Risk & Fraud

Card Cracking – Not All It’s Cracked Up to Be, and Your Members are the Target

By: David Ver Eecke, Sr. Fraud Product Manager

“Hey, want to make some quick cash? Hit me up @CardCrackingFraudster121! Must have a bank account.”  While it may seem an obvious scam to some, millions of people are falling victim to this method of social media fraud, and when one of the victims is your member, your credit union could be on the hook for the loss.

Card cracking, or card popping as it’s sometimes called, is a scheme that fraudsters use to make quick cash outs using your members’ banking information. In the typical card cracking scheme, the fraudsters attempt to convince your member to act as an unknowing accomplice in stealing money from their credit union. Unlike other fraud schemes, where the fraudsters acquire account details from the dark web or another illicit source to commit fraud, the card cracking fraudster uses social media to get your members’ attention and account details. Often justified as a victimless crime, the enticement of fast money can be difficult for your members to refuse, and in some cases your members may even be complicit in the fraud.

Card Cracking 101

The characteristic card cracking scheme begins with a post on social media. The post will often show stacks of cash in a fancy car or depict a fraudster living the good life with an abundant amount of cash in their hands. The post is accompanied with a comment advertising quick money if you have a particular account with a financial institution. Once the fraudster contacts an interested party on social media, they will often provide a small upfront payment of a few hundred dollars in exchange for the member’s debit card number, PIN and online banking details. Their hope is that the member will not ask too many questions, but it’s at this point that your member may become complicit in the fraud. Typically, the fraudster will ask the member to report the transactions as fraudulent once the fraudster has finished. However, this scheme can play out in many different ways, and sometimes the fraudster will frame the situation in such a way that the member doesn’t fully understand the consequences.

The fraudster will then deposit a number of bad checks into the account, either at an ATM or via mobile deposit, with the goal of cashing out the account before the credit union realizes the checks are phony.

Once the funds are available, the fraudster will cash out the account at ATMs or via P2P payment services such as Square Cash, Venmo, Apple Pay Cash and PayPal. Fraudsters have also been known to help themselves to other legitimate funds in the account beyond the amount of bad checks they have deposited.

Why is This Scheme so Popular?

EMV — which stands for Europay, Mastercard and Visa — has caused the fraud landscape to shift in a number of predictable and unpredictable ways in the United States. With the United Kingdom and several other foreign countries adopting EMV well before the United States, the increase in e-commerce fraud wasn’t all that surprising. However, what did shock many credit unions was the increase in first party, account takeover, new application and other friendly fraud activities, including card cracking.

In all of these circumstances, the fraudster may in fact be the member committing the fraud! That’s a completely new set of rules that credit unions have to follow to effectively combat fraud – not to mention that a false positive may involve the credit union accusing a legitimate member of committing the fraud. The fraud business of the past was largely dominated by third-party fraud, and for good reason. With all of the compromised magnetic stripe data floating around, counterfeit fraud was a breeze for the fraudsters. EMV has restricted that market, and fraudsters aren’t out of the game just yet; they are constantly coming up with new schemes.

Another driver for the increase in account takeover and new application fraud is the increase in personal details available to the fraudsters. The dark web is full of social security numbers, birth dates and other personally identifiable information, thanks to data breaches such as Equifax that exposed the sensitive personal information for 143 million Americans, according to the Federal Trade Commission1. With all of these details freely available on the dark web, the fraudsters have more than enough information to conduct these more profitable types of fraud as counterfeit card details become less available.

How to Protect Your Credit Union from Card Cracking

Like many other first-party fraud schemes, the fraudsters rely on the industry’s passion for reducing the timing for funds availability and transfers. Reducing the time it takes checks to clear and money to move is certainly a good thing for the vast majority of customers, but the increase in speed can open opportunities for fraudsters.

Protect your credit union by setting daily limits on cash, PIN and signature transactions. While daily limits alone will not prevent all of the possible fraud, they can significantly reduce the worst possible outcome and put a stop to runaway fraud runs. They may cause inconvenience for your members so it’s important to find the right balance. It’s also a good practice to hold check deposits longer for newly opened accounts, and limit the amount that can be deposited via mobile deposits. Establishing limits can help reduce your credit union’s potential exposure.

Education is another important step to help protect your credit union. Many card cracking schemes target college students and young adults. These members may not realize that this scam is illegal, and it could leave them with criminal charges and financial liability for the fraud. Educating members on the consequences of participating in a card cracking scheme will discourage them from being fooled online.

Additionally, discouraging your members from providing their banking details to another person, especially over the internet, will remind them that this information should be kept private. Enlist them in the fight and ask them to report any suspicious posts right away. Credit unions can report the posts and have them removed. Instituting daily limits and educating your members can go a long way in protecting your credit union from this type of fraudulent activity.

Card cracking schemes are just a new flavor in a long line of too-good-to-be-true scams. The fraudsters are constantly resetting the fraud landscape, and your institution doesn’t have to be a target. By educating your members about these scams and establishing daily limits and hold times, your credit union will be better protected from card cracking scams and first-party fraud.

1https://www.ftc.gov/equifax-data-breach