vCISO Cybersecurity Intelligence Brief: February 2026

Executive Summary

Every month, TraceSecurity’s Senior Information Security Engineers develop a Cybersecurity Intelligence Brief exclusive to our vCISO customers. These briefs include information on the latest threats to organizations, training recommendations, best practices, regulatory advice, and more. Below are a few highlights from our vCISO brief for February 2026.

This month’s brief covers escalating AI-powered phishing attacks targeting financial institutions, a critical vulnerability in widely-used payment middleware, and the emerging threat of deepfake-enabled business email compromise. We also provide staff training materials on recognizing AI-generated social engineering.

  • 847%: Increase in AI-Powered Phishing Targeting Banks
  • $4.9M: Average Cost of a Data Breach in Financial Services
  • 36 Hours: FFIEC Regulatory Notification Window

Emerging Threat Landscape

The following threats have been identified as having significant relevance to community banks, credit unions, and savings institutions during the current reporting period.

CRITICAL: AI-Generated Phishing Campaigns Targeting ACH & Wire Operations

Threat actors are using large language models to craft highly convincing phishing emails that mimic internal communications, vendor invoices, and regulatory correspondence. These attacks specifically target wire transfer authorization workflows and ACH file approval processes. Unlike traditional phishing, AI-generated content contains no grammatical errors and accurately mirrors institutional tone and formatting. Multiple community banks have reported losses exceeding $250,000 from single incidents.

Recommendation: Implement out-of-band verification for all wire/ACH requests above your established threshold. Deploy email authentication (DMARC/DKIM/SPF) at enforcement level. Train staff that grammatical perfection no longer indicates legitimacy. Consider implementing AI-based email analysis tools that detect behavioral anomalies rather than relying solely on content-based filtering.
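
One way to check the "enforcement level" part of this recommendation is to audit the DMARC TXT record each sending domain publishes. The sketch below is an added example, not TraceSecurity tooling; it assumes enforcement means a policy of quarantine or reject applied to all failing mail, and the records are constructed samples for example.com.

```python
# Policy strength, weakest to strongest (tag values defined in RFC 7489).
RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_tags(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def enforcement_gaps(record):
    """Return the reasons a record falls short of enforcement (empty list = enforced)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    policy = tags.get("p", "").lower()
    if policy not in RANK:
        return ["missing or invalid p= tag"]
    gaps = []
    if policy == "none":
        gaps.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        gaps.append(f"pct={pct} applies the policy to only part of failing mail")
    sub = tags.get("sp", policy).lower()  # sp defaults to the parent policy
    if RANK.get(sub, 0) < RANK[policy]:
        gaps.append(f"sp={sub} leaves subdomains weaker than the parent domain")
    return gaps

# Constructed sample records, as they would appear at _dmarc.example.com.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=reject; sp=none; pct=25"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, PARTIAL, ENFORCED):
        print(rec, "->", enforcement_gaps(rec) or "enforced")
```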

HIGH: Deepfake Voice & Video in Business Email Compromise (BEC)

Sophisticated threat actors are now combining traditional BEC tactics with AI-generated voice calls (“vishing 2.0”) that convincingly impersonate executives and Board members. At least three confirmed incidents in Q4 2025 involved deepfake voice calls instructing operations staff to initiate urgent wire transfers. One credit union reported that the synthetic voice was indistinguishable from their CEO.

Recommendation: Establish code-word verification for high-value transaction approvals requested by phone. Never authorize transactions based solely on voice or video calls. Update incident response playbooks to include deepfake scenarios. Brief Board members and senior management on this specific threat vector.

HIGH: Critical Vulnerability in MOVEit-Class File Transfer Software

A new zero-day vulnerability (CVE-2026-XXXX) has been disclosed in a widely-used managed file transfer platform common in financial services environments. The vulnerability allows unauthenticated remote code execution and has been actively exploited in the wild since late January. Institutions using this platform for SFTP transfers, core system file exchanges, or regulatory reporting should take immediate action.

Recommendation: Identify all instances of affected software in your environment and with your critical vendors. Apply vendor patches immediately or take systems offline until patches are available. Review transfer logs for indicators of compromise. Contact your TSP and core processor to confirm their patching status. File a SAR if unauthorized access is confirmed.

MEDIUM: QR Code Phishing (“Quishing”) Targeting Bank Customers & Staff

A growing trend of malicious QR codes appearing in physical mail, lobby signage overlays, and even ATM surroundings is directing users to credential-harvesting sites. Attackers place fraudulent QR codes over legitimate ones in branch locations or mail fake correspondence appearing to originate from the institution.

Recommendation: Educate customers and staff to verify QR code destinations before entering credentials. Conduct physical inspections of branch QR codes regularly. Consider removing QR codes from public-facing materials or using branded short URLs instead. Implement web filtering on employee devices to block known phishing domains.

Recognizing AI-Enhanced Social Engineering

Artificial intelligence has fundamentally changed the social engineering threat landscape. The traditional indicators that employees relied on to identify phishing and pretexting attempts are no longer reliable. This training module is designed to be shared with all staff and provides updated guidance for identifying modern social engineering tactics.

The Old Rules No Longer Apply

What We Used to Teach

  • Look for spelling and grammar errors
  • Be suspicious of urgent language
  • Check for generic greetings
  • Look for mismatched sender names

What We Teach Now

  • AI writes flawless emails; verify the request, not the writing
  • Urgency is the #1 tool; slow down every time
  • AI personalizes messages using public data about you
  • Verify through a separate, trusted channel, every time

5 Actions Every Employee Must Take

STOP: Pause Before Acting

When you receive any request involving money, credentials, account changes, or sensitive data, stop and take 30 seconds before responding. Attackers exploit the urgency instinct. A legitimate request will still be legitimate in 5 minutes.

VERIFY: Use a Separate Channel

If an email asks you to initiate a wire, change account details, or provide credentials, verify by calling the requester at their known phone number (not the one in the email). For executive requests, use the internal directory or walk to their office.

INSPECT: Check the Full Email Address

Hover over the sender’s name to reveal the actual email address. Look for subtle misspellings (rnicrosoft.com, tracesecurlty.com). Check if the reply-to address differs from the sender. AI-generated content may be perfect, but spoofed domains still contain tells.

REPORT: Flag It Immediately

If something feels off, report it to your IT/Security team immediately. Do not forward suspicious emails; use your organization’s phishing report button or notify IT directly. Early reporting can prevent losses and protect your colleagues.

PROTECT: Guard Your Credentials

Never enter your password on a page you reached by clicking an email link. Always navigate directly to the site. Never share MFA codes over the phone, even if the caller claims to be from IT or your bank’s vendor. Legitimate support will never ask for your full password or MFA token.
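
The INSPECT step above can also be automated at the mail gateway or in a phishing-report triage queue. The following is an added example, not part of the original brief: it flags sender domains that are visual near-matches of a trusted domain and Reply-To addresses that differ from the sender. The trusted-domain list, the confusable-character table, and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains the institution really corresponds with.
TRUSTED = {"microsoft.com", "tracesecurity.com"}

# Character sequences that read alike on screen, folded to one canonical form.
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))

def skeleton(domain):
    """Reduce a domain to a form in which visually similar spellings collide."""
    s = domain.lower()
    for seq, canon in CONFUSABLE:
        s = s.replace(seq, canon)
    return s

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Extract the lowercased domain from an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def inspect(raw_message):
    """Return findings for one raw RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if sender not in TRUSTED:
        for good in sorted(TRUSTED):
            if skeleton(sender) == skeleton(good) or edit_distance(sender, good) == 1:
                findings.append(f"lookalike:{sender}~{good}")
    if reply and reply != sender:
        findings.append(f"reply-to-mismatch:{reply}")
    return findings

# Constructed sample messages.
SPOOFED = ("From: Microsoft Billing <billing@rnicrosoft.com>\n"
           "Reply-To: ap-desk@example.net\nSubject: Invoice\n\nSee attached.")
LEGIT = "From: Alerts <alerts@tracesecurity.com>\nSubject: Brief\n\nHello."
```

A clean result here only means the headers passed these two checks; the request itself still needs verification through a separate channel.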


Resources

FFIEC IT Examination Handbook: ithandbook.ffiec.gov
CISA Alerts & Advisories: cisa.gov/known-exploited-vulnerabilities-catalog
FS-ISAC Threat Intelligence: fsisac.com
