June 28, 2011
By Ken Otsuka
Credit unions continue to experience severe losses from unauthorized wire transfers. In Q1 of 2011, credit unions reported $1.2 million in losses from wire transfers to CUNA Mutual Group. Annualized, CUNA Mutual estimates losses could reach $4.8 million, exceeding the 2010 reported losses of $4.0 million.
Wire Fraud: The Characteristics
According to a January 25, 2011, article appearing in CNNMoney.com, The King of Home Equity Fraud, famed cyber scam artist, Tobechi Onwuhara, stole a confirmed $44 million in less than three years. However, the FBI believes the total may be anywhere from $80 million to $100 million. He preferred targeting HELOCs at credit unions as they were “soft targets.”
Fraudsters have easily initiated advances against members’ home equity line-of-credit (HELOC) loans to fund the wires by calling the credit unions and impersonating the members in requesting the advances. And don’t think this can’t happen to your credit union. Two years ago a Northwest credit union fell victim to the HELOC scam.
In some cases, fraudsters successfully had member accounts set up for audio response - again by calling the credit unions - which they used to take advances against the HELOCs. In other cases, fraudsters initiated advances against member HELOCs via credit union online banking systems by compromising member login credentials or by successfully having a member’s online banking password reset to the default password. It should be noted that not all losses involved advances against member HELOCs to fund the transfers.
The following are common characteristics of the scam:
- Virtually all of the wire transfer requests were received by telephone or fax. Signatures contained in faxed requests were good forgeries;
- Most of the credit unions performed callback verifications; however, they were ineffective in verifying the authenticity of the request. The phone number used for the callback in a few cases was the same number provided in the faxed request. In many cases, the fraudsters utilized social engineering tactics to have telephone companies forward calls made to member home phones to the fraudsters’ untraceable cell phones. Fraudsters were equally successful in having credit unions change member phone numbers on accounts; and
- Funds were wired to domestic and foreign banks. Fraudsters have a wealth of information at their fingertips and are able to answer even the strongest security questions posed by credit unions in their attempt to verify the identity of members. This suggests that the callback verification may be losing its effectiveness as a security procedure to confirm the authenticity of wire transfer requests received remotely from members. Fraudsters employ a number of data mining techniques to obtain personal information on members, including:
- Searching public databases for recorded mortgages, fraudsters search for HELOCs with high credit limits. Member signatures are easily lifted from recorded mortgages;
- Paying for background searches through skip-tracing sites to obtain personal information on members, such as Social Security numbers, birth dates, relatives’ names, prior addresses, and employment history;
- Using genealogy websites to build a member’s family tree to obtain mother’s maiden name; and
- Fraudulently obtaining credit reports, which they use to get details on member HELOCs.
Loss Control Policies
The changing environment for wire transfer fraud indicates a need for credit unions to change their loss control policies and procedures, especially for large dollar wire transfer requests. Asking security questions to verify a member’s identity over the phone is no longer reliable.
In the absence of a written wire transfer agreement, credit unions should require members to request large dollar wire transfers in-person at a branch office where identity is easy to verify. Credit unions should consider establishing a monetary threshold for this purpose. The threshold should reflect the credit union’s risk tolerance in accepting wire transfer requests by phone, fax and email.
Members requesting wire transfers that exceed the threshold would be required to make the request in-person at a branch office. For wire transfer requests below the threshold, credit unions can attempt to verify the authenticity of the request by performing a call-back to the member.
Credit unions can significantly reduce their exposure to loss from unauthorized wire transfers by implementing the following additional loss controls:
- Adopt a written wire transfer agreement with members for future requests;
- Do not rely on notarized signatures on faxed requests as notary seals and signatures are easily forged. Additionally, faxed images of government issued photo identification are not reliable as they are easily altered or may have been stolen from members;
- Encourage members to place a password on their account, which can be used to verify the authenticity of wire transfer requests;
- Do not allow advances against members’ HELOCs based on phone requests;
- Review the member’s account to determine if the wire transfer request is reasonable given the member’s history of requesting transfers. This is particularly important for large dollar requests;
- Credit unions electing to perform callback verifications should ensure their written policies and procedures address the following:
- Check the member’s account to determine if the phone number was changed within the last 30 days. If the member’s phone number was changed within the last 30 days, credit unions should not process the transfer unless the phone number change was verified through direct contact with the member (e.g., by calling the prior phone number);
- Audible clues to listen for when performing the callback indicating the member’s phone may have been hijacked by the fraudster. These clues include an unusually long delay for the call to connect and/or clicking sounds; and
- Audible clues that suggest the voice is not the member’s voice.
- Be wary of large dollar transfers to foreign banks, especially institutions located in Korea, China and Japan. Be particularly cautious of wire transfer requests to transfer funds to the Bank of Tokyo; and
- Credit unions should conduct frequent employee training on the loss control procedures utilized in processing wire transfer requests. All employees involved in the wire transfer process should be included in the training.
The state of wire transfer fraud poses a delicate balancing act for credit unions. Convenience ranks high on many credit unions’ priority lists in providing good member service. However, the convenience factor must be balanced with the legal obligation to protect member accounts from unauthorized access as well as the potential damage to a credit union’s reputation.
Questions? Contact Sales & Marketing Associate Craig Reed: 206.340.4789, firstname.lastname@example.org.