AI technology has “fundamentally changed” the fraud threat, warns sector body America’s Credit Unions (ACU), making it easier than ever to mount a cyber attack.
“What once required technical expertise and significant resources can now be executed at scale using readily available AI tools,” the apex warned in a blog, “putting credit union members at unprecedented risk.”
It says member engagement and training are essential to counter the growing threat, with Deloitte’s Center for Financial Services warning that generative AI could enable fraud losses to reach $40bn in the United States by 2027, up from $12.3bn in 2023. And Signicat’s Battle Against AI-Driven Identity Fraud 2024 report warns that fraud cases using AI deepfakes have risen over 2,000% in the last three years.
Much of this is driven by the use of deepfakes, with fraudsters using synthetic voices to bypass voice-based authentication systems and other security processes.
Attackers also use AI-generated videos to impersonate executives during video conference calls, or to make phone call mimicking the voice of a loan officer requesting immediate fund transfers.
ACU is advising members to implement multi-factor authentication that doesn’t rely solely on voice or video verification, to train staff to recognise red flags, and educate members about the risks.
New security measures are needed, the apex adds, such as behavioural biometrics that analyse typing patterns, mouse movements, and navigation habits rather than just verifying identity through appearance or voice.
Related: Co-op and mutuals movements adjust to life on the cybercrime frontline
Another threat is the rise of “ghost profiles”, where criminals invent entirely new identities by comparing real information, like a stolen social security number, with a fake name and address, to bypass verification processes.
“When these fraudulent accounts eventually default, credit unions absorb significant losses,“ says ACU. “Real members whose information was stolen as part of the synthetic identity may face credit bureau complications, damaged credit scores, and the long process of proving they weren’t responsible for the fraudulent activity.
“Unlike traditional identity theft, where the victim quickly notices unauthorised activity, synthetic identity fraud can go undetected for years.”
ACU advises credit unions to enhance their identity verification processes beyond basic credit bureau checks.
“Look for inconsistencies in application data, such as addresses that don’t match typical patterns or phone numbers that have recently been associated with the social security number. Monitor new accounts closely during the first 90 days for any behaviour that doesn’t align with the account’s stated purpose.”
Lenders can also use consortium data to flag identities appearing across multiple institutions simultaneously, and velocity checks to identify suspicious patterns, such as multiple applications from similar profiles within a short timeframe.
It’s not just credit unions being targeted, warns ACU: their members are also vulnerable, with deepfakes and personalised phishing being used to trick customers into sending money to fraudulent accounts.
“Urgent, convincing messages that appear to come from trusted sources such as your credit union, a family member in distress, or a government agency,” said ACU. “The member is pressured to act immediately, often being told their account is compromised or a loved one needs emergency funds.”
To tackle this, credit unions should add confirmation steps for unusual payment patterns, alongside member education campaigns to help them safeguard themselves against AI fraud
“Establish a verification callback protocol that members can use when they receive suspicious requests,” says ACU. “Consider delayed processing for high-risk transactions, giving members a window to cancel if they realise they’ve been scammed.”
Business email accounts remain highly vulnerable, warns ACU. “Many companies still rely on methods such as human callbacks or email confirmations to validate vendor bank account information, but these approaches are increasingly ineffective against AI-enhanced attacks that can spoof entire email threads and create convincing forgeries.”
Related: Desjardins launches cyber insurance product for small business
The apex advises credit unions to offer their business members specific guidance on vendor payment authentication protocols. “Encourage them to establish out-of-band verification for any payment change requests, using a known phone number rather than one provided in the email. Provide fraud detection tools specifically designed for business accounts that flag unusual payment patterns.”
Members of credit unions are also vulnerable to romance fraud or relative-in-need scams, where criminals use AI bots to build fake relationships before conning people out of their money. Staff would be warned to recognise warning signs, says ACU, such as unusual international transfers, making large withdrawals while seeming anxious, or progressive increases in transfers to the same recipient.
ACU’s warning on AI comes against a wider backdrop of cyberthreats. CU Today reports that in the US, “77% of credit union executives reported at least one unauthorised network or data access incident in the past year, while 46% said fraud is increasing and 37% reported rising cyberattacks.
“Cyber risk is no longer an IT issue, but a board-level growth and trust issue,” it warns. “Cybersecurity is now the top concern across all credit union asset tiers, surpassing fintech competition and operational pressures.”
And while the sector is boosting its defences, the risk is also growing.
“As more member activity moves online, security becomes inseparable from member experience, reputation, and retention,” says CU Today.
