Risk & Fraud

How’s the Phishing?

By: Gene Fredriksen, Security Strategy Consultant

I recently worked with a credit union that had just been the victim of a phishing attack. The email looked official, and the link directed the staff to a page that was a perfect copy of an Office 365 login page. One employee clicked the link and entered credentials. The attackers quickly sent out thousands of duplicate phishing emails to the credit union’s members. The only difference – the email looked as if it came from the credit union employee. No data was lost, but the organization had to send notification letters to its members, telling them to ignore the email. This was embarrassing, to say the least.

Did you know that email remains the top route for criminals to steal data and siphon billions of dollars each year? A standard industry benchmark is that 90% of targeted attacks begin with email. Nearly all of them rely on a human clicking a link. What does this mean to your credit union? People are your most significant risk for phishing attacks. You can’t entirely rely on technology to protect your organization; you must continuously train and test your employees.

Proofpoint, a security company, recently issued a phishing report. The company’s findings were based on a survey of 600 security professionals and 3,500 workers in Australia, France, Germany, Japan, Spain, the United Kingdom and the U.S. The survey results on phishing and ransomware come as “employees feel burned out, emotionally drained and distracted,” Proofpoint says, making them more susceptible to falling for such attacks. “Meanwhile, cyber attackers are as adept as ever; they continue to use tactics and lures that resonate with employees and consumers alike.”

The report revealed the following statistics, showing an alarming increase in phishing attacks:

  • Email-based phishing: 83% of organizations said they experienced a successful email-based phishing attack in 2021 versus 57% in 2020. That equates to a 26% increase in organizations hit with a successful phishing attack last year.
  • Spear phishing attacks: 79% of organizations saw spear phishing attacks (attacks targeting specific users) in 2021. That’s up from 66% the year before.

What is phishing again?

Spoofing techniques are frequently used in phishing operations to entice people to take the bait. In this case, the email looks as if it comes from a trusted source like HR or IT. These emails are designed to fool people into giving criminals information that they shouldn’t have.

In a phishing scam, a person may receive an email that appears to come from a reputable company, asking them to update or verify their personal information by responding to the email or visiting a website. The web address may look identical to one they have seen previously. The email may persuade them to perform the required action.

When the person clicks on that link, they are sent to a spoofed website that looks almost identical to the real thing. It could look like their bank, credit union or credit card site. They will be requested to enter sensitive passwords, credit card numbers, banking PINs and other personal information. These phony websites exist only to steal their data.

Stay alert

Here are some tips to help avoid falling for a phishing attack to share with your employees:

  • Companies won’t contact you to ask for your account or password.
  • In an unwanted email, don’t click on anything. Look up the company’s phone number on your own and call to see if the request is authentic.
  • Examine the email address, URL and spelling in any email or message carefully. If you are suspicious, delete it.
  • Be cautious about what you download. Never open an attachment from an unknown sender.

Phishing scams often capitalize on current events and news. One of today’s top scams involves mentioning the Russian invasion of Ukraine. These scams are being sent in phishing emails by the millions. The criminals have set up donation scams and used the attack to trick victims into making credit card donations. Threat actors used email subject lines such as “Ukraine Donations” and “Help save children from Ukraine” to target potential phishing victims.

What can your credit union do?

An organization’s first line of defense against phishing is the training and awareness of employees. Your credit union can establish a phishing awareness program that periodically sends an email to your employees that resembles a phishing message. The program should be designed to be a safe, educational environment for users to practice phishing email identification, with no penalty if a link is clicked.

Ultimately, we want participants to recognize, report and avoid phishing attacks. The key to successful phishing risk reduction is training, assessing and re-training our staff. Experience has shown us that ongoing training is still the best way to improve employees’ ability to identify, understand and prevent phishing attacks.

Where can you get additional information?

Connect with other credit unions across the country to see how they are responding to this threat. Reach out to credit union service organizations (CUSOs) for help. The National Credit Union Information Sharing and Analysis Organization (NCU-ISAO) is an industry threat-sharing organization that provides a lot of information and education at ncuisao.org.

Remember – don’t get hooked by phishers. If you suspect deceit, hit delete!

Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT CUSO. He has previously held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.

Fredriksen served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.