There’s No Such Thing as Too Small to Hack

People are a credit union’s greatest asset. They also represent one of its most significant liabilities.

Just as imagination, tenacity and ambition can mobilize missions, carelessness, apathy and naiveté can cripple them. So, too, can a basic lack of awareness or education around threats facing the organization.

Cybercrime is one such threat. While the hazard of a data or systems breach is substantial for organizations of all sizes, it’s particularly worrisome for small and midsize businesses (SMBs), a category home to many credit unions.

It’s not uncommon for credit union leaders to believe their cooperative is too small to hack. However, size is irrelevant to cyber crooks in search of valuable consumer data. Even a small amount of stolen personally identifiable information can be extremely profitable in the digital black market.

It’s easier than ever for cyber crooks to earn a remarkable ROI on their hacking investment. Armed with automated technologies that scan the connected universe for open doors, credit unions are just as vulnerable as major corporations, if not more so. Attackers simply walk through the first open door and take as many (or as few) records as they can. Then, it’s off to the next victim.

So what do hackers want with credit unions? Two things:

• Data: Any amount of it is valuable, especially when you consider the organically growing databases of PII on the dark web. You don’t have to have a million member records to be on a hacker’s radar.
• Connections: In this era of seamless integration, vendors have an increasing level of access to credit unions’ systems and data. Hackers know all too well that third parties are the Achilles heel of even the most fortressed of companies.

While the tools and methods used to exploit the workforce vulnerability are continually changing, there are several that continue to cause trouble for credit unions and other employers. Five, in particular, are wreaking ongoing havoc on organizations across all industries.

Phishing and Social Engineering

Social engineering is especially effective when paired with spear phishing, an attack targeted at a specific individual or organization. The killer combo of social engineering and spear phishing might present itself like this: A cyber crook targeting a credit union CEO keeps an eye on their LinkedIn activity and sees that they are speaking at an out-of-town conference on Friday. A well-timed email to the credit union’s CFO, cleverly disguised as coming from the CEO, requests an immediate wire transfer. For extra assurance, the email references the CEO’s out-of-office status and gives the CFO permission to bypass the company’s protocols.

Because social engineering often relies on psychological manipulation, an employee who falls victim to an attack can feel incredibly embarrassed, upset or guilty. It’s especially important in these cases to ensure the employee feels supported and isn’t overly penalized for taking the bait.

Ransomware

Ransomware is among the most significant threats facing SMBs, and industry experts advise the attacks are expected to become even more common in the future. Based on its study of the threat environment, Cisco has ransomware growing at a yearly rate of 350%.

In one recent, widespread attack, a ransomware strain was spread through romantic emails delivered around Valentine’s Day. Curious, and perhaps hopeful, victims downloaded and opened an attachment – something the ransomware designers stimulated by including only an asterisk in the body of the email. Once downloaded, the attachment, which was disguised as a text file, instantaneously encrypted their personal data and held it for ransom.

While every credit union has different protocols, it’s critical all employees are aware of them. Because cybercriminals often make it easy to comply with their demands, employees, especially those who feel bad about falling for the trap, may take it upon themselves to pay the ransom. This could open the credit union up to an entirely new set of challenges. What’s more, there’s no guarantee payment will result in the restoration of the cooperative’s data.

Credential Stuffing

Credential stuffing is an automated attack in which cybercriminals populate online forms with stolen credentials at an extremely rapid pace. Cyber crooks, armed with large scale bots, attempted this attack 28 billion times in the second half of 2018 alone.

Although e-commerce sites seem to be the favorite among credential stuffing hackers, credit unions with online and mobile banking channels are also extremely vulnerable to this attack.

You may wonder how this is related to frontline employee vulnerability. Here’s the deal – credential stuffing is only possible because of poor password habits. If people did not reuse their passwords as often as they do, these automated attacks, which rely on large collections of stolen credentials sold on the dark web, would be much less effective.

The other relationship between credential stuffing and employees is their ability to spot suspicious activity. The whole point of this attack is to take over the account of a legitimate member. Employees who are empowered with sophisticated fraud prevention tools and a good protocol for reporting suspicious activity are in the best position to mitigate losses from a credential stuffing attack.

Mobile Malware

The proliferation of bring-your-own-device to work cultures has greatly increased the attack surface for cybercriminals. With 5G around the corner, more employees than ever before are expected to check off their professional to-do lists via connected mobile devices.

Two inherent qualities of mobile devices make them a breeding ground for cyber malware. Small screens and atypical formats can cause employees to overlook something that may seem odd were it viewed on a desktop computer or even a laptop. The need for Wi-Fi access to download big files or work at a decent speed creates a second vulnerability, as it tempts many users to fall for free wireless hotspots operated by cybercriminals.

According to Fortinet’s Threat Landscape Report for Q3 2018, 26% of the organizations studied in that quarter were attacked by malware that specifically targeted mobile devices like smartphones and tablets.

Then, there are the mobile app copycats. Distributed through vendor-based stores, these are look-alike apps employees may download to make it easier to work while away from the credit union office. Employees can use them for weeks, months or longer without realizing they’ve downloaded a malware-infected fake.

Consider, too, that devices like USB drives and USB-powered gadgets, like desktop fans and novelty keyboards, can be loaded with malware. Once plugged into a computer at work, these seemingly benign devices become door openers for any number of cyber threats.

These are just five of a growing number of threats against credit unions, their employees and members. All it takes is one mistake by an employee in the building, or another working remotely, to let the bad guys in. Often, employees don’t even realize they are engaging in risky behaviors. Leadership owes it to their boards of directors and members – and the employees themselves – to invest in properly training the frontline for the inevitable cyberattack coming their way.

Corey Skadburg is COO of BrightWise. He can be reached at corey.skadburg@bright-wise.com.