An old scam targeting financing institutions is gaining new traction as data breaches become increasingly common and more information is freely available via social media. Banks are reporting increased occurrences of fraud targeting home equity lines of credit (HELOCs). Using a spoofed caller ID, a hacked email account or a faxed request, the fraudster requests a draw from a HELOC and the funds sent via wire transfer, often to international destinations. The signature on the fax is a perfect match to the borrower’s and the email or phone call appears to originate from the information the bank has on file. Callback procedures are defeated because the fraudsters hacked home phone lines so that the borrower’s phone is forwarded to a disposable cell phone. During the confirmation process, fraudsters are often equipped with the customer’s social security number, all names on the account, phone numbers, and account numbers.
How does this scam work? A HELOC is a mortgage, which is a public record. By using public record search websites, a fraudster can identify a HELOC and obtain a copy of the mortgage, which includes the borrower’s signature. The fraudsters especially target older customers who likely have the HELOC as a safety net and will not carry a balance – leaving plenty of availability funds for fraud. Using an ancestry search website of some kind can lead the fraudster to a mother’s maiden name, place of birth or various other information used to answer security questions. Also, many of the quizzes on social media are designed to collect information commonly used for multi‐factor authentication.
Implementing proper security procedures is essential to protecting customers’ identity and accounts. When evaluating the effectiveness of current controls, consider:
- How reliant are validation procedures on publicly available information?
- If callback procedures are used, is the identification based on the number called or the familiarity of the customer’s voice?
- Does staff have the authority to bypass security procedures?
- Is “convenience” a bigger priority than security?
The Fair Credit Reporting Act (FCRA) includes the Fair and Accurate Credit Transactions Act (FACT Act), which describes the requirements for an identity theft program. Appendix J of Regulation V lists 26 identity theft red flags institutions should consider when evaluating processes. Reg flag #4 is a “material change in the use of credit.” Those responsible for processing wire requests should take additional due diligence steps to validate the legitimacy of a request, particularly when a significant wire transfer request is initiated by a customer who has never used a HELOC in that manner.
Over and above the bank’s procedures for callbacks regarding faxed, emailed or phoned‐in wire transfers, and even beyond simple identification procedures, knowing the customer is essential. Institutions should identify activity that is outside of normal and expected usage patterns. Does the customer typically take cash withdrawals? Are wire transfers normal activity? How long has the HELOC had a zero dollar or low balance? Are draws typical? Has the loan officer responsible for the relationship been contacted regarding the draw activity requested on a HELOC?
Additional security controls may also be necessary. For additional identity verification, special codes can be implemented at the time of the account opening. Using numbers, words, or passphrases can be an effective way to provide additional security by uniquely identifying the customer with information that is not generally available or public knowledge. The key to effective verification codes is to make them unique and obscure but easy to remember.
Additional security measures, procedures, policies and even processes are completely ineffective without training. Staff should be trained to follow procedures and properly execute the security controls, but also be trained on the importance of getting it right. Provide examples of recent fraud trends, re‐enforcing alert notice actions, and effectively monitor and review controls to keep up with the ever‐changing fraud environment.
Whether your needs include a process review or training, TCA’s Technology Risk Management team can help!
