NCUA Warns Credit Unions About Business Email Compromise
For the first time in six years, NCUA has issued an alert – all because of the increased rate of Business Email Compromise attacks against credit unions. Do you know how to protect yourself?
The National Credit Union Administration (NCUA) doesn’t issue an alert lightly. In fact, it’s been six years since the last time they did.
In August, they issued a new alert all about Business Email Compromise, and the increased rate at which they’re seeing cybercriminals use it as a method to victimize US-based credit unions. The number of complaints associated with this scam increased to the point that the FBI created a recovery asset team to address them in February 2018. Between then and May of this year, the team recovered more than $331 million based on the complaints they received.
What Is Business Email Compromise?
Business Email Compromise is a social engineering technique used by cybercriminals in which they pose as a business or member of a business in order to execute fraudulent payments.
In layman’s terms, a cybercriminal will write an email pretending to be from your credit union, and request that a payment be processed – instead of to a legitimate source, the payment will go to them.
A popular form of Business Email Compromise is CEO Fraud. This is a form of Business Email Compromise where a cybercriminal impersonates a high-level executive (often the CEO). Once they convince the recipient of the email (employee, customer or vendor) that they are legitimate, they then attempt to get them to transfer funds or confidential information.
Business Email Compromise can be carried out a number of ways:
Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources; often with legitimate-looking logos attached.
Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
Online Research: LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel, as do their company websites. This can include their contact information, connections, friends, ongoing business deals and more.
How Can You Protect Your Credit Union?
“Credit unions can take steps to prevent this type of fraud and should report such fraud, when it occurs, to the FBI’s Internet Crime Complaint Center,” said NCUA Chairman Rodney Hood in the alert. “Credit unions that report incidents to the Internet Crime Complaint Center promptly increase their opportunity to recover funds that have been wired under fraudulent pretenses.”
According to the National Association of Federally-Insured Credit Unions (NAFCU), cybersecurity is a systemic risk that affects all levels of business, government and ordinary people. It is such a high-risk area for credit unions that the NCUA placed cybersecurity as a top focus for exams. As the cybersecurity world continues to evolve, it’s important that your credit union is prepared for possible threats. The NAFCU FFIEC Cybersecurity Assessment Tool is available to members here along with other cybersecurity resources.
4 Tips To Protect Against Business Email Compromise
1. Defend Your Organization
Email filtering
Two-factor authentication
Automated password and user ID policy enforcement
Comprehensive access and password management
Whitelist or blacklist external traffic
Patch/update all IT and security systems
Manage access and permission levels for all employees.
Review existing technical controls and take action to plug any gaps.
2. Have Your Personnel Contribute To Cybersecurity
No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger, so start here:
Train users on the basics of cyber and email security.
Train users on how to identify and deal with phishing attacks with New-School Security Awareness Training.
Implement a reporting system for suspected phishing emails.
Continue security training regularly to keep it top of mind.
Frequently phish your users to keep awareness in mind.
3. Keep An Eye Out For Warning Signs
Security Awareness Training should include teaching people to look for red flags. Here are the most common things to watch out for:
Awkward wording and misspellings
Spoofed email addresses and URLs that are very close to actual corporate addresses, but are only slightly different
Sudden urgency or time-sensitive issues
Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information,” which are often used according to the FBI.
4. Test Against Phishing
Run an initial phishing simulation campaign to establish a baseline percentage of which users are Phish-prone.
Continue simulated phishing attacks at least once a month (twice is better).
Once users understand that they will be tested on a regular basis and that there are repercussions for repeated failures, behavior changes; they develop a less trusting attitude and get much better at spotting a scam email.
Randomize email content and the times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others.
How Can KTG Help Your Credit Union?
KTG provides compliant IT managed services as well as managed security solutions designed to meet the compliance standards required by the NCUA. If you’d like to learn more about how we can help your credit union implement a robust technology & cybersecurity management solution, reach out to us today.
Like this article? Check out the following blogs to learn more:
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.