email tothe original email provided by the consumer, a follow-up letter tothe original address of the consumer and a phone call to theoriginal phone number on file.

5. Establish limits on withdrawal frequency.Limits should also be established on amounts to minimize a member'sexposure to skimming and card theft.

Fighting fraud requires a true partnership between creditunions, core processors and payment services providers. Byfollowing the steps above, you have key safeguards that will helpprotect your credit union and your members in this atmosphere ofenhanced technology – and criminality.

Join us at Credit Union Times' Fraud:Don't Let It Happen To Your Credit Union Conference, where youwill find the latest tools and techniques for preventing fraud anddata breaches; strategies for responding in the immediate aftermathand best practices for restoring reputation, financial stabilityand information security. This two-day conference is designed forcredit union executives, boards of directors and those responsiblefor your credit union's cybersecuritypolicy. Registerto attend and save $150.

CarolineWillard is EVP, markets and strategy for CO-OP Financial Services.She can be reached at 800-782-9042, Ext. 5934or [email protected].