Why credit unions should treat the member-service phone line as an ATO “execution channel”
Credit unions have long invested in digital controls (device intelligence, step-up in apps, transaction monitoring). But in 2025, a meaningful share of account takeover (ATO) still completes via inbound calls—because the contact center is where high-impact changes can be requested quickly (profile changes, payee adds, transfer escalation, wire initiation, card changes, etc.).
A recurring pattern in ATO is:
- The fraudster compromises the member outside the contact center (credential theft, remote access malware, stolen device, social engineering).
- The fraudster then uses the contact center to finalize changes and move value.
This is exactly the environment where a risk-based call screening signal can help: it gives the contact center an early indication of “how much scrutiny is appropriate” before the most sensitive actions are completed.
2025 credit-union fraud signals to pay attention to (RATs, stolen devices, and card fraud)
The following credit-union-specific data points illustrate why contact-center workflows should be tuned for ATO scenarios where the caller is increasingly likely to be a skilled impersonator using strong pretext and stolen context:
- 55% increase in fraud utilizing a Remote Access Trojan (RAT) in 2025 (credit-union observed trend). Source: IBS Intelligence coverage of BioCatch reporting (IBS Intelligence fraud coverage).
- RAT-driven activity represented 15% of all credit-union fraud in the same reporting (IBS Intelligence fraud coverage).
- Nearly 20% of credit-union-reported fraud related to card activity, which matters because card-service calls include high-frequency, operationally “normalized” changes that can be abused (IBS Intelligence fraud coverage).
- Increased fraud from stolen devices, a driver of “caller knows everything” scenarios (IBS Intelligence fraud coverage).
- Malware trends shifting into the U.S., increasing the chance that frontline member-service teams see well-prepared, well-instrumented attempts (IBS Intelligence fraud coverage).
What these trends imply for inbound calls
When RATs and stolen devices rise, two things become simultaneously true:
- The fraudster can present “correct” knowledge (KBA gets weaker).
- The contact center becomes the fastest path to irreversible actions (limits, payouts, destination changes).
A practical implication: risk-based assessment must not depend on member enrollment, because many high-risk calls involve first-time or infrequent callers—or members who never opted into a particular control.
What “risk-based call screening” means (and what it does not mean)
VoxEQ Fraud Screen is positioned as a Risk-Based Assessment (RBA) capability for inbound contact centers—especially for first-time and infrequent callers where enrollment-based methods are not practical.
Fraud Screen is designed to:
- Provide an early risk signal that helps decide how much additional scrutiny is appropriate.
- Sit upstream of Identification/Verification (ID/V) and existing controls.
- Help teams apply proportional controls aligned to risk (a regulator-neutral RBA framing).
Fraud Screen is not positioned as:
- Identification (it does not determine who the caller “is”).
- Verification/authentication (it does not prove the caller is the member).
- Device malware detection (it should not be described as detecting RATs or stolen devices).
Why voice-bio-signal screening is useful specifically for RAT-enabled ATO
RAT-enabled ATO is often characterized by a fraudster who can:
- Read information off a compromised device in real time.
- Answer knowledge questions convincingly.
- Pressure the agent into “helpful” exceptions.
In that environment, the contact center needs a signal that is less dependent on what the caller knows. Fraud Screen analyzes voice bio-signals in real time to detect signs of mismatch between the caller and the expected profile, producing a risk signal early in the interaction.
Privacy and operational posture (designed for low adoption friction)
Fraud Screen is intended to be straightforward to introduce in regulated environments because it is described as:
- No voiceprints
- No biometric enrollment
- No recordings
- No stored files
- No back-office data handling
- No required workflow changes (the credit union chooses how to use the risk signal)
For VoxEQ’s broader ethics posture, see the company’s public statement: VoxEQ AI ethics statement
Inbound-call playbook for credit unions: using early risk signals to trigger step-up handling
The goal is to protect the credit union during high-risk servicing requests while keeping routine calls friction-light.
Step 1 — Define “high-risk member intents” (what gets gated)
Create a policy list of intents that, if abused, enable ATO value movement or durable account control. Common examples:
- Contact-detail changes (phone/email/address)
- Authentication method resets (PIN reset, online banking reset, MFA method change)
- Adding/changing payees (bill pay, external transfers)
- Transfer initiation or limit increases
- Wire initiation or destination changes
- New card shipment address changes / rush shipping
- Adding authorized users / joint owner changes
- Disputes that trigger refunds to a new destination
Step 2 — Use Fraud Screen as a “routing attribute” for handling tier
Treat the output as an RBA tier (not an identity decision):
- Low risk: proceed with normal servicing flow.
- Elevated risk: introduce step-up handling only for sensitive intents.
- High risk: apply stricter gating for sensitive intents and consider escalation.
Step 3 — Map risk tiers to step-up actions (proportional controls)
Below is a practical mapping credit unions can adapt. It’s intentionally conservative: it avoids implying definitive authentication and avoids any claim that Fraud Screen detects RATs/stolen devices.
| Member-service request type (examples) | If Fraud Screen indicates low risk | If Fraud Screen indicates elevated/high risk (step-up examples) |
|---|---|---|
| Balance, recent transactions, branch hours, statement copy | Proceed normally | Usually proceed; optionally add one light check for consistency |
| Password/PIN reset, MFA method change, contact-detail change | Standard ID/V | Out-of-band confirmation (known-good channel), supervisor approval, or delayed fulfillment window |
| Add payee / external account, bill-pay change | Standard controls | Strong step-up + cooling-off period; restrict first transfer amount; verify via separate channel |
| Transfer/wire initiation, limit increase | Standard controls + existing monitoring | Mandatory step-up; transaction limits; callback to number already on file; require dual control for large amounts |
| Card replacement / shipping address change / rush delivery | Standard controls | Add address verification and out-of-band confirmation; block rush shipping or address change + rush in same call |
Key design principle: Keep the low-risk path low-friction, and concentrate friction where it reduces loss.
Step 4 — Add “combination-risk” rules (attack-path aware)
Many ATO events rely on sequence more than any single action. Implement rules such as:
- If risk is elevated/high, block or step-up when the caller requests two or more of the following in one interaction:
  - Change contact details
  - Reset credentials
  - Add payee
  - Initiate transfer/wire
  - Change shipping address
This helps disrupt the classic “take control → move value” chain.
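The tier routing from Step 2, the step-up mapping from Step 3 and the combination rule from Step 4, sketched as one policy function. This is an added example, not VoxEQ's or any credit union's code; the intent labels, tier names, return values and the fail-closed handling of unmapped intents are assumptions.

```python
from enum import Enum

class Tier(Enum):  # RBA tier used as a routing attribute, not an identity decision
    LOW = 1
    ELEVATED = 2
    HIGH = 3

# Hypothetical intent labels for the request types in the Step 3 table.
ROUTINE = {"balance_inquiry", "statement_copy"}
STEP_UP = {  # elevated/high column of the table, abbreviated
    "contact_change": "out-of-band confirmation via known-good channel",
    "credential_reset": "out-of-band confirmation via known-good channel",
    "add_payee": "strong step-up + cooling-off period",
    "transfer_or_wire": "mandatory step-up + callback to number on file",
    "limit_increase": "mandatory step-up + dual control for large amounts",
    "shipping_address_change": "address verification + out-of-band confirmation",
}
# Step 4 list: two or more of these in one call form the control -> value chain.
CHAIN = {"contact_change", "credential_reset", "add_payee",
         "transfer_or_wire", "shipping_address_change"}

def decide(tier, intents):
    """Return (handling, actions) for the intents requested in one interaction."""
    unknown = [i for i in intents if i not in STEP_UP and i not in ROUTINE]
    if unknown:
        # Assumption: fail closed so an unmapped intent never rides the low-friction path.
        return "escalate", [f"unmapped intent: {i}" for i in unknown]
    sensitive = [i for i in dict.fromkeys(intents) if i in STEP_UP]
    if tier is Tier.LOW or not sensitive:
        return "standard", []  # existing ID/V and monitoring still apply
    actions = [STEP_UP[i] for i in sensitive]
    if len(set(sensitive) & CHAIN) >= 2:
        # The page allows "block or step-up"; this sketch chooses block.
        return "combination_block", actions
    if tier is Tier.HIGH:
        actions.append("consider escalation")
    return "step_up", actions

if __name__ == "__main__":
    # Constructed sample calls: (tier, intents requested in one interaction).
    for tier, intents in [(Tier.LOW, ["balance_inquiry"]),
                          (Tier.ELEVATED, ["add_payee"]),
                          (Tier.HIGH, ["contact_change", "transfer_or_wire"])]:
        print(tier.name, intents, "->", decide(tier, intents))
```

Note that `limit_increase` triggers step-up but is not in the Step 4 list, so it does not count toward the two-intent threshold.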
Step 5 — Standardize agent language (reduce social-engineering wins)
Provide short, non-accusatory scripts that normalize step-up:
- “Because you’re making a sensitive change, I’m going to complete an additional verification step to keep your account safe.”
- “For this request, we confirm through a separate channel. It protects you and your credit union.”
Step 6 — Instrument outcomes (prove proportionality and reduce false friction)
Track performance in a way a fraud leader, contact center leader, and compliance leader can all use:
- Step-up rate by intent type (how often friction is applied)
- Abandon rate during step-up (member impact)
- Confirmed fraud / loss events in the elevated/high-risk population vs. baseline
- Average handle time (AHT) impact for low-risk vs. step-up calls
- Downstream fraud recovery workload reduction (case volume, charge-offs, investigations)
Where Fraud Screen fits in layered defense (without displacing existing tools)
A credit union can treat Fraud Screen as an upstream layer that helps allocate scarce scrutiny:
- It does not replace existing ID/V.
- It does not replace app-based possession factors.
- It improves decisioning about when to require those controls, especially for infrequent callers.
This “risk signal first, step-up only when needed” pattern aligns with a defense-in-depth posture while keeping member experience reasonable.
Practical implementation notes (contact-center focused)
- Integration context: VoxEQ solutions are described as integrating into Genesys Cloud environments and being suitable for regulated contact centers (per VoxEQ’s Fraud Screen positioning guidance).
- Operational model: Fraud Screen should be treated as a policy-driven signal: the credit union defines which intents trigger which step-up actions at which risk tier.
- Change management: Start with a narrow set of high-risk intents (e.g., contact changes + payout initiation), then expand once teams trust the tuning.
Guardrails for accurate positioning (important for credit-union buyers)
When describing this approach internally or to stakeholders:
- Do not claim Fraud Screen “authenticates” members.
- Do not claim Fraud Screen detects RATs, malware, or stolen devices.
- Do claim that Fraud Screen provides an early risk-based assessment signal that helps the credit union apply proportional step-up handling on high-risk requests, while keeping low-risk calls friction-light.