Education is the first line of defense in protecting your credit union and its members from fraud.

In medieval times, many strategies were used to help protect the castle: High walls, moats and drawbridges come immediately to mind. Knights who knew what to do didn't hurt, either.

Similarly, safeguarding member and credit union information these days requires a variety of tangible protections. And having well trained staff helps, too.

"There are many things credit unions can and should do to prevent fraud," says Stacey Foster, VP/risk management at $1.3 billionORNL Federal Credit Union (www.ornlfcu.com), Oak Ridge, Tenn. "We follow best practices, require online encryption, guard non -public information, work with outside vendors, provide 24-hour monitoring, encourage members to check credit reports and work with law enforcement."

However, Foster says, the most important element in preventing fraud is a front line aware of fraudulent tactics. The CU uses CUES/ BVS Dynamic Learning (cues.org/bvs) for its employee anti-fraud training.

"The education of our front line as it relates to preventing fraud is something we take very seriously," says Foster. Social engineering, in which seemingly innocent friendships are formed with the goal of obtaining valuable information, is one tactic employees at ORNL FCU are trained to recognize.

"No matter how high the protection walls have become through firewalls and encryption, thieves are creative in fostering personal relationships to lure the unsuspecting," Foster says.

"Members may be tricked by scammers into providing all or most of their personal information needed to transact business through phishing or other means.

"Before the members realize they've been duped, the thieves may make multiple unsuccessful attempts to access account information," Foster says. "Each time they build their story through information gleaned from various conversations. For example, they may learn an employee name that they later reference. It all makes the story sound more legitimate."

When all these different pieces of information are combined, Foster says it might be enough to perform an unauthorized transaction. Because of their anti-social-engineering training, ORNL FCU employees remain vigilant in identifying unusual conversations and immediately report these interactions to the fraud department. The member's account is then flagged to determine if a problem does exist.

"The most basic fraud is also still a problem," Foster says. "The mystery shopping, overpayments and work-athome scams are old fraud tactics, but they continue because each is new to victims. People want to believe in these scams. Whatever the scam, counterfeit checks or postal money orders are usually involved."

When a counterfeit check is discovered, the credit union forwards it to the Secret Service, and the member is made aware of the fraudulent activity. The member's account is also then flagged to monitor future account activity, says Foster.

Additionally, ORNL FCU no longer accepts postal money orders. Instead, says Foster, members are referred to the local post office to cash postal money orders, simply because "they are the most frequently counterfeited items. The post office can quickly identify if they are real or not."

Foster also holds educational seminars for members that focus on identity theft, encryption, secure websites, virus scans, password strengths, and reading statements and credit bureau reports. One of her seminars is the annual "Fraud Comes Home for the Holidays," held around Thanksgiving.

"With family, friends, contractors and neighbors in your home around the holidays, anyone in your home could access any information left out in the open," says Foster, whose seminar focuses on making sure account information, debit cards, purses and financial statements are not laying around for others to see.

"Most real frauds are committed by friends, family and caregivers. These are the people closest to you."

This year, ORNL FCU also purchased a cyber and security incident coverage policy that covers security breaches outside the credit union's control through CUNA Mutual Group (www.cunamutual.com), a CUES Supplier member based in Madison, Wis.

"Recognizing that larger financial institutions were experiencing data breaches through stolen laptops, misplaced backup tapes and network hacking (which standard insurance policies might not address), we felt our members deserved both an extra layer of protection and the assurance that our risk management methods adapt to today's environment to safeguard their personal information," explains Foster.

She further explains that cyber and incident security policies are now available for compromised member personal information, such as through a hacker breaking into the data system or the theft of paper files; programming errors resulting in accidental disclosure, and system impairments, such as denial of service attacks.

The coverage can also include public relations expenses to address negative publicity, costs of affected member notification, member credit monitoring costs and even the expense of hiring computer security consultants and other technical specialists.

Schooling for Knights

In the fall of 2008, Clint Turpén, marketing specialist at REGIONAL Federal Credit Union in Hammond, Ind., noticed on a colleague's desk a stack of counterfeit checks from a secret shopper scam. Someone had used REGIONAL FCUs logo and routing number to send bad checks to members and encouraged them to cash them, explains Turpén. (Read more about secret or "mystery" shopper scans at http:// tinyurl.com/secretshopperscam.)

"I looked at the quarter million dollars' worth of checks sitting at my desk," Turpén says. "I thought, 'If people were more educated on fraud and identify theft, maybe this would not happen so much.'"

Turpén presented this idea to the marketing department, the director of business development and then the CEO. The result was a blog-style website (http:// fraudprevention unit.org), connected with REGIONAL FCUs website (www. regionalfcu .org).

"REGIONAL felt strongly that we should provide as much information as possible to our membership to help reduce the possibility they could become a victim of fraud," says Jill Banning, president/CEO of the $121 million institution. "One of the benefits of the site has been that our representatives, simply by talking to members and knowing the warning signs, have become skilled at spotting members who may be at risk of falling for a scam."

The website started in July 2009, and Turpén continues to maintain it as part of his marketing responsibilities. He has also become a Certified Identity Theft Risk Management Specialist through The Institute of Fraud Risk Management (www.tifrm.net).

