
Phishing attacks target every industry; however, financial institutions are dealing with more than their share. In 2023, according to PYMTS.com, fraud-related costs surged to $3.8 million for financial institutions with assets exceeding $5 billion, a 65% increase from the previous year. Forty-seven percent of financial institutions reported account takeover (ATO) fraud in the past year, while phishing attacks continue to target 73% of banking customers, leading to further security breaches.

Numbering just over 4,500, credit unions are a mainstay in the U.S. and are not exempt from scams or fraud. The threat research team at my company recently identified a surge in phishing attacks targeting these institutions and smaller lending partners. We uncovered a sharp increase in malicious URLs targeting prominent credit unions and banks, with an average of 500 phishing domains during the months of May, July and August 2024, with more than 4,000 URLs found in June 2024 alone. The scale and coordination of these attacks suggest a well-organized operation. The result is widespread risk for financial institutions and their members.

How the Scams Are Perpetrated

While attackers’ strategies vary, one way in has been to host multiple phishing websites behind a single IP address. Phishing links remain a popular method of compromising credentials. The websites’ landing pages reveal nothing suspicious to most visitors; only when attackers append index.html or page.html to the URL do the phishing pages become visible, and then only to someone with a keen eye. As with all phishing web exploits, the pages are built to mirror the login screens of legitimate credit unions and banks. Users are then deceived into entering their personal information, including account numbers and passwords.

Another, not uncommon, way to deceive users is business email compromise (BEC). Attackers craft their own emails designed to look like legitimate communications from the credit unions they are targeting. The scam begins when a user enters their information on a phishing page; that information is then sent directly to the attacker’s email addresses instead of to the credit union. While many people think they can spot imposter emails, these often closely resemble the actual organization’s branding and layout. The attacker’s end goal is access to personal information and, in turn, to accounts.

Five Security Measures to Adopt

With no credit union immune to phishing scams, organizations can adopt security measures to better protect the institution and its members. No measure can guarantee attackers won’t succeed, but proactive, appropriate security measures increase the likelihood of stopping an attack. These include:
  • Train Members and Employees: It may sound simple, but creating awareness and conducting consistent training sessions to educate members and employees on recognizing the signs of phishing scams is critical. Some credit unions are already doing this. For example, Navy Federal Credit Union has an extensive ‘Phishing Scams’ webpage available. And Patelco Credit Union in California created a comprehensive fraud protection site that its members can quickly and easily access, especially when they get a suspicious phone call, email or text.
  • Alert Members to Imminent Risk: Ensure your members know about potential threats as they arise and arm them with information and the tools and knowledge to protect themselves and their personal information. TLC Community Credit Union in Michigan did just this when it warned members of a recent wave of text message scams.
  • Detect and Block Malicious Emails: Use email filtering systems to identify and block emails from well-known malicious addresses. Security teams should have a list of known attackers’ email addresses. While this can’t block every suspicious email, it is a first step. Blocking threats from unknown attackers is the next and critical step. AI tools today can enable organizations to analyze emails in real time and take immediate action to prevent malicious messages from reaching inboxes.
  • Authenticate URLs: Take an extra step to closely look at website URLs. Do not spend time on any website where the URL is inconsistent or includes unfamiliar additions such as “index.html” or “page.html.” A consistent way to identify malicious emails is to check the web address that a link would lead you to.
  • Leverage Multi-Factor Authentication (MFA): MFA, which requires two or more pieces of identification to authenticate a user, adds an extra layer of security and strengthens access controls, making it more difficult for attackers to gain access. Credit unions can leverage passkeys as an alternative to passwords to achieve MFA in a single step. Designed to protect against phishing attacks, passkeys eliminate the need to manage multiple passwords and are standardized by the FIDO Alliance. Passkey authentication leverages public key cryptography and biometric authentication to verify a user.
Staying one step ahead of cyber attackers is an ongoing effort that requires awareness, and of course, a series of proactive security practices. With these practices implemented, financial institutions can lessen the risks and protect their members’ information and financial resources.

Abhilash Garimella

Abhilash Garimella is the Vice President of Research at the Santa Clara, Calif.-based cybersecurity company Bolster AI.

© 2025 ALM Global, LLC, All Rights Reserved.