No longer solely a back-office issue, fraud attacks against credit unions are becoming faster, more technology-enabled, and more pervasive across all member touchpoints.
As digital capabilities advance, institutions must view fraud within a broader risk management framework, especially as financial crimes grow more scalable and irreversible, with schemes like business email compromise, cryptocurrency fraud, identity theft, and lending scams exploiting speed, anonymity, and control gaps.
But there’s also a way credit unions can protect themselves: by implementing practical solutions to counter threats. These include proactive approaches based on internal controls, training, monitoring, and governance, along with identifying weaknesses and addressing them before they can be exploited.
Barry Pelagatti, a partner in RKL’s Audit Services Group and leader of its Financial Services and Risk Management Service groups, shares insight from his 30 years of experience helping financial institutions across the Mid-Atlantic strengthen controls, respond to evolving threats, and manage risk in a practical, proactive way.
How does RKL support credit unions in preventing, detecting, and responding to fraud and identity theft?
Barry Pelagatti: RKL supports credit unions in designing risk-based plans focused on preventing, detecting, and responding to fraud and identifying theft by emphasizing strong internal controls, data protection, access management, security awareness, and incident reporting.
Internally, we focus on safeguarding sensitive information through restricted access, password controls, secure data storage, device security, ongoing training, and prompt reporting of lost devices or suspected unauthorized access.
These same practices help us support credit unions as we work with them to strengthen fraud prevention, improve detection of suspicious activity, and respond quickly to potential incidents.
What are the key fraud trends you’re seeing today, including some recent data and the rise of cyber-enabled and cryptocurrency-related schemes?
BP: Fraud trends today show that financially motivated crime is increasingly digital, fast-moving, and scalable. The FBI Internet Crime Complaint Center’s 2024 Report shows the Internet Crime Complaint Center has received approximately 836,000 complaints per year on average during the past five years, reflecting the persistent nature of online fraud. The report also highlights that cyber-enabled fraud accounted for roughly 38% of 2024 complaints but nearly 83% of total reported losses, with approximately 333,981 complaints and $13.7 billion in losses.
Investment scams were the largest category by reported loss at about $6.57 billion, whereas business email compromise caused roughly $2.77 billion in losses. Cryptocurrency continues to play a major role due to its speed, pseudo-anonymity, and limited recovery options, with more than $9.3 billion in losses in 2024.
Common payment channels include cryptocurrency, wire transfers/ACH, debit and credit cards, peer-to-peer payments, and gift cards. Overall, fraud is becoming more technology-enabled, more cross-border, and harder to reverse once funds leave the victim’s control.
How are fraud schemes evolving, and what should credit unions know about identity theft risks, modern scam tactics, and loan fraud red flags?
BP: Fraud schemes are evolving by blending traditional deception with modern technology, social engineering, and increasingly realistic fake documentation.
Identity theft remains one of the fastest growing crimes, with fraudsters targeting personally identifiable information such as Social Security numbers, addresses, driver’s license numbers, email credentials, insurance data, and loan information.
Tactics include phishing, spear phishing, vishing, smishing, pharming, skimming, mail theft, pretexting, typo-squatting, and whaling. Newer scams like “pig slaughtering” involve building trust over time before steering victims into fake investment platforms, often involving cryptocurrency.
An important takeaway is that scams are no longer always crude; fake websites, executive impersonation, and AI-assisted document creation can make fraud attempts appear legitimate. On the lending side, red flags include unusually large loan requests, questionable repayment terms, inconsistent or forged documentation, discrepancies in personal information, frequent applications, and reluctance to provide supporting details.
What practical steps can credit unions take to strengthen fraud risk management, including detection methods, internal controls, employee training, and overall risk strategy?
BP: Credit unions can strengthen fraud risk management by starting with a formal fraud risk assessment that identifies vulnerabilities, measures risk, and connects those risks to specific control activities.
Strong internal controls are foundational, especially since fraud often arises from control weaknesses. Key measures include segregation and rotation of duties, mandatory vacations, surprise audits, employee account reviews, and background checks for higher-risk roles.
Maintaining a confidential reporting system allows employees, agents, and the public to report concerns without fear of retaliation, which is critical since tips are a leading method of detecting fraud. Continuous monitoring, including automated tools, helps ensure controls are working as intended.
Employee training should be mandatory and ongoing, covering fraud awareness, warning signs, reporting procedures, and consequences. Targeted, frequent, recurring training is especially important for high-risk functions.
At a broader level, organizations should align fraud management with governance, oversight, and a prevention-first strategy, as prevention is generally more effective than recovery after losses.
To learn more about RKL, visit the firm’s website and follow RKL on Instagram, Facebook, X, and LinkedIn for updates on services, insights, community involvement, and career opportunities as well as information about RKL’s mission and values.