To maintain the site, Turpén monitors Google Alerts and RSS feeds for articles and updates on identity theft and fraudulent activities. He posts when something specific is trending online and updates the site regularly with new information on scams and data breaches. The website is promoted internally as well as through lobby handouts.

"Credit unions that want to implement a similar program would do well to have a dedicated person on their team whose duties involve staying informed and putting out new information regularly because the world of fraud and identity theft is constantly changing," says Banning.

Sue Vandermeuse, VP/internal audit and risk management at $251 million Köhler Credit Union in Köhler, Wis., knows that "in today's economy, everyone is looking for fast money and drawn into fraudulent schemes. Our staff knows to question things such as the Canadian Lottery and secret shopper checks," shares the CUES member.

Signs are posted in the credit union lobby, stating, "If it seems too good to be true ..." about potentially fraudulent checks. Members are also educated through security alerts, a printed brochure on safe Internet practices and Köhler CU s website "Security Center" (www.kohlercu.com). The brochure and website include information on how members can protect their information online, their computers and their phones, how to identify online fraud and how the credit union protects its members.

"In addition, if fraud seems to be focused primarily toward electronic banking, alerts (from CUNA Mutual) are imbedded into our system. When a member signs into electronic banking, there is a 'tab ad' where we post advertisements and switch it out when a security alert is activated. This is part of the home page after log in, so members do not have to click on anything else to view the alert. Also there is a link to our security center on the home page of the electronic banking.

"If something is really critical, we may send an email blast out to the members who have their email listed with us," further explains Vandermeuse.

Köhler CU sometimes highlights fraud prevention techniques and online safety in its quarterly newsletters; however, as Vandermeuse suggests, "often times the information can be outdated before publication."

A "security alerts" section is also on Köhler CUs employee intranet. Whenever anything is posted to that page, such as a scam alert or fraud advisory, an email alert is sent to employees, says Vandermeuse.

"Employees are held accountable to look at these items and ask questions if they have any. We also discuss fraud trends and news stories related to fraud at our branch meetings," she says, noting that the credit union is implementing CUES/BVS Dynamic Learning and TRC Interactive (www.trctnteractive.com) for its fraud training.

Lines of Defense

Mark Cowley, VP/security and fraud at $876 millionAPG Federal Credit Union (www.apgfcu.com) with 94,700 members in Aberdeen, Md., oversees the "Personal Security" tab on APG FCU's website. This tab links to the CU's "Personal Security Center" page that includes links for information on fraud alerts, identity theft, email scams and how the CU protects its members.

One of the tactics APG FCU uses to prevent fraud started two years ago when the credit union no longer required members to put their checking account numbers on the back of deposited or cashed checks. Instead, each accountholder has a photo taken when an account is opened, explains Cowley. When the account holder is completing a transaction, the teller verifies the persons identity through matching him or her with the photo ID on the account. The teller then initials the back of the check and writes the last four digits of the member s driver s license number on the check to indicate the identity was verified.

"This came as a result of a few members telling us they were not comfortable putting their account numbers on the back of checks. Now we match the person, a picture and the account," explains Cowley. If a transaction occurs at an ATM, a picture is also available of the person. ATM security footage is reviewed when a member notifies the credit union of a fraudulent or potentially fraudulent ATM-related deposit or withdrawal.

Cowley's department also maintains a "Security Link" intranet page to provide information and procedures on fraudulent and counterfeit activities for its employees. Besides the internal site, monthly branch meetings, email blasts and daily interaction aid employees in fraud prevention.

"Our tellers and member service representatives are our first line of defense. They are educated to look for certain things if they suspect that someone is attempting to open a fraudulent account. Things that don't look right, like expired IDs," says Cowley, a CUES member.

Additionally, the credit union has a risk alert committee that meets at least once a month to discuss fraud issues, more often if needed. The committee is composed of employees from IT, lending and auditing.

Cowley also provides educational resources for members. One of his frequent tips involves members who have trouble remembering their PINs. Instead of writing the PIN on paper to store with the card, he suggests listing the PIN as part of a phone number under a fake contact in a member's phone. Cowley also suggests that credit unions help each other when fraud is detected.

"We are all in the same business. IfI see fraudulent activity, I will call other credit unions in the area and say, 'This is what I'm seeing. Are you seeing it too? Are you still having issues? This is what we did to stop it.' Credit unions are like family. We need to protect another credit union, share information and walk them through what worked," says Cowley.

"No matter how high the protection walls have become through firewalls and encryption, thieves are creative in fostering personal relationships to lure the unsuspecting."

Stacey Foster

Resource

See the free video, "Don't Get Socially Engineered," at cumanagement.org/ 1009dontgetsociallyengineered.

Also read "On Compliance: New Online Security Guidance," which discusses FFIECs focus on educating members, at aimanagement.org/0223Uoncompliance, and "Insurance Matters: Cyber Liability Coverage" at cumanagement.org/ 111611insurancematters.

Learn more about CUES/BVS Dynamic Learning at cuesbvs.org.

Jessica Whitmore isa freelance writer based in Pennsylvania. She blogs at http://jessicawhit more.com/blog/.