NCUA Warns Credit Unions About Email Compromise

The National Credit Union Administration (NCUA) doesn’t issue an alert lightly. In fact, it’s been six years since the last time they did.

Business Email Compromise

In August, they issued a new alert all about Business Email Compromise, and the increased rate at which they’re seeing cybercriminals use it as a method to victimize US-based credit unions. The number of complaints associated with this scam increased to the point that the FBI created a recovery asset team to address them in February 2018. Between then and May of this year, the team recovered more than $331 million based on the complaints they received.

What Is Business Email Compromise?

Business Email Compromise is a social engineering technique used by cybercriminals in which they pose as a business or member of a business in order to execute fraudulent payments.

In layman’s terms, a cybercriminal will write an email pretending to be from your credit union, and request that a payment be processed – instead of to a legitimate source, the payment will go to them.

A popular form of Business Email Compromise is CEO Fraud. This is a form of Business Email Compromise where a cybercriminal impersonates a high-level executive (often the CEO). Once they convince the recipient of the email (employee, customer or vendor) that they are legitimate, they then attempt to get them to transfer funds or confidential information.

Business Email Compromise can be carried out a number of ways:

  • Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources; often with legitimate-looking logos attached.
  • Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
  • Online Research: LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel, as do their company websites. This can include their contact information, connections, friends, ongoing business deals and more.

How Can You Protect Your Credit Union?

“Credit unions can take steps to prevent this type of fraud and should report such fraud, when it occurs, to the FBI’s Internet Crime Complaint Center,” said NCUA Chairman Rodney Hood in the alert. “Credit unions that report incidents to the Internet Crime Complaint Center promptly increase their opportunity to recover funds that have been wired under fraudulent pretenses.”

According to the National Association of Federally-Insured Credit Unions (NAFCU), cybersecurity is a systemic risk that affects all levels of business, government and ordinary people. It is such a high-risk area for credit unions that the NCUA placed cybersecurity as a top focus for exams. As the cybersecurity world continues to evolve, it’s important that your credit union is prepared for possible threats. The NAFCU FFIEC Cybersecurity Assessment Tool is available to members here along with other cybersecurity resources.

4 Tips To Protect Against Business Email Compromise

1. Defend Your Organization

  • Email filtering
  • Two-factor authentication
  • Automated password and user ID policy enforcement
  • Comprehensive access and password management
  • Whitelist or blacklist external traffic
  • Patch/update all IT and security systems
  • Manage access and permission levels for all employees.
  • Review existing technical controls and take action to plug any gaps.

2. Have Your Personnel Contribute To Cybersecurity

No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger, so start here:

  • Train users on the basics of cyber and email security.
  • Train users on how to identify and deal with phishing attacks with New-School Security Awareness Training.
  • Implement a reporting system for suspected phishing emails.
  • Continue security training regularly to keep it top of mind.
  • Frequently phish your users to keep awareness in mind.

3. Keep An Eye Out For Warning Signs

Security Awareness Training should include teaching people to look for red flags. Here are the most common things to watch out for:

  • Awkward wording and misspellings
  • Spoofed email addresses and URLs that are very close to actual corporate addresses, but are only slightly different
  • Sudden urgency or time-sensitive issues
  • Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information,” which are often used according to the FBI.

4. Test Against Phishing

  • Run an initial phishing simulation campaign to establish a baseline percentage of which users are Phish-prone.
  • Continue simulated phishing attacks at least once a month (twice is better).
  • Once users understand that they will be tested on a regular basis and that there are repercussions for repeated failures, behavior changes; they develop a less trusting attitude and get much better at spotting a scam email.
  • Randomize email content and the times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others.

How Can KTG Help Your Credit Union?

KTG provides compliant IT managed services as well as managed security solutions designed to meet the compliance standards required by the NCUA. If you’d like to learn more about how we can help your credit union implement a robust technology & cybersecurity management solution, reach out to us today.

Like this article? Check out the following blogs to learn more:

The Need for Cybersecurity Expertise at the Board Level for Banking

The new Health Industry Cybersecurity Practices (HICP)

NIST’s Small Business Cybersecurity Corner