CUNA Mutual Group Risk Alert: Increase in Identity Theft-Related Account Fraud

A credit union in the Northwest recently experienced a rash of fraudulent accounts opened online. The fraudsters opened 30 accounts using personal information belonging to others, including names, Social Security Numbers, dates of birth and addresses – most likely garnered from a recent major data breach of a credit bureau and purchased on the dark web. A unique aspect is the fraudsters used the identity theft victims’ addresses when opening the accounts. These addresses were within the credit union’s normal trade area so no red flags were raised.

Identity thieves traditionally use addresses they control when opening accounts under someone else’s identity to prevent the ID theft victims from learning of the fraud. However, a unique aspect of this fraud case is the use of identity theft victims’ addresses when opening the accounts. Addresses used were within the credit union’s normal trade area so there were no red flags raised. Additional characteristics of this fraud case include:

• Fraudsters successfully answered security questions – derived from the person’s credit report - generated by the identity verification solution used for the online account opening and funding platform.
• Most of the fraudulent accounts were auto-approved by the system. Fraudsters immediately enrolled for online banking after the accounts were opened.
• Many accounts were opened with the same phone numbers.
• Bill pay (expedited payments not based on a good funds model) was used to generate checks payable to others. However, the credit union was able to stop the fraud after being alerted to suspicious activity by the bill pay service provider and successfully placed stop payments on the checks.

Opening accounts online, rather than in person at a branch, allows fraudsters to minimize personal contact. Credit unions that provide this service could be at greater risk. Credit unions with associations (e.g. charities) within their fields of membership are also attractive targets since fraudsters can join the association to qualify for membership.

Identities stolen in the recent breach of a credit bureau were likely used and will be used for years to come to open fraudulent accounts. In addition, fraudsters could apply for loans or make fraudulent deposits (e.g., checks and/or ACH debits) and withdraw the funds before the deposited items are returned unpaid.

Credit unions should also consider the impact this breach can have on account takeovers via online banking. Many account takeover losses involve fraudsters enrolling member accounts for online banking by taking advantage of weak authentication methods.

Risk Mitigation
Credit unions should ensure their ID theft prevention program is up-to-date and followed by employees opening new accounts and processing loan applications. If you offer online account opening and funding, consider:

  • Use an identity verification service that relies on strong out-of-wallet questions.
  • Be alert for multiple credit inquiries in a relatively short period of time when examining new membership applicants’ credit reports.
  • Disable automatic approvals over weekends. These applications should require a manual review.
  • Require a manual review of applications from individuals qualifying for membership by joining an association within the field of membership or who live outside of the credit union’s normal trade area.
  • Scrutinize IP addresses, including:
    • Geo-location tracking of IP addresses to ensure they are consistent with the individual’s address.
    • Be alert for multiple applications received from the same IP address.
    • Block IP addresses if fraud is suspected. Note that fraudsters may quickly switch to different IP addresses after the block is in place.
  • Screen suspicious applications identified through a robust identity verification service. Some credit unions have experienced success in blocking fraudulent membership applications by screening suspicious applications through a skip trace service.
  • Refrain from opening accounts if you are unable to verify the identity of new membership applicants. Send an adverse action notice explaining the reason(s) for denying the account.
  • If members can fund the account online (e.g., by ACH or payment card), ensure the monetary limits are reasonable.
  • Send a welcome letter to new members.
  • If your bill pay product is not based on the good funds model, be alert for large dollar expedited payments via check created by new members.

Credit unions should mitigate the risk of account takeovers via online banking by deploying an identity verification service for the online banking self-enrollment feature.