PHILADELPHIA – Sb1 FCU is still trying to find out how identity thieves were able to tap into a member’s home equity line of credit, steal his private information – including passwords – and convince the credit union to wire $220,000 from the HELOC to an unrelated account in Hong Kong.
The unidentified member was among dozens of credit union members in the Mid-Atlantic region who had their HELOCs manipulated for the transfer of millions of dollars, much of it to overseas accounts. Some 20 suspects have been charged so far in the HELOC scam, which hit U.S. Senate FCU, Navy FCU, Pentagon FCU, State Department FCU, Affinity FCU, Financial Resources FCU, First Financial FCU, as well as JP Morgan Chase, Wachovia, Washington Mutual, Bank of America. Other Mid-Atlantic credit unions targeted were: BMS FCU, FDU FCU, L'Oreal USA FCU, New Jersey Gateway FCU, North Jersey FCU, Novartis FCU, Picatinny FCU and Self Reliance FCU. It is unclear whether the criminals in the different cases were part of the same scheme.
While credit unions typically verify the authenticity of a wire request by contacting the member at a telephone number on file, the suspects used one of two techniques to reroute the verification call. Either they would persuade credit union officials to change the account holder's number on file to one they set up; or they would contact the local phone company to report a fake technical problem and have the calls forwarded to one of their own phones.
Some of the details of how the scam worked have emerged in a new suit filed by Sb1, the credit union for pharmaceutical giant SmithKline Corp., against CUMIS Insurance Society, which has denied its $220,000 claim in the fraud. CUMIS, a unit of CUNA Mutual Group, said the credit union’s claim is not covered under the Funds Transfer, Electronic Crime, Forgery or Alteration, and Unauthorized Signatures provision of its bond, which excludes losses occurring through “fraudulent e-mail, faxes or telecommunications,” according to the suit, filed in U.S. District Court for the Eastern District of Pennsylvania.
According to the suit, the member had been with the credit union for 10 years when he opened a home equity line of credit in February 2008. In a sophisticated fraud, earlier this year an unknown third party obtained access to the member’s account information, e-mail address and even the password for his credit union account, then was able to present a phony signature to the credit union for use with the HELOC account.
On Jan. 13, someone had called the credit union call center identifying himself as the member and was able to answer several security questions, according to the suit. The caller convinced the call center rep to change the phone number for verification on the member’s records. The following day someone purporting to be the member called again and asked that the funds be transferred from the available credit on his HELOC to his checking account, then to the Hong Kong account.
The “Wire Transfer Request and Fee Agreement” provided the member’s correct member ID number, the proper account number, an e-mail address indicative of the spouse’s account, and evidence of a matching signature from various specimens held by Sb1 FCU. The request also had a copy of the member’s passport with a signature matching the wire transfer request.
The credit union called the new number affixed to the HELOC for verbal verification twice and received confirmation both times, according to the suit. Then the funds were transferred.
A week later, on Jan. 21, the member realized that his account had been illegally accessed. The member filed complaints with the Philadelphia Police Department and Hong Kong’s Joint Financial Intelligence Unit.
In denying the claim, CUMIS says the credit union did not perform a proper callback verification and that there was “no commercially reasonable security procedures set forth in a written funds transfer agreement signed by the member...that govern(ed) the transaction or instruction.” The credit union claims that CUMIS agents had visited the credit union numerous times and had approved its security policies and procedures.
An attorney representing the credit union in the case declined to comment.
