Three huge cybersecurity problems for credit unions center on email. That's according to KnowBe4 CEO Stu Sjouwerman, who delivered the keynote address at the CU InfoSecurity 2016 conference in New Orleans.
"The biggest mistake credit unions make is not configuring their email server correctly, so that spoofed email addresses sail right through and employees open attachments that they should not," Sjouwerman warned.
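The article does not say which server settings let spoofed addresses through; the standard mechanisms a receiving mail server uses to reject mail that forges a domain in the From: address are SPF, DKIM and DMARC. As an added example that is not part of the article or of KnowBe4's material, the following Python script grades constructed SPF and DMARC records the way a receiver would, reporting each setting that lets spoofed mail be delivered. The domain names and TXT records are made up, and `lookup_txt` is a stand-in for a real DNS query.

```python
"""Grade a domain's SPF and DMARC records for spoof resistance.

Added example. The DNS answers below are constructed, not real lookups;
replace lookup_txt() with a DNS client to check a live domain.
"""

# Constructed TXT records standing in for DNS answers (assumed names).
DNS_TXT = {
    "weak-cu.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak-cu.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-cu.example"],
    "strict-cu.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.strict-cu.example": ["v=DMARC1; p=reject; pct=100; adkim=s; aspf=s"],
    "nodmarc-cu.example": ["v=spf1 ip4:203.0.113.5 -all"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns a list of record strings."""
    return DNS_TXT.get(name, [])


def parse_spf(domain):
    """Return the domain's SPF record string, or None if it publishes none."""
    for rec in lookup_txt(domain):
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def parse_dmarc(domain):
    """Return the DMARC record at _dmarc.<domain> as a tag dictionary, or None."""
    for rec in lookup_txt("_dmarc." + domain):
        if rec.upper().startswith("V=DMARC1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(domain):
    """List the weaknesses that would let a forged From: <domain> be delivered."""
    findings = []
    spf = parse_spf(domain)
    if spf is None:
        findings.append("no SPF record")
    else:
        last = spf.split()[-1].lower()  # the terminating "all" mechanism
        if last in ("+all", "all"):
            findings.append("SPF +all: any host may send as this domain")
        elif last == "~all":
            findings.append("SPF softfail (~all): spoofed mail is tagged, not rejected")
        elif last == "?all":
            findings.append("SPF neutral (?all): no assertion about spoofed mail")
        elif last != "-all":
            findings.append("SPF has no terminating all mechanism")

    dmarc = parse_dmarc(domain)
    if dmarc is None:
        findings.append("no DMARC record: receivers will not enforce alignment")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC policy missing or invalid")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC pct={pct}: only part of failing mail is acted on")
    return findings


def is_spoof_resistant(domain):
    """True only when SPF ends in -all and DMARC enforces quarantine/reject on all mail."""
    return assess(domain) == []


if __name__ == "__main__":
    for name in ("weak-cu.example", "strict-cu.example", "nodmarc-cu.example"):
        print(name, "->", assess(name) or ["spoof resistant"])
```

The weak record pair (`~all` plus `p=none`) is the configuration that lets a forged executive address "sail right through": the receiver sees a softfail and a policy that asks it to do nothing. The strict pair tells receivers to reject any message whose From: domain is not authenticated by an aligned SPF or DKIM result.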
The first problem is CEO fraud, Sjouwerman said. In this type of scheme, scammers email a targeted recipient while posing as the organization's CEO or another senior executive, and pressure them into processing a payment by wire or credit transfer. The FBI estimated CEO fraud cost organizations more than $2.3 billion in losses over the past three years. In one such attack, scammers unsuccessfully targeted personnel at Clearwater, Fla.-based KnowBe4 itself.
The second problem, W-2 fraud, can be considered a different flavor of CEO fraud. In this variation, a scammer purporting to be the CEO or another company executive sends an email to a company payroll or office employee requesting a list of employees and corresponding information, including their Social Security numbers and other personally identifiable information. In March, the IRS issued an alert to payroll and human resources professionals warning them of these types of emails.
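Both schemes rely on the same few tells: a sender display name that matches an executive while the address or domain does not, a Reply-To that diverts answers elsewhere, an internal domain that did not pass DMARC, and an urgent request for money or employee data. As an added example that is not part of the article or of KnowBe4's material, the following Python script runs those checks over constructed messages (the executive directory, the domain `example-cu.org`, the lookalike `examp1e-cu.org` and the message texts are all made up) and holds any message that trips two or more of them for out-of-band verification.

```python
"""Flag CEO-fraud and W-2-fraud red flags in inbound mail.

Added example. The executive list, domains and messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-cu.org"                       # assumed domain
EXECUTIVES = {"jane doe": "jane.doe@example-cu.org"}     # assumed directory

PAYMENT_WORDS = re.compile(r"\b(wire transfer|wire|payment|invoice|transfer funds)\b", re.I)
PII_WORDS = re.compile(r"\b(w-?2|social security|ssn|payroll list|employee list)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|asap|today|confidential|do not discuss)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e-cu.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(raw):
    """Return the list of executive-impersonation red flags found in one raw message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # Display name of a known executive attached to some other address.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        flags.append(f"display name '{name}' matches an executive but address is {addr}")

    # Domain one or two edits away from ours (typosquat / homoglyph).
    if domain and domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain {domain}")

    # Replies silently redirected to a different mailbox.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        flags.append(f"Reply-To {reply} differs from From {addr}")

    # Claims to be our own domain but the receiving MTA recorded no DMARC pass.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        flags.append("claims internal domain but DMARC did not pass")

    # Asks for money or employee PII, with or without pressure to act now.
    body = msg.get_payload()  # sample messages are single-part text
    if PAYMENT_WORDS.search(body) or PII_WORDS.search(body):
        if URGENCY_WORDS.search(body):
            flags.append("urgent request for a payment or employee PII")
        else:
            flags.append("request for a payment or employee PII")
    return flags


def triage(raw, threshold=2):
    """Decide whether to deliver or hold a message; returns (decision, flags)."""
    flags = red_flags(raw)
    decision = "hold for verification" if len(flags) >= threshold else "deliver"
    return decision, flags


# Constructed sample messages (not real traffic).
CEO_FRAUD = """From: Jane Doe <jane.doe@examp1e-cu.org>
Reply-To: jane.doe.cu@webmail.example
To: accounts@example-cu.org
Subject: Urgent wire
Authentication-Results: mx.example-cu.org; spf=pass smtp.mailfrom=examp1e-cu.org

Please process a wire transfer of $48,000 to the attached account today.
I am in a meeting, do not discuss this with anyone.
"""

W2_FRAUD = """From: Jane Doe <jane.doe@example-cu.org>
To: payroll@example-cu.org
Subject: Employee forms
Authentication-Results: mx.example-cu.org; spf=fail smtp.mailfrom=example-cu.org; dmarc=fail header.from=example-cu.org

Send me the W-2 forms for all employees as PDF. I need them today.
"""

LEGIT = """From: Jane Doe <jane.doe@example-cu.org>
To: staff@example-cu.org
Subject: Board meeting
Authentication-Results: mx.example-cu.org; spf=pass smtp.mailfrom=example-cu.org; dmarc=pass header.from=example-cu.org

Reminder: the board meeting has moved to 3pm in the main conference room.
"""

if __name__ == "__main__":
    for label, raw in (("CEO fraud", CEO_FRAUD), ("W-2 fraud", W2_FRAUD), ("legit", LEGIT)):
        print(label, triage(raw))
```

The DMARC check only works if the mail gateway actually writes an Authentication-Results header and enforces a policy; on a server that lets spoofed addresses through, the W-2 sample would carry the executive's exact address and pass every check except the content one, which is why the article treats server configuration and user training as two halves of the same defense.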
The third major area of concern is ransomware, which Sjouwerman said has grown tremendously as cybergangs compete for criminal market share. A typical ransomware attack arrives through spam or phishing email; the malware renders computer systems, devices or files inaccessible by encrypting them and holds them hostage until the victim pays, usually in bitcoin.
Sjouwerman pointed out two recent, concerning developments in ransomware. One is a worm-like capability added to a particular ransomware strain: the malware replicates itself across the network and locks each machine it reaches, rather than only the machine that was first infected.
The other is a new strain called Crysis, which encrypts personal documents on the victim's computer and also uploads a few of the encrypted files to its command-and-control server, so the attacker ends up holding copies of the victim's data.
"That is really bad because that gets you into data breach territory. That is one strain of ransomware that you do not want to get hit with," Sjouwerman told attendees.
Sjouwerman suggested credit unions adopt defense in depth in order to become a hard target. Defense in depth is a multilayered approach that stacks independent countermeasures (people, perimeter, network, applications, data) so that the failure of any one control does not by itself let an attack succeed.
The KnowBe4 CEO said, "If you are a sufficiently hard target they will go somewhere else. You need to defend the outside mushy, messy layer of humans and turn that into a human firewall. You need to continue with defending your perimeter, network, applications and data."
Sjouwerman said it is a constant struggle to make decision makers aware of the risks currently on the internet.
"Equipping somebody with email is very handy and customers expect it, but it opens up a massive hole in your defenses," he said. "Essentially, you need to train employees to spot the red flags."
© 2025 ALM Global, LLC, All Rights Reserved.