How credit unions can fight back against account takeover fraud and scams

A version of this article was originally published in CUSO Magazine and is republished here with permission.

It’s all over the headlines: financial fraud is higher and costlier than ever before. Credit unions, in particular, have been hit hard by the meteoric rise in financial fraud. According to Alloy’s 2025 State of Fraud Report, credit unions and community banks experienced higher rates of fraud losses exceeding $5 million than any other segment. 

While digital channels are crucial for delivering high-quality member experiences, their growing prevalence in financial services has provided fraudsters with new opportunities to infiltrate and target credit unions and their members.

Account takeovers are hitting credit unions hard

One of the most insidious forms of fraud to emerge in the era of digital financial services is account takeover fraud, which is when a fraudster gains unauthorized access to a member’s account.

Account takeover fraud may occur when a member is scammed into revealing personal information, ultimately opening the door for fraudsters to access and take control of their account. Account takeover can also occur on other channels, such as if a fraudster impersonates a member at a branch, making it difficult to detect and address.

Once a fraudster has obtained a legitimate member’s credentials, they may alter the member’s personally identifiable information (PII), such as their address, or even additional data, such as the email address or phone number associated with the account.

This action better disguises the fraudster’s activity and prevents the member from receiving notifications. The fraudster can then impersonate the legitimate member to complete transactions, add themselves as an authorized user on the account, or even request a new card, so they have one in their physical possession.

Account takeover fraud has likely driven many of this year’s financial losses for credit unions. According to TransUnion’s 2025 State of Omnichannel Fraud Report, account takeover fraud has increased by 129% since 2020. Javelin’s 2024 Identity Fraud Study also found that account takeover fraud resulted in nearly $13 billion in customer losses in 2023 (up from $11 billion in 2022).

While any type of fraud can erode members’ confidence in their credit union’s security, account takeover fraud has a particularly severe effect on brand reputation because it involves bad actors directly controlling customers’ personal accounts. As a result, it often winds up being a highly emotional and violating experience for members that can cause them to lose trust in their financial institution.

What can credit unions do?

To prevent account takeover fraud, credit unions must develop a deeper understanding of their members before any funds are transferred from their accounts. This requires a shift in strategy, from tracking fraudulent activity through transaction monitoring to focusing on identity, which enables a more proactive and holistic risk assessment using fraud indicators that emerge much earlier.

In other words, credit unions will have a better chance of preventing fraud before it happens. To achieve this, credit unions should layer identity-focused fraud prevention measures on top of their real-time transaction monitoring capabilities.

More specifically, credit unions can start by incorporating tools that monitor device and behavioral changes. They should also ensure that they are monitoring suspicious events, such as changes in a member’s PII. If a change in a member’s PII occurs, credit unions can then trigger a step-up verification method, such as document verification, to thwart the account takeover.

Monitoring members at onboarding will give credit unions a more accurate depiction of how their members’ risk profiles evolve over time. With this information, credit unions can then identify any anomalies that emerge. Then they can interdict, alerting the member about the risky behavior soon after it occurs. Ultimately, members will have a higher level of confidence in their credit union, and the institution will be more secure.

As a first line of defense, credit unions should also ensure their members’ are armed with adequate fraud prevention knowledge. They can do this by encouraging the use of unique and non-repeating passphrases, requiring multi-factor authentication to sign into accounts when available, providing ongoing education about phishing attacks and social engineering scams, and sending reminders about the types of information their customer service agents require, as well as what they will never ask.

Have a plan in place

Account takeover fraud is a serious concern, but if credit unions can adopt an identity-centric, layered approach, they will be well-positioned to prevent it. Ultimately, this will result in a better experience for their members, cementing the brand loyalty that sets credit unions apart from other financial institutions.