Two-Crime Crimes

Many cyber criminals prey on consumers and businesses by gaining access to their personal information or financial accounts, either through coercion or use of malicious software. While individual consumers and businesses are the primary victims in these scenarios, they can impact credit unions as well.

In a recent cybersecurity webinar hosted by financial services research firm BAI, FBI Special Agent Eric Brelsford, who specializes in cyber-crime investigations, listed some of the top cyber-attacks currently targeting bank and credit union accountholders as fraudulent wire payments; card-not-present fraud, something criminals pivoted to amid the proliferation of EMV chip cards; and unauthorized access of online financial accounts, which can then be followed by fraudulent transactions such as money transfers.

Jim Van Dyke

Jim Van Dyke, SVP, digital financial wellness for the identity protection firm Sontiq, which in March acquired Breach Clarity, a fraud prevention and detection technology company that Van Dyke co-founded, said nearly all fraud that hits credit unions are "two-crime crimes." Fraudsters first compromise data belonging to an individual or business, often targeting small organizations with weak security postures, then turn around and use the data to commit fraud at the credit union.

"The most damaging breaches on a per-member basis or per-credit union basis are the ones that don't make the news," Van Dyke said. He added, "A really perfect example would be a neighborhood chiropractor, flower shop or electrical supply center, and these small businesses – and they may not necessarily be a Mom and Pop, they might have 100 or 500 employees – they don't have the data management practices and hygiene a big national corporation has. Everybody beat up on Equifax for their massive breach, but when you see these breaches [of small businesses], they have raised so much more risk of fraud on a per-member or per-credit union basis."

Fraudsters have had no qualms about targeting consumers and business owners who may have grappled with illness, unemployment or shuttered doors this past year. Exploiting their victims' desperation for money or COVID-related resources, many have easily stolen funds and scored personal and business information through a variety of pandemic-themed scams. Sontiq revealed some of the top digital COVID scams: Phishing attacks disguised behind texts, emails and voicemails promising COVID updates; fake offers of discounted travel, jobs, and COVID vaccines and "cures"; websites with phony COVID resources that capture personal information and money; and spoofed government and health organization communications.

Sean Murphy

BECU, which is based in Tukwila, Wash., and has $26.8 billion in assets and over 1.28 million members, has seen a wave of pandemic-related scams targeting members this past year and adjusted its communication strategy in response. The credit union's chief information security officer, Sean Murphy, said adversaries preyed on consumers awaiting funds from Paycheck Protection Program loans or stimulus payments, falsely promising information or payments in exchange for the release of personal data. To help members easily spot one of these schemes, BECU delivered communications detailing how the credit union would and would not contact members about pandemic-related financial assistance. He also noted he's seen an uptick in automated attacks in which criminals obtain credential databases on the black market and use them in an attempt to break into members' accounts. To reduce the threat posed by this technique, he advises members and employees to use different credentials for each website login.

"It's so convenient for the bad guys when there is the kind of content that we have now," said Murphy, who got into information security while serving in the Air Force and was chief information security officer for two large organizations – both of which called him in to help with recovery from a large data breach – before joining BECU. "This pandemic has caused a lot of stress, and to add to that stress, they're putting a sense of urgency in their emails to 'hurry up and do something,' and then almost without thinking, you'll click that link in it."

Third-Party Threats

Working with vendors is an often necessary way for credit unions to improve efficiency and provide quality products and services, but it also brings cybersecurity risks – as Cook Security Group Vice President of Compliance and Risk Steve Ryker wrote in a February article for CU Times, credit unions are "only as strong as their weakest vendor link." The NCUA ­highlighted this particular threat area in its April 22 warning, advising all credit union boards to review their relationships, and assess and mitigate risk as it relates to their specific supply chain.

Murphy emphasized that providers of IT and cybersecurity-related products and services are increasingly being targeted, not only by cyber criminals but nation states and government actors, meaning security professionals have had to pivot in their third-party vendor management processes and risk reviews.

