Three things credit unions should do to boost cybersecurity.
As the government shutdown continues, a large percentage of people who work on national cybersecurity remain furloughed. This includes many Department of Homeland Security and National Institute of Standards and Technology resources that would normally be watching the bad guys. This gap in defensive monitoring is practically an invitation for cyber attackers to ramp up their efforts. Many of these efforts will come in the traditional form of phishing, or fake communications designed to trick a user.
For example, after natural disasters or during times of great need, attackers are especially opportunistic, sending out phishing emails for spoofed or fabricated charities and stealing the money donated to the “cause.” Similarly, as credit unions have stepped up to address the need to help furloughed workers with member-friendly loans, this becomes a prime area where attackers can take advantage. Spoofing a credit union email, asking a member to log into a fake website or call a fake phone number, would be a simple and effective attack.
Attackers may also target a credit union directly by impersonating members and taking advantage of the credit union’s generosity by opening accounts or applying for a loan under the guise of furlough assistance. Identity theft continues to be a major issue and attackers will utilize any method necessary to achieve their goals.
It is also important to note that phishing is not limited to email. It can also occur over the phone or through text messages.
This is how attackers compromised 140 members at one credit union at the end of 2018: They used email, text, and phone to gain members’ login information and then transferred money out of the accounts.
So What Should CUs Do About Cybersecurity Today?
First, keep communication lines open to all stakeholders. Tell your members to be wary of suspicious emails and to verify links in emails before clicking on them, and let them know that you will never solicit usernames/passwords or personal information. Ask employees to be cautious when authenticating members on the phone and when reviewing member applications for accounts or loans. And talk to your business partners to understand what they are doing for security both in general and in response to the shutdown.
Second, ensure that your email security is up to the task. Talk to your email provider or your email security vendor about threats related to the government shutdown. This company should have a wide view of activity across multiple customers, so they should be educating you on what is happening. Ask if they are seeing any specific threats and what actions they recommend you take.
Third, evaluate your processes to ensure you are properly verifying member identity. This should include phone, paper and—especially—online authentication mechanisms. If you do not offer your members a multi-factor authentication option for online banking login, you are denying them the ability to protect their money. Attackers are very good social engineers and people will fall for their phishing schemes. It is imperative that credit unions take the necessary precautions to protect members and themselves, especially during this time of heightened risk.
Justin Silbert is chief information security officer at CUES Supplier member and strategic provider LEO Cyber Security, Dallas, a cybersecurity consulting company specializing in maturing security programs through leadership, cyber operations, incident response, and compliance.