This week we have been helping one of our client credit unions deal with an insidious fraud scheme. Members of this credit union are getting what appears to be a normal text message notifying them about a potentially fraudulent charge on their debit cards. It says:
XXX CU: Please verify charges for your debit card: Date XX-XX-2020 Amt: $XX.XX Where: Walgreens. Did you authorize this? Reply Y or N. To stop receiving debit card fraud alerts, reply STOP.
This is just like what you might expect from a debit card fraud alert.
Since this was a fake charge, anyone who replied would reply with a No. As soon as they replied, they got a phone call that showed the CU's phone number as the Caller ID, offering to help resolve the issue for them. The bad actor in this situation had actually set up a call center and was spoofing the ANI of the credit union so that the call appeared to be coming from their institution.
The call center would then go about asking some questions to "verify" the member: name, debit card number, zip code, CVV from the card, etc. They would explain that the charge was declined, so the member would not see it on their statement. They would disable the card for them and send out a new card to replace this one. The member did not need to worry about any fraud that might happen on this card going forward; the caller nicely assured them that they would not be responsible and that the CU would take care of them. This is just like what you might expect from a Member Support Representative (MSR) at their CU.
The bad actors would then proceed to start using or selling the debit card. The member would wait for the new card, which would never show up. A couple of days later they would start noticing all of these charges and finally call the CU to ask what is going on, because these charges are all showing up in their account now. This is the point where the CU started finding out about what was happening, and it quickly escalated from one member to many members.
As a credit union, how do we defend against this? The CU is still in the midst of trying to figure out the answer to that question. They want to tighten up the controls that detect fraudulent use of the debit card, but the bad actors already know what those controls look like, and they keep their transactions within those limits to maximize their profits. The CU's first step is to send out a marketing message that hopes to educate members that this particular CU does not send out such text alerts. They send out other text alerts, but not fraud alerts. Many CUs do send out fraud alerts, however, which makes distinguishing fraudulent alerts very difficult.
While we work to determine the best responses, this case highlights a few other issues that we all need to be aware of. First, it is very important to protect the PII that each CU holds. In this case, the only bits of information that needed to leak were member phone numbers. With home phones going away, we can assume that the majority of those numbers are cellphones able to receive a text message. Other information could have been cobbled together through different social engineering tactics, but it was not even needed in this case. It highlights that a simple marketing spreadsheet pulled from the core system, containing only names and phone numbers, can be used to perpetrate fraud. In this particular case it was obvious that someone had a list that tied these names and numbers to this particular CU. The members were being specifically targeted rather than just spammed with messages carrying the big banks' names.
The second issue that comes to mind in this situation is figuring out how a CU member can actually verify that the call or text they receive is from the credit union. Our MSRs go through many steps to verify that the person they are talking to is the actual member, but somehow the member needs to be able to do the same back to the MSR. Some form of multi-factor authentication that works in both directions needs to be put in place. Maybe the credit union's app should have a screen the member can check that provides a passcode/PIN/photo that the MSR must also identify. There will still be plenty of times that the member will not think to verify the MSR and will give away their information, but this might help reduce the number of successful fraud attempts.
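One way the "passcode the MSR must also identify" idea could work, as an added illustration that is not part of the original post and not any credit union's actual code: the member's app and the CU's MSR console both derive the same short code from a per-member secret and the current time window, the MSR reads that code to the member, and the member checks it against the app screen. A call center that is only spoofing the CU's caller ID has no secret and can only guess. The per-member secret provisioned at enrollment, the 60-second window, the 6-digit length and the in-memory secret store are all assumptions made for this example.

```python
"""Mutual verification code for a credit union phone call (added example,
not a CU's own implementation).  The MSR reads the code TO the member,
never the other way round, so nothing the member says can be phished."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 60   # assumption: a code is valid for one 60-second window
CODE_DIGITS = 6     # assumption: 6-digit code, like a typical OTP


def current_window(now: Optional[float] = None, step: int = STEP_SECONDS) -> int:
    """Time window counter shared by the app and the MSR console."""
    return int(time.time() if now is None else now) // step


def derive_verification_code(secret: bytes, member_id: str, window: int,
                             digits: int = CODE_DIGITS) -> str:
    """HMAC-SHA256 over (member_id, window), truncated to a short decimal code.
    Binding the member_id keeps one member's code from matching another's."""
    msg = member_id.encode("utf-8") + struct.pack(">Q", window)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation, HOTP style
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class VerificationService:
    """CU-side store of per-member secrets.  Constructed in-memory store for
    the example; a real deployment would keep these encrypted or in an HSM."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def enroll(self, member_id: str) -> bytes:
        """Create a member secret; the value is provisioned into the app once."""
        secret = secrets.token_bytes(32)
        self._secrets[member_id] = secret
        return secret

    def code_for_msr(self, member_id: str, window: Optional[int] = None) -> str:
        """What the MSR console shows the representative before an outbound call."""
        w = current_window() if window is None else window
        return derive_verification_code(self._secrets[member_id], member_id, w)


def app_code(secret: bytes, member_id: str, window: Optional[int] = None) -> str:
    """What the member's app shows on its 'verify this call' screen."""
    w = current_window() if window is None else window
    return derive_verification_code(secret, member_id, w)


def member_accepts_call(app_shown: str, msr_spoken: str) -> bool:
    """The member compares the code the caller read out with the app screen."""
    return hmac.compare_digest(app_shown, msr_spoken)


def spoofed_caller_guess(digits: int = CODE_DIGITS) -> str:
    """A spoofing call center holds no secret, so the best it can do is guess."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


if __name__ == "__main__":
    svc = VerificationService()
    member = "member-0001"                         # constructed sample member id
    member_secret = svc.enroll(member)
    shown = app_code(member_secret, member)
    spoken = svc.code_for_msr(member)
    print("genuine MSR call accepted:", member_accepts_call(shown, spoken))
    print("spoofed call accepted:   ", member_accepts_call(shown, spoofed_caller_guess()))
```

The direction matters: the genuine MSR proves possession of the CU-side secret by reading the code out, and the member only ever compares, so the scheme adds nothing a fraudulent caller could harvest. The window should be wide enough to cover the time between the console showing the code and the member opening the app, and narrow enough that an overheard code is useless shortly afterwards.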