NCUA Issues New Cyber Warning to CUs
It's the second such warning given to credit unions in the past six weeks.
Six weeks after it initially sent a warning to credit unions concerning the possibility of a Russian state-sponsored cyberattack, the NCUA has issued yet another warning.
In a Risk Alert letter to credit union boards of directors and CEOs, NCUA Board Chairman Todd Harper warned, “The ongoing conflict in Ukraine has raised concerns about potential cyberattacks in the U.S., including those against the financial services sector.”
The Risk Alert highlighted the risk of social engineering and phishing attacks against credit unions of all sizes. “All credit unions and vendors, regardless of size, are potential targets for cyberattacks, like social engineering and phishing attacks, and must remain vigilant. Your credit union should report any cyber incidents to the NCUA, your local FBI field office or the Internet Crime Complaint Center and the Cybersecurity and Infrastructure Security Agency,” the letter read.
On Feb. 9, weeks before the Russian invasion of Ukraine, the NCUA issued a statement asking credit union executives to “be aware of critical cyber risks and take urgent steps to reduce the likelihood and impact of a potentially damaging compromise.”
While there have not been any crippling cyberattacks reported in the credit union industry, or the financial industry as a whole, since the war in Ukraine began, Chris Sachse, CEO of the Baltimore-based cloud and cybersecurity organization Think|Stack, said earlier this month, “We have seen hundreds upon hundreds of percentage increase in attacks over the last two to three weeks. We are seeing the activity levels in ways that we haven’t seen.”
The NCUA’s Risk Alert reminded credit unions “of the ongoing threat of social engineering and phishing attacks and reiterates the continued importance of educating your employees and members on how to avoid these threats.”
The letter included ways to avoid being a victim of a phishing attack. Those steps include:
- Be suspicious of unsolicited phone calls, visits or email messages from individuals asking about employees or other internal information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes clicking on or following links sent in email.
- If you are unsure whether an email request is legitimate, try to verify it by contacting the entity directly by another means such as the phone.
- Install and maintain anti-virus software, firewalls and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your email client and web browser.
- Use and enforce the use of multi-factor authentication.
Recently, the NCUA created the Automated Cybersecurity Evaluation Toolbox, or ACET, for federally-insured credit unions to use when evaluating their levels of cybersecurity preparedness. The ACET is a downloadable, standalone app developed to be a holistic cybersecurity resource for credit unions, the NCUA’s letter stated.