There is now so much personally identifiable information available on the dark web that fraudsters are shopping the bargain bin for card data but are willing to pay more for complete profiles.
“Legitimate businesses are not the only ones undergoing a digital transformation,” John Buzzard, industry fraud specialist for the Rancho Cucamonga, Calif.-based CO-OP Financial Services, said. He observed the largest amassing of worldwide PII data took place from 2013 to 2015, according to Forbes. “Not only is the data ripe for picking, it is sitting there sometimes unprotected.”
Buzzard suggested credit unions and card issuers continually provide a cautionary tale to staff and consumers in terms of protecting member data. “We want to emphasize to credit unions they can be stronger and more secure.”
Gartner forecast there will be 20.4 billion connected devices globally by 2020; Forbes estimated some 1.7 megabytes of new information will be created every second for every human on the planet by 2020.
“Criminals are out there adopting how they can use those pieces of information,” Buzzard warned. “It is far worse than people realize.” He added criminals have exploited, for profit, virtually every technological milestone involving some form of financial value, from phone cards in the 1980s to home equity loans and online credentials in the late 2000s.
The biggest shift more recently is toward stolen data aggregation. “We tend to fixate on payment card breaches like Chipotle due to the millions of consumer payment cards that are in play at retailers, but the truly valuable information to be stolen is richer,” Buzzard said. “Criminals tend to pay more for complete sets of PII and less for single payment card info.”
He pointed out there is just so much stolen card data in the wild, the fraud market is oversaturated. “The more you have, the cheaper it is.”
Buzzard explained, “There is a vast reselling market via the dark web where criminals offer up stolen payment cards, crimeware and crimeware-as-a-service in virtual stores.” They even provide customer service and custom-designed malware. Faster payments could also lead to more fraud without proper authentication of the payment initiators. To combat this, Buzzard suggested organizations consider multi-layer authentication like RSA and one-time passwords.
CO-OP disclosed it made a $25 million investment in people, infrastructure and processes to improve and innovate within the fraud-prevention space. That investment included machine-learning technology, which CO-OP plans to implement to help fight fraud on multiple CO-OP business platforms. Buzzard said the goal is to make everyone stronger in their awareness of fraud scams and how they can play a role in preventing its growth.
The $1.44 billion, Indianapolis-based Elements Financial Federal Credit Union, which is part of the CO-OP Network, in the past year made a demonstrated commitment to educate employees and members about cyber-threats such as data breaches and phishing attacks.
For employees, the credit union utilizes a monthly phishing test, online learning, and ongoing sharing of the latest cybersecurity alerts and news through meetings, the intranet, emails and Yammer.
“What we are doing, and continue to do, is test our employees monthly to protect against social engineering,” said Chris Sibila, EVP, payments and technology at Elements.
Elements utilizes a phishing security test from the Tampa Bay, Fla.-based cybersecurity firm KnowBe4. “They have a nice tool that lets you queue up varying types of social engineering tests that you send through email,” Sibila explained.
Stu Sjouwerman, CEO of KnowBe4, stated, “Credit unions, in general, have an enormous amount of PII and stiff regulatory requirements they have to adhere to. KnowBe4 helps them manage the ongoing problem of social engineering in a very economic fashion. Credit unions are expected to compete with larger banks with the same regulatory restrictions but without the big budgets to accompany the requirements.”
The Elements security team sends suspect email, without advance warning, and tries to trick staffers into clicking on links or opening attachments they shouldn't.
When Elements started these tests in December 2016, about 30% of their people failed. From that point forward they educated employees and continued to share examples of what is taking place in the threat world. Plus, they received online learning to help them recognize and understand the devastating organizational effects of social engineering.
“At six months into the year, we're staying under 10% of people clicking on it. Usually it's one, two or three people out of 180 who are falling for it,” Sibila said. He added they are doing a really nice job of either not clicking at all or clicking more often on the Report Phishing button in Microsoft Outlook.
Elements also partnered with the Chicago-based West Monroe Partners, a managed service provider that helps with overall security operations such as network penetration and firewall monitoring, as well as infrastructure management to ensure every server and virtual desktop deploys timely updates and patches.
“We reinforce that we don't want the bad guys to win here,” Sibila maintained.
The credit union, a SEG-based institution known as Eli Lilly Federal Credit Union until 2005, now works with 100 companies. Elements also educates members through 30-minute lunch-and-learn seminars, alerts, blogs and other community outlets.
Sibila revealed, “It's been incredible, the stuff that we have seen even as we try to educate our members.” He recounted a social engineering case on the member side in which a retiree scam victim, convinced he had won a lottery, was in the process of taking out more cash. An Elements employee spotted it and informed the credit union fraud department. “He had already lost $18,000 of his own money and was about ready to go big with these guys and send them more money. We talked him out of it and filed all the information about the event.” The credit union later learned from a DEA agent in Thailand the member was one of about 30 individuals duped by a cybertheft ring, which used the ill-gotten gains to fund terrorists.
Buzzard suggested these cybersecurity best practices for credit unions and members:
- Ask, “How can we show the member a near real-time snapshot of their accounts however and whenever they want it?” The answer may simply be lining up amenities like card control products, account alerts, email notifications and SMS messaging that the member controls.
- When criminals repeatedly victimize members, it's important to note their computers may contain keyloggers and malware.
- Corporate entities need to exercise the same care in educating their workforce on cybersecurity. “The dangers of ransomware show that normally cautious professionals can make a simple mistake by clicking on highly suspicious attachments,” he said.
- Procure cyber-crime prevention professionals to aid in penetration testing and risk assessments on an annual basis.
“I continue to stress with our staff, anything where we have people touching members, you just have to keep it top of mind,” Sibila said.
He advised credit union personnel to think a little more suspiciously before diving in and helping. “Especially in the credit union space where we are always talking about great member service, and going above and beyond, sometimes that works against us. Because the bad guys are trying to trick you into giving great service to a crook.”
© 2024 ALM Global, LLC, All Rights Reserved.