Credit unions, under siege from many cybercriminals, can combat cyberthreats with diligence and vigilance. That message came from a panel at CU Times' Oct. 6 virtual conference, "Data Breach Defense." Approximately 425 credit union executives tuned in for the event.

David Brown, director at credit union security consulting firm ERM Security, based in Charlotte, N.C., joined Mark Guntrip, group manager, Email Protection, at Sunnyvale, Calif.-based cybersecurity firm Proofpoint and CU Times Executive Editor Heather Anderson to share lessons learned from credit unions that have been hit by current hot-button cyberattacks.

There are financial implications, as well as reputational and other risks, associated with data breaches. Phishing attacks aimed at employees cost an average-sized company $3.77 million per year, Anderson said.

Anderson also focused on some of the most prevalent threats today, which include distributed denial-of-service (DDoS) attacks.

"DDoS attacks evolved from merely knocking institutions offline to distracting IT departments while cyberthieves stole deposits," Anderson said. While there are no known instances of DDoS theft from credit unions, several cases involved banks, she added.

Anderson noted that thieves have stolen more than $2 billion from ATMs, and 98% of losses result from skimming crimes. Just two weeks ago, Wisconsin police discovered eight skimming devices on credit union ATMs.

Brown detailed the dangers of spear phishing, a targeted attack crafted specifically for a credit union and its employees.

"The methods haven't changed but there is a different twist to the execution," he said.

Organizations typically combat spear phishing with spam filters and Sender Policy Framework records, also known as SPF records. By slightly modifying an attack, an attacker can bypass SPF records and circumvent many spam filters, Brown said. Typically, if an email attempts to spoof the credit union from the outside, it is rejected by spam filters. Criminals now send phishing emails from an external email address into the credit union with the credit union's display name, which spam filters often don't catch, he explained.

Brown added credit unions should verify their protection and test frequently against these new attacks.
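As an added illustration (not code from the panel or the article), the check below flags inbound mail whose From display name impersonates the credit union while the actual address is external, the case Brown describes where SPF passes because the sender uses its own domain. The domain `examplecu.org`, the protected names and the sample messages are assumptions constructed for the example.

```python
import re
import unicodedata
from email import message_from_string, policy

# Assumed values for illustration: the credit union's own domains and the
# display names worth protecting (organization name, executives).
ORG_DOMAINS = {"examplecu.org"}
PROTECTED_NAMES = {"example credit union", "jane doe"}

# Constructed samples. In SPOOFED, SPF passes because it validates the
# sender's own envelope domain, not the display name shown to the reader.
SPOOFED = ('From: "Example Credit Union" <billing@mail-service.example>\n'
           'Authentication-Results: mx.examplecu.org; spf=pass '
           'smtp.mailfrom=mail-service.example\n'
           'Subject: Wire approval needed\n\nPlease approve today.\n')
EMBEDDED = ('From: "jane.doe@examplecu.org" <jd@webmail.example>\n'
            'Subject: Quick favor\n\nAre you at your desk?\n')
LEGIT = ('From: "Jane Doe" <jane.doe@examplecu.org>\n'
         'Subject: Minutes\n\nPlease review.\n')


def _norm(text):
    """Fold case, Unicode compatibility forms and punctuation for comparison."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[^a-z0-9@.]+", " ", text).strip()


def check_from_header(raw_message):
    """Return a reason string if the From header looks like display-name
    spoofing, or None if nothing is flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    addresses = msg["From"].addresses if msg["From"] else ()
    if not addresses:
        return "missing or unparseable From header"
    sender = addresses[0]
    domain = sender.domain.lower()
    if domain in ORG_DOMAINS:
        return None  # internal address; domain spoofing is the SPF/filter case
    name = _norm(sender.display_name)
    for org in ORG_DOMAINS:
        if "@" + org in name:  # display name embeds one of our own addresses
            return f"display name contains internal address, sent from {domain}"
    for protected in PROTECTED_NAMES:
        if protected in name:
            return f"display name '{protected}' used by external domain {domain}"
    return None
```

Run against a mail gateway's quarantine or journal copy, a check like this also gives a repeatable test case for the frequent testing Brown recommends.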

"Ninety-one percent of threats come through email because that is the way people communicate," Guntrip said.

A big part of the problem is that people are generating more data that requires protection.

"Humans create up to 80% of an organization's total data," Guntrip noted. "Current security tools are ineffective at stopping even commodity threats, let alone targeted attacks."


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).