Fraudsters Shift to Process-Driven Loan Attacks on Credit Unions
Fraudsters are bypassing credit union security by using stolen identities to navigate legitimate loan workflows, rendering traditional knowledge-based authentication ineffective.

Fraudsters are increasingly targeting small- to mid-sized credit unions by utilizing highly structured, process-driven fraud schemes that bypass traditional security measures without ever exploiting a software vulnerability. Rather than relying on technical intrusions, these attackers leverage stolen identity data and social engineering to navigate legitimate loan onboarding workflows, effectively impersonating genuine borrowers to secure fraudulent financing (BleepingComputer).
According to researchers at Flare, this shift represents a move away from opportunistic scams toward methodical, replicable fraud operations. By focusing on institutions with perceived gaps in verification systems and limited fraud prevention resources, threat actors are able to systematically move through credit checks and identity verification processes. The strategy is designed to avoid triggering standard security alerts by appearing as a legitimate customer throughout the entire application lifecycle (BleepingComputer).
The core of this fraud mechanism relies on the successful manipulation of Knowledge-Based Authentication (KBA) systems. These verification checks, which typically query applicants on past addresses, credit history, or employment details, are rendered ineffective because attackers have already harvested the necessary information from dark web forums, social media, and previously leaked datasets. By preparing these answers in advance, criminals turn what is intended to be a robust security barrier into a predictable, easily bypassed step (BleepingComputer).
The workflow identified by researchers is broken down into distinct, repeatable stages: identity acquisition, credit profile assessment, KBA preparation, target selection, and final loan application submission. Because the attacker is using valid, albeit stolen, credentials to interact with the institution's own systems, the fraud is often not detected until the loan has already been approved and the funds disbursed. This process-oriented approach highlights a significant evolution in how cybercriminals monetize stolen personal data (BleepingComputer).
This trend underscores a growing challenge for the financial sector, where the reliance on digitized onboarding processes can inadvertently create vulnerabilities if the underlying verification logic is flawed. As attackers continue to refine their ability to anticipate and prepare for identity verification requirements, institutions are being forced to reconsider the efficacy of traditional KBA methods. Monitoring for exposed data at the source, before it is used in an application, is increasingly viewed as a necessary component of a modern fraud prevention strategy (BleepingComputer).
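As an added illustration (not code from Flare or BleepingComputer), the sketch below shows one way an intake system could act on exposure monitoring before relying on KBA: it looks up the applicant in an exposure feed and checks whether the KBA categories named above (past addresses, credit history, employment) are already compromised. The feed format, the keyed-hash lookup, the function names and the routing labels are all assumptions made for this example.

```python
import hashlib
import hmac

# Assumption: a key shared with the exposure-monitoring feed, so the feed
# is keyed by HMAC tokens and never stores raw identifiers.
FEED_KEY = b"constructed-demo-key"

def identity_token(ssn: str, dob: str) -> str:
    """Keyed hash of normalized identifiers, used as the feed lookup key."""
    digits = "".join(c for c in ssn if c.isdigit())
    msg = f"{digits}|{dob.strip()}".encode()
    return hmac.new(FEED_KEY, msg, hashlib.sha256).hexdigest()

# Constructed sample feed: token -> data categories seen exposed for that
# identity. The identifiers below are deliberately invalid sample values.
EXPOSURE_FEED = {
    identity_token("000-00-0001", "1980-01-02"):
        {"past_addresses", "employment", "credit_history"},
    identity_token("000-00-0002", "1975-06-30"):
        {"past_addresses"},
}

def kba_decision(ssn, dob, kba_categories):
    """Decide how much weight KBA can carry for this application.

    Returns (route, compromised_categories), where route is:
      'kba'             - no asked category is known to be exposed
      'kba_plus_review' - some answers are exposed; add manual review
      'step_up'         - every asked category is exposed, so KBA proves
                          nothing; require a non-KBA verification method
    """
    exposed = EXPOSURE_FEED.get(identity_token(ssn, dob), set())
    asked = set(kba_categories)
    compromised = sorted(asked & exposed)
    if not compromised:
        return "kba", compromised
    if asked <= exposed:
        return "step_up", compromised
    return "kba_plus_review", compromised

if __name__ == "__main__":
    for applicant in [("000-00-0001", "1980-01-02"),
                      ("000-00-0002", "1975-06-30"),
                      ("000-00-0003", "1990-12-12")]:
        print(applicant, kba_decision(*applicant,
                                      ["past_addresses", "employment"]))
```

The check runs before the KBA quiz is generated, so an application whose answers are already circulating is routed away from KBA instead of passing it cleanly.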