Threat actors in underground forums are developing structured, process-driven loan fraud schemes that exploit onboarding and verification workflows using stolen identities and social engineering. Flare researchers identified a reproducible method targeting small- to mid-sized credit unions that bypasses knowledge-based authentication and monetizes approved loans before detection.
Key points
- Underground groups are using stolen personal data and social engineering to impersonate legitimate borrowers.
- Small- to mid-sized credit unions are targeted for perceived gaps in verification and limited fraud prevention resources.
- Attackers reconstruct KBA answers from public records, social media, and leaked datasets to pass identity checks.
- The fraud workflow is methodical and digitized, moving from identity acquisition to loan approval and rapid cash-out.
- Effective defense requires monitoring exposed data at the source and adopting controls beyond traditional KBA.