Data Breaches Are Down; Here’s Why Fraud Will Likely Get Worse for CUs

It’s no coincidence this trend aligns with a rise in the financial toll of fraud. The median consumer loss now exceeds $1,700 – a hefty sum for many Americans, a third of whom report having more credit card debt than emergency savings, according to BankRate’s 2025 Emergency Savings Report. That’s a significant jump over previous years. When extrapolated across the U.S. adult population, this represents collective fraud losses of $265 billion in the past year. Among consumers who reported losing money in a fraud scheme, 20% said it happened through an account takeover.

Fueled by the widespread availability of stolen identity credentials, synthetic identity fraud is emerging as a noteworthy concern. U.S. lenders face a potential $3.3 billion in losses from synthetic identities due to fraudulent auto loans, bank credit cards, retail credit cards and unsecured personal loans – the highest level recorded since TransUnion began tracking the data in 2009. These figures, however, only represent direct losses. While harder to quantify, the emotional impacts on consumers and operational effects on credit unions are no less important.

What Breached Data Predicts About Future Fraud Patterns

The type of information exposed in a breach provides critical insight into future fraud behavior. Here are some of the most impactful potential fraud trends for credit unions based on the top credentials exposed in 2024.

• SSNs pave the way for new credit account fraud and tax refund fraud;
• Driver’s license numbers can be used for new account fraud of all kinds, such as checking, credit and even utility accounts, as well as legal impersonation;
• Bank account numbers risk account takeover in which criminals exploit login credentials or deceive identity verification methods; and
• Payment card details lead to credit or debit account fraud where criminals may start with small test charges before escalating to large withdrawals or purchases.

Many consumers erroneously believe because data breaches are so common, their information is already exposed. While it’s true cybercriminals have relatively easy access to low-level consumer data, such as names and email addresses, high-value credentials are another story.
When this breached data is pooled and sold on the dark web, fraudsters can compile a complete identity profile to exploit. Since criminals go where the money is, credit unions will remain a primary target.

A Better Risk Response

The volume of account takeover fraud grew 20% year-over-year in 2024 – up 129% since TransUnion first analyzed it in 2020.
Stopping new account fraud isn’t enough. Credit unions must double down on protecting existing members, especially those with known data exposure. Unfortunately, most consumers remain underinformed and underprotected.

TransUnion’s ongoing consumer sentiment research consistently shows Americans are deeply concerned about identity theft, but few take preventative action. The reasons are familiar: They feel overwhelmed, don’t know where to start or underestimate their personal risk.

Credit unions should consider a more personalized, data-informed approach to fraud mitigation. Across all sectors, personalization is proving to be a powerful force in sparking positive behavior changes. For credit unions, this can mean:

• Segmenting members by breach risk. Rather than treating all members equally, credit unions can assign them to different groups based on security threats. Then, they can prioritize outreach and fraud controls to those most at risk of serious financial or identity crimes, such as members with compromised SSNs, driver’s licenses or account numbers.
• Providing actionable, tailored guidance. Consumers need clear, personalized steps based on the type of compromised data in question. If their checking account numbers have been exposed, the financial institution should recommend specific, relevant actions, such as turning on real-time transaction notifications or setting up transaction limits or holds.
• Promoting underutilized fraud controls. Multi-factor authentication (MFA) remains an effective fraud deterrent, which is why the Federal Financial Institutions Examination Council implemented MFA requirements. Yet, adoption lags for many stronger forms of MFA like app-based or biometric authentication. Education is key. Members are more likely to activate these features when they understand the connection between their personal breach risk and protection offered by MFA.
• Educating on the most likely or serious threats. As trusted partners, credit unions are in a unique position to close the education gaps regarding what consumers should do when their personal data is breached. Using the kind of data-driven risk insights now available, credit unions can go beyond generic fraud communications to instead educate members about the fraud risks most relevant to them. Simple, clear, contextual information helps consumers take proactive steps so they don’t feel overwhelmed and uncertain.

While the decline in breaches might suggest the fraud threat is receding, in reality, the threat is simply evolving – resulting in more targeted, devastating fraud incidents.

Credit unions must respond to the changing nature of identity risks. Delivering a proactive, intelligence-led approach that addresses the severity of breaches in addition to their frequency helps protect members and the institution from future fraud.