- Key insight: The credit union says it caught a post-Hurricane Milton account-takeover spike on its fraud vendor's dashboards before members noticed anything was wrong.
- Supporting data: Suncoast says it monitored 269 million digital logins in 2024, with only 11,990 escalating to fraud investigations and 98% of logins automatically approved.
- Forward look: Suncoast says more payment use cases are in development alongside a coming mobile-app launch, but declined to detail them.
Overview bullets generated by AI with editorial review.
When Hurricane Milton made landfall on Florida's Gulf Coast in October 2024, the power went out, the internet went down and more than a million members of one of the country's largest credit unions stopped watching their accounts.
Fraudsters bet on this lapse in focus. Suncoast Credit Union says it saw a spike in account-takeover attempts as the storm hit. The credit union caught the pattern on dashboards run by its fraud-decisioning vendor before members noticed anything was wrong.
That episode is one piece of a three-year story of Suncoast moving away from checking a member's identity once at account opening and toward checking continuously for the life of the account. During that journey, it has moved onto the platform sold by Alloy, an identity-and-fraud-decisioning company founded in 2015.
The credit union says net fraud losses fell more than 35% from 2023 to 2024 after it deployed Alloy's technology at onboarding and expanded into login monitoring. (The credit union has not disclosed the dollar baseline for that decrease, and public financial reports credit unions file with regulators do not typically break out fraud losses.)
Rising fraud and the spread of instant payments are pushing financial institutions off periodic, point-in-time review and toward always-on monitoring, according to Jim Mortensen, a strategic advisor in the fraud and anti-money-laundering practice at the research firm Datos Insights.
As a result of simultaneous movements toward real-time payments and increasing fraud risks, there has been "a genuine directional shift" toward continuous monitoring, Mortensen said. But, "adoption is still uneven."
From onboarding checks to constant vigilance
Suncoast, which today holds $20.7 billion in assets and serves more than 1.3 million members, started its fraud prevention shift three years ago. It began with onboarding.
The credit union had been routing digital applicants into branches to finish opening accounts because it could not verify remotely that people were who they said they were, according to Diana Nixon, Suncoast's vice president of digital strategy.
Once onboarding worked, the credit union extended the same decisioning to digital logins and later to mobile and in-branch channels.
That produced scale, in Suncoast and Alloy's telling. Suncoast monitored 269 million digital logins in 2024, and only 11,990 of them turned into fraud investigations, according to a
The system automatically approves 98% of logins into online and mobile banking, according to Nicole Allen, Suncoast's vice president of fraud management. Allen said the approach is meant to keep false positives low while still flagging genuine risk.
"Alloy helps us say 'yes' to growth without compromising our member-first culture," Eva Coffee, Suncoast's manager of digital strategy, said in the Monday press release. "It gives us a centralized place to manage identity and fraud decisions across onboarding and the entire member lifecycle."
Aggressive growth carries its own fraud risk, said Suzanne Sando, lead analyst for fraud management at the research firm Javelin Strategy & Research. In
A "growth at all costs" mindset pushes onboarding teams toward instant approvals and sign-up bonuses that strip friction out of account opening, Sando said. That same reduced friction helps fraudsters run large-scale bot attacks to open many accounts at once.
The direction of change is genuine, not just vendor framing, Mortensen said. Datos Insights identified continuous authentication and so-called trust-graph approaches, which update as new information arrives, as a trend for 2026, he said.
But the compliance side of that shift moves more slowly, he said. Continuous fraud monitoring pays for itself in measurable loss reduction; the identity checks that exist mainly to satisfy regulators do not show the same clear dollar return.
Absent a regulatory mandate, the internal case for the compliance piece is harder to make, Mortensen said. Most North American institutions are still only planning it, and 73% report pushback from business teams worried about adding friction after a customer signs up.
Inside the fraud-loss numbers
The 35% decrease is a year-over-year decline in net fraud losses from 2023 to 2024, excluding recoveries, which Allen said the credit union tracks separately rather than netting in. It is not a measure of attempted-fraud volume or of charge-offs.
Suncoast says its fraud losses had been rising nearly 30% year-over-year before it deployed Alloy, a trend Allen said uses the same loss definition.
The credit union did not share the dollar amounts under either number or a breakdown by fraud type beyond saying the early gains were strongest in account-opening fraud and account takeover.
The open question, he said, is whether the improvement traces to the lifecycle architecture, to better data integration or to weak controls before the change.
A hurricane-driven account-takeover spike "makes year-over-year comparison particularly tricky," he said. "It could flatter or inflate the improvement, depending on which period absorbs more of the anomaly."
Instant payments are forcing the issue
Fraud risk on real-time payments had kept Suncoast from offering them, Nixon said in
"It seemed to always come down to fraud," Nixon said in the case study. "Once a real-time payment goes out, it's very hard to pull it back. If an account gets taken over or a member gets tricked into sending money, we may not have time to catch it before the funds are gone."
Lifecycle decisioning scores identity, unusual account behavior and takeover risk inside the payment flow itself, which let the credit union deploy faster money movement behind its authenticated channels.
The pressure to bring that kind of real-time decisioning to instant payments is industry-wide, Mortensen said.
Instant rails collapse the window to intervene to essentially zero, exposing the limits of batch or periodic controls. Sixty percent of financial-crime executives believe anti-money-laundering rules will soon require real-time monitoring, according to Mortensen.
The appeal of a third-party platform doing that decisioning in real time is genuine, he said.
However, "a different and harder question" is whether a credit union at Suncoast's scale can cleanly integrate such a platform into its core banking infrastructure, Mortensen said.
Suncoast says more payment use cases are in development alongside a coming mobile-app launch. It declined to detail them.
The hurricane test
Fraudsters' account-takeover push during Hurricane Milton is "exactly the same account-takeover behavior that you see in small volumes every day of the year," said Parilee Wang, Alloy's chief product and operating officer.
"The hope on the fraudster side is that this is a moment where no one's paying attention," Wang said.
In other words, disaster fraud is the same day-to-day account-takeover playbook, attempted at volume. Alloy said it sees the pattern in other crises such as California wildfires.
Indeed, disaster events generate address changes, credential resets and customer-service volume that fraudsters exploit to pass identity checks, with account takeover the primary vector, according to Mortensen.
Sando agreed that post-disaster environments are associated with elevated fraud activity, including account-takeover attempts. She pointed to the standing warnings that federal agencies and relief organizations issue after disasters.
She described the post-disaster chaos not just as driving higher account takeover volume but something different in kind.
A baseline account-takeover push is broad and industrialized, leaning on stolen credentials and bots aimed at a wide range of victims, according to Sando.
A post-disaster push exploits the disruption itself. Fraudsters concentrate on the affected region, impersonate disaster victims and press credit union employees with a sense of urgency.
Displaced and short-staffed branches then struggle to keep up.
