Credit unions hit by process-based loan fraud, not exploits

Flare researchers tracked a structured loan fraud playbook circulating in underground forums that bypasses credit unions without touching a single vulnerability. Operators assemble stolen identity packages — names, addresses, DOBs, credit history, and the personal trivia needed to clear knowledge-based authentication — by stitching together breach dumps, public records, and social media. The application then walks through standard onboarding as a ‘legitimate’ borrower, with funds moved through intermediary accounts immediately after approval to outrun manual review.

Small and mid-sized credit unions are explicitly named as preferred marks because they lean on legacy KBA, lack behavioral fraud analytics, and prioritize member accessibility over friction. Auto lending fraud exposure alone is projected at $9.2 billion in 2025, with regional lenders absorbing a disproportionate share. The workflow is documented in eight repeatable steps, signaling a shift from opportunistic scams to productized, replicable operations.

The defensive implication is that identity verification can no longer treat KBA as a barrier — once an answer set exists in aggregated leak data, the control is theatrical. Detection has to move upstream to exposed-credential monitoring and downstream to behavioral signals across the application-to-cashout chain, since each individual transaction in the monetization phase looks routine in isolation.