Why credit unions need advanced authentication that extends beyond perimeter defenses

Authentication Fraud prevention Payments

According to the Federal Trade Commission (FTC), consumers lost over $12.5 billion to fraud in 2024. And while credit unions (CUs) and their members believe some transactions are immune to fraud or present a lower risk — like those over their internal payment rails — that’s not always the case. An outdated, siloed fraud prevention approach can create gaps that fraudsters will exploit.

In a recent interview at Q2 Connect25, VP of Digital at Nuvision Credit Union, Michael Hayden, highlighted a growing fraud trend impacting CUs: member-to-member (M2M) transfer fraud.

Let's explore why modern authentication is essential to protect all interaction channels, including internal payment rails.

Member-to-member transfer fraud — a growing fraud trend

Although member-to-member transfers move across internal payment rails rather than external networks, the mechanism has recently become a target for fraudsters, Michael warned. Fraudsters have found a way to defraud members from within a CU’s internal channels, which are typically perceived as safe.

Here’s how a fraudster could carry out this attack. The fraudster opens a fraudulent account at a CU, then takes over a genuine member’s account. They transfer funds from the compromised account into their own. “Then it’s their money. And it’s there in real time!” Michael adds.

Next, the fraudster quickly withdraws the funds through another channel, such as a branch withdrawal. And the deed is done.

Fraudsters are taking advantage of this perception, and lack of controls, on internal payment rails. Consequently, these transactions are no longer immune to fraud.

So, what can credit unions do to mitigate this threat? Protecting their members requires modern, adaptive fraud prevention measures, before and after users log into an account. A solution that detects suspicious or high-risk activity in real-time and responds appropriately before members’ funds are lost.

Above: Watch Nuvision’s interview at Q2 Connect25 and explore Entersekt’s additional resources for Q2 here.

The gaps left by outdated, static authentication

Fraudsters will always seek the path of least resistance. Consequently, credit unions still relying on static authentication — like one-time passcodes (OTPs) or secure access codes (SACs) — become easy targets. OTPs and SACs are easily intercepted, leaving accounts vulnerable.

The bottom line is that these outdated defenses are no match for modern fraud tactics. As Mzukisi Rusi, Entersekt’s VP of Product shared in a recent PYMNTS interview:

“Banks have long clung to the belief that once a user passes the login, the session is safe.”

Unfortunately, we’re seeing that that’s no longer the case. Internal transfers are a growing blind spot that all FIs need to address quickly.

The solution? Adaptive authentication that analyzes real-time signals, applies intelligent risk scoring, and introduces friction only when it’s needed. Modern authentication, like Entersekt’s, can help credit unions close these gaps fraudsters exploit.

Protecting members and building trust with modern authentication

Modern authentication closes fraud gaps, before and after login, which prevents fraud losses for members and any reputational damage that would tarnish a credit union’s brand.

With Entersekt, credit unions can safeguard members using adaptive security that evaluates the risk of each transaction, not just logins. And in real-time. As Mzu explains:

“The question is not about, ‘Did you just log in?’ It’s about, ‘Are you still acting like you?’”

That’s how risk-based authentication (RBA) applies the right level of friction, based on context. This approach ensures strong protection for every transaction, without compromising user experience.

Let's look at an example. A fraudster opens a fake account at a credit union, then hijacks a real member’s login to transfer funds. With RBA analyzing device, behavior, and transaction context, the unusual transfer triggers an extra verification step — stopping the fraudster’s attack, yes; but also signaling to the member that their CU has their back.

Entersekt uses active authentication, like device prompts and biometric authentication, combined with silent authentication, like behavioral analytics and device signals (requiring no action from the member). The result: safeguards for logins and beyond that protect members without detrimental effects on their experience.

Fraud prevention that puts member experience first

Whether we’re talking about credit unions or banks, another growing priority the industry is realizing is the need to break down silos between systems. For instance, when member and risk data remain fragmented, members are at a greater risk of being exposed to fraud but also being subjected to a disjointed user experience.

Entersekt's Chief Strategy Officer, Dewald Nolte, advises:

“Financial institutions need to get to the point where there's a consistent authentication experience across all of their channels.”

To bring that about, banks and CUs need authentication solutions that cover all their channels and share customer and risk signals across those channels.

In addition, credit unions that empower members to choose their preferred authentication method improve more than just security, shares Dewald: “If a customer knows and can choose how they want to be challenged, the authentication success rate is much higher. Because now, when they get a challenge event, it's the one they’ve chosen — so they know exactly how to use it.”

Getting ahead of the curve

Modern fraud tactics are advancing too quickly for credit unions to rely on outdated defenses. Member trust, seamless experiences, and long-term resilience depend on adopting adaptive authentication that can spot threats in real-time and stop them before losses occur.

Michael warns:

“If you're not taking those steps, you are going to be not just the low hanging fruit, but also a target and you're going to see increased attacks like credential stuffing or social engineering. So, get ahead of the curve, because you don't want to have to answer to your members when you're not.”

Learn more about Entersekt’s dynamic authentication measures for Q2: Click here.