Ask the Expert: Eric Kraus on Key Fraud Drivers Across the Industry

By Randy Salser, President, NAFCU Services

It seems as if new forms of fraud are always creeping up before we’ve even begun to contain the old ones. 2020 brought a whole new set of challenges for credit unions, and at the top of that list for many was accelerating digitization and contactless options while combatting the increase in related fraud attempts. To better understand this struggle and find out what tools credit unions can leverage in 2021 to stay ahead of new forms of fraud, I spoke to Eric Kraus, General Manager of Fraud at FIS. We talked about why more data means less fraud and friction for your members, the most prevalent forms of fraud to prepare for, and key fraud prevention strategies to keep that precious data secure.

Here’s what he had to share:

Randy: The last couple years have been turbulent, to say the least. So what’s the most prevalent form of fraud that’s been kind of rocking the boat lately?

Eric: Very clearly, whether you think about cards and payments, I would say there’s been a material rise in card-not-present fraudulent activity. We had already seen this trend kind of coming into the year, even if you want to think pre-pandemic. The point-of-sale channel or the card-present channel had been locked down pretty well with the EMV in chip cards. We’ve seen high levels of adoption now both on the merchant side as well as in the issuing community. So, you know, we’ve done a really good job in what I would say was the bigger problem in history, which was the counterfeits and a lot of the point of sales…And then digital apps, the payment apps are popular. Sometimes people don’t always think of those. But you’re typically loading in card information as the funding source within some of these apps, so we see those as a card-not-present transaction as well. And when I talk about payment app, we’re talking about Zelle and Venmo and Cash App and those types of applications that have become very, very popular, certainly through the pandemic.

Randy: What are some of the earliest, or maybe easiest to recognize, red flags that can alert a credit union of some of these types of fraudulent transactions?

Eric: I mean, this is really where a robust data strategy pays dividends for you at the credit union. Consumer behaviors have changed quite a bit, and do you have a full understanding of even what the new normal looks like? It’s important to understand a baseline before you can really understand if something out of the ordinary is happening. And when we talk about data strategy, it’s aggregating views into all of your channels—call center, online, in person—some things that can tip you off pretty quickly, are you seeing a rise in the type of requests that you don’t usually see? PIN changes, requests to tokenize my account so I can load it into an app. I mean, making something up: if you typically see 10, 20 of these types of requests a day and your call center’s getting lit up for 100 all of a sudden, maybe there’s something there that you want to take a closer look at. Web traffic logs, I think that’s another important one. Do you have the right type of monitoring in place to ensure that you’re just not seeing rapid guessing of passwords and user credentials, only allowing so many attempts from a certain IP or the same email address? So I think the more of this that you can have a full insight into or full visibility into from a data perspective, it’s going to make you stronger because you’re going to be able to identify those anomalies much, much quicker.

Randy: What are some of the unique data elements that can be leveraged to effectively determine if a transaction is valid or fraudulent?

Eric: This is an area in which the industry is really coming a long way, and you hear over the years a lot of challenges between, hey, what can I see as the issuer and what does the merchant see that I’m not seeing? And it’s maybe not been as an effective data share as it really could have been for the good of the overall industry. So as we’ve seen more of a pivot to enrich datasets, you’re starting to see opportunities to leverage device-identification numbers, IP addresses, in your strategies. The requester URL. A browser’s time-zone application identification number. There’s so much more enriched data that’s coming through, and what this allows is really for issuers to become smarter with some of the information that merchants see and vice versa…And this can be effectively used for fraud modeling. This can be used for streamlining commerce without increasing risk, which is really the most important. So smarter, more-connected decisions are possible, and more ways to reduce that friction that your member might experience is really the power of these enhanced and enriched datasets.

Randy: People are using a variety of digital devices, and far more than ever before. Most are connected to at least two or three different digital points of contact. How can credit unions maintain the same level of fraud prevention across all of those?

Eric: I think, again, we talk about data. I think there’s opportunity there when it comes to aggregating data to pick up on signals and anomalies across different payment channels. We’ve kind of talked about that, bringing it all together. But one of the things that I think the industry really needs to get more serious about is trying to get members and consumers to stop using static passwords. There are so many more effective ways now to authenticate through multifactor authentication. I mean, we just talked about OTP, one-time passwords or passcodes, being one of the opportunities there. Biometrics for mobile apps.

It’s still amazing, quite frankly, about how many people don’t lock their devices. I think somewhere around 43, 45 percent [of] Americans don’t lock their devices. And it seems pretty basic as a default. But again, multifactor authentication is critically important when it comes to your Web interfaces, and biometrics, leveraging the capabilities there, whether it’s facial recognition, even thumbprints…So just be aware, be alert, be skeptical.

To hear our full conversation, go to