Over the course of the last few years, the AuditLink team has been involved in a number of investigations related to both member and employee fraud and theft. In almost every circumstance, it was not just one activity that led to the loss associated with the fraud situation. Take, for instance, the situation where an employee began siphoning money from a dormant account. The activity of withdrawing money from the account in itself did not necessarily mean that the employee was stealing. A much better to way to see whether or not the employee was conducting fraudulent activity was observing the sequence of events as they generally follow the same pattern in cases of fraud. In this case, the employee withdrew funds from the account and then waited a number of weeks. After feeling confident that the withdrawal had gone undetected, the employee began to siphon off more and more funds, as is often the case, and in many cases, in larger transaction amounts. In this case, the sequence of events followed a distinct pattern and one that could be monitored by reviewing activity on the account after the initial withdrawal was made. Keep in mind that with cases like these, monitoring the account must be done proactively and with the knowledge of what type of data would necessitate a deeper review.
Another example of monitoring for patterns relates to compromised plastics. In many cases, the neural network and VISA/MC fraud detection systems catch these occurrences, but oftentimes only as isolated events; these systems often miss the larger picture of associated events. In this case, the first transaction of the compromised card took place online at the Staples website and was in the amount of $1.95. After the transaction posted, the perpetrator knew the card was live and ready to use. A series of transactions then suddenly hit the account. They were for a series of $50 gift cards at a big box store.
Fraudulent check schemes are also a popular way for identity thieves to steal money. In this type of scheme, the criminal understands that for the first thirty days after account opening checks are put on hold as a matter of practice. The fraudster will therefore deposit a $300 check to open an account and leave it for a period of 45 to 60 days before performing any significant transactions on the account. On day 45, the fraudster will begin cashing fraudulent checks in amounts less than the funds on deposit and will hit multiple locations over a series of two days (prior to these checks begin returned). CU*BASE already stores the last three months of activity from every origin on every member, and detecting suspicious activity such as this is just one of the many fraudulent schemes for which we are currently developing monitoring software.
The CU*Answers AuditLink team is embarking on a new initiative to better understand fraudulent patterns and develop software tools to uncover these patterns in a proactive manner and in real time. Some of the first types of fraud for which we are developing software include the ones described above, but additional types of fraud such as account takeovers and wire transfer fraud are also being discussed with potential CU*BASE software solutions. This summer, the AuditLink team will be inviting loss mitigation specialists from both inside and outside the network to focus groups in an effort to identify as many of these fraudulent patterns as possible. The goal of these groups will be to investigate current fraudulent activity for the purpose of systematically designing as many CU*BASE tools as possible to identify and prevent this type of activity.