Top-Level Takeaways
- Cyber Monday volume can create a distraction for fraudsters to slip in unnoticed.
- Member education combined with tech tools forms a defensive bulwark.
Cyber Monday has replaced Black Friday as the largest single sales day of the year, and with it come the requisite threats of theft by cyber fraud.
They include old attacks in new forms, such as the so-called Magecart groups that are placing digital credit card skimmers on hacked websites, as well as the rapid growth of card-not-present fraud as a result of EMV chip card adoption, and good ol’ fashioned phishing in all its nefarious forms.
“We’re definitely seeing a shift to fraudulent card-not-present transactions on a routine basis due to the presence of chip-enabled payment cards,” says John Buzzard, industry fraud specialist at CO-OP Financial Solutions. “The holidays will simply add to that experience as transaction volumes increase.”
He also notes that CO-OP has been seeing increased transaction volume for the past three Mondays after Thanksgiving and expects that trend line to continue upward because of consumer adoption of mobile devices, faster payments, and online retailers’ efforts to lure in busy shoppers with outstanding experiences like next-day shipping and easy returns.
Not-so-outstanding experiences include phishing emails about supposed online orders. They’re particularly pernicious because they appear to come from UPS or FedEx and are sent to personal and credit union domain email addresses, says Heather McCalman, credit union council manager with FS-ISAC.
“The phishing emails encourage the recipient to click on a malicious link to see the next delivery time or to see who the package is from,” says McCalman, a veteran credit union IT and cybersecurity manager before joining the information-sharing consortium about two years ago. “It’s easy for consumers to think the emails are legitimate because of the abundance of online shopping, even if they didn’t order anything recently or it’s too early for the package to be delivered.”
Texting For Trouble
A new threat is also emerging in the form of an old favorite in digital communications.
“Whereas the traditional path of delivering fraudulent links has been via e-mail, there’s a growing trend toward using text-based messages,” says Gene Fredriksen, chief security strategist at PSCU.
Fredriksen says studies show people tend to trust text messages more than emails and are more likely to click on an embedded link.
“Combining this trend with the ‘holiday spirit’ yields a fertile environment for fraudsters,” Fredriksen says. “Shoppers looking for the perfect or hard-to-find gift are likely to take financial risks they might not otherwise take.”
The sheer volume of transactions around the holidays also can make it easier for fraudsters to slip by unnoticed; however, the threats of the shopping season actually hold true all year, the fraud fighters say.
“Bad actors don’t need a sale to incent their illicit activity,” says Eric Kraus, line of business executive for fraud management at FIS. “The threats presented during this busy shopping season are not dissimilar to the threats credit unions face every day.”
Kraus predicts Cyber Monday this year will bring account takeover attempts, EMV fallback activity at POS, fuel pump skimming, ATM cash-out schemes, and increasing e-commerce fraud. That might seem like a lot, but Kraus says that’s activity financial institutions see every day.
Buzzard at CO-OP also advises credit unions to be prepared for fraudsters to attempt to plow the same ground.
“It’s important to think back over last year’s holiday season,” the fraud specialist says. “Any scam that represented a huge loss then should be mitigated by now. But at the same time, it’s also a smart idea to make sure you’re prepared to face the same challenges all over again.”
Fredriksen at PSCU adds that old scams can still be effective, so the credit union and its members need to be aware of those.
“The best defense is consumer education,” he says. “Combine people, processes, and technology systems to provide a comprehensive solution.”
Educate. Prepare. Support.
What can credit unions do to prepare for Cyber Monday? Heather McCalman, credit union council manager for the Financial Services Information Sharing and Analysis Center (FS-ISAC), has a few tips.
Educate: Members and employees need continual awareness campaigns. Sometimes the only reason an attack works is because employees weren’t on the lookout for it.
Prepare: Implement strict fraud rules and respond to alerts. The Target breach reportedly involved industry best practices not adhered to before and during the attack.
Prepare: Credit unions need a due diligence program and well-planned vulnerability and patch management programs for vendors. Then, understand any update, patch, and other changes a vendor implements.
Prepare And Support: Prepare employees to work beyond business hours to test and apply serious updates or patches. They should also feel that executives have them covered if they slow down processing to respond to a potential issue.
Support: When credit unions participate in information sharing groups, they hear about attacks and mitigation tactics before the general public.
Credit unions can raise member consciousness with online, ATM, and in-branch messaging that underscores the importance of reporting fraud now rather than later. According to Buzzard, “Think before you click” messages encourage safer online behavior and “If you see something, say something” messages encourage members to report unusual transactions immediately.
It’s worth the effort to educate members and employees alike about the threats, but even that has its limits. McCalman says she knows of some credit unions that do things like deposit $5 into the savings accounts of members who complete a training on the credit unions’ website; however, it’s not easy to gauge what they actually take away.
“You can’t conduct phishing tests on your members,” says the FS-ISAC manager.
Let’s Work Together
Buzzard and the fraud-fighting gurus at other major payments processors in the credit union space recommend credit unions come to them to partner on preparing for the holiday season.
That includes working together to ensure the processing system rules for flagging transactions are updated, ideally with analytics that leverage big data concepts that Kraus at FIS says can help more intelligently increase fraud detection rates while reducing potential false positive transaction declines.
Kraus also advises working with industry partners to identify trends and potential compromises as quickly as possible.
“Credit unions openly sharing their experiences with one another can also be very helpful,” he says. “When it comes to stopping financial crime, we can all learn from one another’s past successes and missed opportunities.”
Beyond the payments ecosystem, it’s also important for credit unions to protect their brand integrity online. Be vigilant in monitoring your social media presence and your online domain for potential spoofing and brand impersonation.
For members, credit unions should send transaction and account change alerts and consider apps that allow members to turn cards on and off. They should also be vigilant where a member might not have enough information to be.
“There are a bevy of things to look for, such as massive batches of pre-authorizations from the same retailer for identical or nearly identical amounts,” Buzzard at CO-OP says. “Sometimes this is large-batch card testing that usually results in card fraud later.”
The CO-OP fraud specialist also says tracking increased call center activity can help detect if fraud actors are taking advantage of busy holiday periods to try to request new cards, PINs, and addresses.
“This is their opportunity to hide in plain sight and take advantage of higher transaction and call volumes,” he says.
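The large-batch card-testing pattern Buzzard describes (many pre-authorizations from one retailer for identical or nearly identical amounts) can be turned into a simple detection rule. The sketch below is an added example, not code from the article or from CO-OP; the record layout, thresholds, merchant names and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_card_testing(preauths, window=timedelta(minutes=10),
                      tolerance_cents=5, min_cards=10):
    """Flag merchants where at least min_cards distinct cards were
    pre-authorized for near-identical amounts inside one time window."""
    by_merchant = defaultdict(list)
    for ts, merchant, card, cents in preauths:
        by_merchant[merchant].append((ts, card, cents))
    alerts = []
    for merchant, rows in sorted(by_merchant.items()):
        rows.sort()
        start = 0
        for end, (ts, _, anchor) in enumerate(rows):
            while ts - rows[start][0] > window:   # slide the window forward
                start += 1
            # Distinct cards whose amount is within tolerance of the newest one
            cards = {c for _, c, a in rows[start:end + 1]
                     if abs(a - anchor) <= tolerance_cents}
            if len(cards) >= min_cards:
                alerts.append({"merchant": merchant, "distinct_cards": len(cards),
                               "window_start": rows[start][0], "detected_at": ts,
                               "amount_cents": anchor})
                break   # one alert per merchant is enough to open a case
    return alerts

def sample_preauths():
    """Constructed records: (timestamp, merchant, card token, amount in cents)."""
    t0 = datetime(2024, 12, 2, 9, 0)
    rows = []
    for i in range(12):   # burst: 12 cards, $1.00-$1.02, 30 s apart
        rows.append((t0 + timedelta(seconds=30 * i), "MERCHANT-A",
                     f"tok-a{i:02d}", 100 + i % 3))
    for i in range(12):   # busy but normal: 12 cards, widely varying amounts
        rows.append((t0 + timedelta(seconds=20 * i), "MERCHANT-B",
                     f"tok-b{i:02d}", 1999 + 731 * i))
    for i in range(12):   # one card retried at the same amount: not card testing
        rows.append((t0 + timedelta(seconds=15 * i), "MERCHANT-C", "tok-c00", 999))
    return rows

if __name__ == "__main__":
    for alert in find_card_testing(sample_preauths()):
        print(alert)
```

Counting distinct cards rather than raw transactions keeps a single card's retries, and a busy merchant with varied ticket sizes, from triggering the rule.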