"If you sell me a firewall, how am I, as BECU, going to vet that that firewall is free of bugs, or if I get updates, how do I know that that process is going to be free of malware?" he asked, noting that the high-profile SolarWinds attack occurred through updates.

Mitigating these threats involves regular reviews of third-party vendors' security postures and meticulous vulnerability management, which Murphy said is labor-intensive but very important in today's high-risk environment.

"In a third-party vendor risk management program, you have to look at their track record, artifacts that relate to their security posture and vulnerabilities that have been listed against their products," Murphy said. "You have to do your due diligence and not just from an RFP, initial purchase perspective, but on an annual basis."

Direct Hits

While criminals can certainly cause damage to credit unions through attacks on members and connected third parties, they sometimes go straight to the source. In BAI's webinar, Brelsford sounded the alarm on two types of crimes that can hit credit unions directly: Ransomware and business email compromise (BEC).

Ransomware attacks – in which criminals breach an organization's network, essentially hold its data hostage and refuse to release it until the organization pays a requested ransom amount, usually in Bitcoin – were prevalent before the pandemic but now pose even greater risk. Brelsford said typical ransom dollar amounts have increased from the tens of thousands to the hundreds of thousands; in addition, criminals are stealing data prior to requesting the ransom instead of just encrypting it like they used to, and are finding more weak networks to easily infiltrate due to the rise of remote work.

Targeted organizations can find themselves stuck between a rock and a hard place: The FBI does not recommend paying the ransom, however, some victims decide to pay because the cost of recovering their stolen data is even higher than the ransom amount, Brelsford explained. He added that even when the victim does not pay, criminals will follow through on their threats to release their data publicly and use the ­successful attack as a case study for their next victim.

To prevent ransomware attacks, Brelsford recommended teaching employees how to spot suspicious links, limiting the number of staffers with administrative access to systems holding critical data, monitoring admin login activity patterns to detect unusual behavior, and regularly creating and maintaining offline data backups.

In a BEC attack, a bad actor emails an employee who is responsible for wire transfers at an organization, impersonating a known vendor or company executive either by creating an email address that looks similar to the known party's address or hacking into the known party's email account, and duping the victim into wiring funds to the criminal. Brelsford said credit unions should monitor for email account logins from unusual places such as foreign countries where the credit union does not conduct business. He added that if recipients of suspicious wire transfer request emails simply picked up the phone to confirm the request, "they could probably prevent 90% of successful BECs."

Murphy said while BECU has seen ransomware and BEC attack attempts, they haven't been a problem for the credit union thanks to a combination of advanced security monitoring tools and employee education.

Strengthening Your Credit Union's Defenses

As cyber criminals continue to refine their attacks and exploit consumers' pandemic-related vulnerabilities, how can credit unions build stronger walls of protection for their institutions and members?

Due to its size, BECU has had the ability to invest in cybersecurity at industry standards. About two years ago, it made the decision to expand its investment, increasing its staff dedicated to the business area from 20 to 50, Murphy shared. He added while the investment can be a sticker shock to credit unions, there is strong evidence that a major security breach can cost a credit union in devastating ways, including a damaged reputation and loss of members.

When it comes to employee cybersecurity education, Murphy said while it's important to make employees aware of how important their role is in preventing attacks, credit unions must also ensure employees feel comfortable speaking up when they make a mistake that could lead to a breach – perhaps by offering an incentive for reporting such incidents. He also recommended credit unions focus on the frequency and content of their education programs. BECU conducts quarterly employee phishing tests with immediate feedback, quarterly training on special topics and on-demand training, and even held an educational festival during National Cybersecurity Awareness Month pre-pandemic.

"We try to do as much as we can to have interesting content for employees, but ultimately the messaging is about them being the first line of defense," Murphy said. "We want to build confidence and make them feel like if something happens or they suspect something, they're not at risk to tell people."

Van Dyke emphasized that credit unions, as relationship-oriented financial institutions, have an opportunity to eliminate the confusion around cybersecurity protocol for both employees and members through education. "We need people to know what their priorities should be and have a one-stop-shop approach, whether they're an employee or a member, to applying these tools and working from a prioritized set of risks," he said.