
vCISO Cybersecurity Intelligence Brief: April 2026

Executive Summary

Every month, TraceSecurity’s Senior Information Security Engineers develop a Cybersecurity Intelligence Brief exclusive to our vCISO customers. These briefs include information on the latest threats to organizations, training recommendations, best practices, regulatory advice, and more. Below are a few highlights from our vCISO brief for April 2026.

This month’s brief addresses the growing threat of AI-accelerated cyberattacks following federal warnings to major banks, the Scattered Spider cybercrime group’s expanding operations targeting financial services, the FFIEC CAT retirement and transition to NIST CSF 2.0, and the emerging risk of Microsoft Teams impersonation attacks. We also provide staff training materials on recognizing help desk impersonation and social engineering via collaboration platforms, and outline best practices for identity and access management hardening.

80%+

Share of Incidents Tied to Stolen Credentials or Compromised Accounts,
Making Identity-Based Attacks the Leading Breach Vector

$6.08M

Average Cost of a Data Breach
in Financial Services (2024)

<30%

Share of Financial Institutions that have
Completed the Transition from FFIEC CAT to NIST CSF 2.0

Emerging Threat Landscape

The following threats have been identified as having significant relevance to community banks, credit unions, and savings institutions during the current reporting period.

CRITICAL: AI-Accelerated Cyberattacks: Federal Warning to Financial Sector

Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an emergency meeting with major bank CEOs in early April to warn that advanced AI tools are now enabling threat actors to reduce the cost, time, and expertise needed to launch sophisticated cyberattacks. Federal officials reported that AI-generated phishing messages are increasingly indistinguishable from legitimate communications, and that advanced language models now enable even novice actors to produce highly credible attacks. Identity-based attacks have become the leading method for initial access, with more than 80% of incidents now tied to stolen credentials or compromised accounts. A joint House task force issued recommendations calling for stronger cybersecurity standards and better oversight of AI use across government and financial services.

Recommendation: Review and update your institution’s phishing awareness training to address AI-generated threats specifically. Implement phishing-resistant MFA (hardware tokens or FIDO2/passkeys) for all privileged accounts and remote access. Deploy email authentication (DMARC/DKIM/SPF) at enforcement level. Consider AI-based email analysis tools that detect behavioral anomalies. Brief your Board on the federal advisory and document your institution’s response in your risk assessment.

HIGH: Scattered Spider Targets Financial Services with Social Engineering

Scattered Spider, the English-speaking cybercrime collective responsible for high-profile breaches at Caesars Entertainment and MGM Resorts, has expanded its targeting to the financial services sector. CISA and the FBI issued an updated joint advisory in July 2025 warning that the group is deploying DragonForce ransomware alongside its signature social engineering tactics. The group specializes in SIM-swapping attacks, MFA fatigue (push bombing), and impersonating IT help desk personnel to obtain credentials. A senior member of the group pleaded guilty on April 18, 2026 to wire fraud conspiracy and aggravated identity theft, confirming the group’s continued activity. Scattered Spider has directly targeted multiple financial institutions including PNC Financial Services, Truist Bank, and several insurance companies.

Recommendation: Implement strict verification protocols for all help desk password reset and MFA bypass requests. Train help desk staff to verify caller identity through callback procedures using known contact numbers. Deploy phishing-resistant MFA that cannot be bypassed through MFA fatigue attacks. Review your institution’s SIM-swap protections for executive and privileged accounts. Monitor the CISA advisory (AA23-320A) for updated indicators of compromise.

HIGH: Microsoft Teams Impersonation Attacks Targeting Enterprise Access

Microsoft issued a warning in April 2026 that threat actors are increasingly abusing external Microsoft Teams collaboration features and legitimate remote administration tools to impersonate help desks and gain enterprise access. The attack pattern involves sending Teams messages from external tenants that appear to originate from internal IT support, directing employees to install remote management tools or visit credential-harvesting sites. Once access is established, attackers use the legitimate remote tools for persistence and lateral movement without triggering traditional security alerts. Financial institutions that use Microsoft Teams for internal communications are particularly vulnerable to this vector.

Recommendation: Review and restrict external tenant access settings in Microsoft Teams. Implement policies that prevent external users from initiating chats with internal staff unless their domain is explicitly allowlisted. Train staff to verify any IT support requests received through Teams using a separate, trusted channel. Monitor for abnormal remote administration tool execution across user support workflows, in particular tools that were never deployed by the institution or that run from user-writable paths. Update your acceptable use policy to address collaboration platform security.
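The attack pattern above leaves a consistent trace on the endpoint: a remote-management binary that the institution never deployed, launched by a logged-in user from a browser or Explorer rather than by the software distribution service, and living under the user's profile. The following is an added example for this brief, not TraceSecurity's or Microsoft's code, showing detection logic over process-creation events shaped like Sysmon Event ID 1 (ProcessCreate). The events are constructed samples; the sanctioned tool, the deployment paths and the list of interactive parent processes are assumptions you would replace with your own software inventory and then run against SIEM data.

```python
"""Flag remote-management (RMM) tool launches outside the sanctioned support workflow.

Added example for this brief, not TraceSecurity's or Microsoft's code. The events
are constructed to mirror the fields of Sysmon Event ID 1 (ProcessCreate); in
production you would pull them from your SIEM. The sanctioned tool and the
deployment paths are assumptions to be replaced with your own inventory.
"""
from dataclasses import dataclass
import ntpath  # Windows path semantics even when this runs on Linux/macOS

# Binaries of commonly abused RMM/remote-access tools (names only; extend from your inventory).
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "rustdesk.exe", "atera.exe", "ateraagent.exe",
    "splashtopstreamer.exe",
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
}
# Assumption: the institution deploys ScreenConnect via software distribution into
# Program Files; no other tool in RMM_BINARIES is approved on workstations.
SANCTIONED = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
DEPLOYMENT_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\temp\\")
# Parents that mean a person clicked something, rather than an installer or service.
INTERACTIVE_PARENTS = {
    "explorer.exe", "msedge.exe", "chrome.exe", "firefox.exe",
    "ms-teams.exe", "teams.exe", "outlook.exe",
}


@dataclass
class ProcessEvent:
    image: str          # Sysmon Image: full path of the new process
    command_line: str   # Sysmon CommandLine
    user: str           # Sysmon User: account the process runs as
    parent_image: str   # Sysmon ParentImage


def classify(ev: ProcessEvent) -> list[str]:
    """Return the reasons this launch is suspicious; an empty list means no finding."""
    name = ntpath.basename(ev.image).lower()
    if name not in RMM_BINARIES:
        return []
    path = ev.image.lower()
    parent = ntpath.basename(ev.parent_image).lower()
    reasons: list[str] = []
    if name not in SANCTIONED:
        reasons.append(f"unsanctioned remote-access tool {name}")
    elif not path.startswith(DEPLOYMENT_DIRS):
        reasons.append(f"sanctioned tool {name} running outside its deployment path")
    if any(seg in path for seg in USER_WRITABLE):
        reasons.append("binary lives in a user-writable location")
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"started interactively from {parent} (user-driven install, not deployment)")
    return reasons


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Keep only events with at least one reason, preserving order for the analyst."""
    return [(ev, reasons) for ev in events if (reasons := classify(ev))]


# Constructed sample events (no real hosts, users or binaries).
SAMPLE_EVENTS = [
    # Sanctioned agent installed by deployment, started by the service control manager.
    ProcessEvent(
        image="C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe",
        command_line='"C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe"',
        user="NT AUTHORITY\\SYSTEM",
        parent_image="C:\\Windows\\System32\\services.exe",
    ),
    # The Teams-impersonation pattern: user followed a link and ran AnyDesk from Downloads.
    ProcessEvent(
        image="C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
        command_line='"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"',
        user="CORP\\jdoe",
        parent_image="C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
    ),
    # Attacker-supplied copy of the sanctioned tool dropped into Temp and run by hand.
    ProcessEvent(
        image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe",
        command_line='"C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe"',
        user="CORP\\jdoe",
        parent_image="C:\\Windows\\explorer.exe",
    ),
    # Ordinary process, ignored.
    ProcessEvent(
        image="C:\\Windows\\System32\\notepad.exe",
        command_line="notepad.exe",
        user="CORP\\jdoe",
        parent_image="C:\\Windows\\explorer.exe",
    ),
]


if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {ev.user} ran {ev.image}")
        for reason in reasons:
            print(f"         - {reason}")
```

The third sample is the case that a plain "known RMM binary name" rule misses: the attacker uses the same product the institution already runs, so the name alone is expected on every endpoint, and only the path and the interactive parent give it away. Pair this with a Teams external-access allowlist so the alert is rare enough for the help desk to treat every hit as a live incident.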

HIGH: Supply Chain Attacks Continue to Cascade Through Financial Services

Third-party vendor breaches remain a primary threat vector for financial institutions. In 2025, a ransomware attack on a financial software provider impacted more than 70 U.S. banks and credit unions. A separate breach at a credit reporting agency through a compromised CRM system exposed over 4 million consumers’ personal information. Mandiant reports that financial services accounted for 17.4% of all cyber investigations conducted globally in 2024—the highest of any sector. Verizon’s 2025 DBIR found third-party involvement in breaches doubled year-over-year to 30%. Cyber insurance data shows data theft-only extortion attacks rose from 49% to 65% of claims in the second half of 2025, indicating attackers are shifting from encryption to pure data exfiltration.

Recommendation: Review vendor contracts to ensure 24-hour incident notification requirements for critical/high severity events. Request confirmation from critical vendors regarding their patch management and MFA programs. Evaluate fourth-party risk for your most critical service providers. Ensure your institution has documented procedures for responding to a vendor-originated breach. Review cyber insurance coverage to ensure it addresses data exfiltration scenarios, not just ransomware encryption events.

MEDIUM: FFIEC CAT Retirement: Framework Transition Required Before Next Exam

The FFIEC Cybersecurity Assessment Tool (CAT), the standard framework used by community banks and credit unions since 2015 to assess cybersecurity maturity, was officially retired on August 31, 2025 following OCC Bulletin 2024-25. The FDIC, NCUA, and other FFIEC member agencies issued parallel guidance directing institutions to adopt any industry-standard cybersecurity framework appropriate for their risk profile. Four primary options have emerged: NIST CSF 2.0 (selected by approximately 73% of institutions), the Cyber Risk Institute (CRI) Profile (a financial-sector-specific framework that consolidates over 2,500 regulatory expectations into 318 diagnostic statements with impact tiering), CISA Cybersecurity Performance Goals (CPGs) (a prioritized set of practical, high-impact security practices), and CIS Critical Security Controls (a prescriptive, prioritized set of defensive actions). Despite broad adoption intent, fewer than 30% of institutions have completed the transition. Examiners will no longer use CAT to evaluate cybersecurity preparedness, and institutions still referencing CAT maturity levels face examination findings and potential MRAs.

Recommendation: Select the framework most appropriate for your institution’s size, complexity, and risk profile. NIST CSF 2.0 provides a broadly recognized, flexible foundation. The CRI Profile offers financial-sector-specific diagnostic statements with built-in regulatory mappings and impact tiering scaled to institution size. CISA CPGs provide a practical, prioritized starting point for institutions seeking to establish or strengthen baseline controls. CIS Critical Security Controls offer prescriptive, implementation-focused guidance organized by priority. Many institutions are using a combination—for example, NIST CSF 2.0 or the CRI Profile as the primary framework with CISA CPGs mapped as supplemental benchmarks. Map existing controls from your CAT assessment to identify gaps, update Board reporting and examination documentation, and complete the transition before your next scheduled examination.

Recognizing Help Desk Impersonation & Collaboration Platform Attacks

The Scattered Spider cybercrime group and similar threat actors have demonstrated that social engineering through help desk impersonation and collaboration platforms like Microsoft Teams is now a primary attack vector. These attackers impersonate IT support personnel to trick employees into resetting credentials, approving MFA prompts, or installing remote access tools. This training module is designed to be shared with all staff and provides guidance on recognizing and reporting these attacks.

What We Used to Teach

  • IT support calls are always legitimate
  • MFA prompts mean someone is trying to help
  • Internal chat messages are trustworthy
  • Help desk can reset passwords by phone

What We Teach Now

  • Attackers impersonate IT support convincingly
  • Never approve MFA prompts you did not initiate
  • External Teams messages can be spoofed to look internal
  • Verify all credential requests through a separate channel

5 Actions Every Employee Must Take

VERIFY: Confirm IT Requests Through Known Channels

If you receive a call, email, or Teams message from someone claiming to be IT support, do not provide credentials, approve MFA prompts, or install software. Instead, contact your IT department through a known phone number or walk to their office. Attackers are skilled at creating urgency—a legitimate IT request will still be valid after you verify it.

NEVER APPROVE: Unsolicited MFA Prompts

If you receive an MFA push notification or authentication prompt that you did not initiate, deny it immediately and report it to your IT/Security team. MFA fatigue attacks work by repeatedly sending prompts until the user approves one out of frustration. Approving a single fraudulent prompt can give an attacker full access to your account.

INSPECT: Check External Collaboration Messages

When you receive a Teams message, Slack message, or other collaboration platform communication, check whether it’s from an external user. Look for “External” tags or unfamiliar domain names. Never click links or download files from external collaboration messages without verifying the sender through a separate channel.

REPORT: Flag Suspicious IT Contact Immediately

If someone contacts you claiming to be from IT or a vendor and asks you to reset your password, install software, or share a verification code, report it immediately even if you are not sure it’s malicious. Early reporting of social engineering attempts can prevent a full breach. Use your organization’s incident reporting procedures.

PROTECT: Secure Your Identity

Use unique, strong passwords for every system. Never share your password or MFA codes with anyone, including people who claim to be IT support. If your institution offers hardware security keys or passkeys, use them—they are resistant to phishing, SIM-swapping, and MFA fatigue attacks. Enable account lockout notifications where available.


Resources

FFIEC IT Examination Handbook: ithandbook.ffiec.gov
CISA Known Exploited Vulnerabilities Catalog: cisa.gov/known-exploited-vulnerabilities-catalog
CISA Scattered Spider Advisory: cisa.gov/news-events/cybersecurity-advisories/aa23-320a
FS-ISAC Threat Intelligence: fsisac.com
NIST Cybersecurity Framework 2.0: nist.gov/cyberframework
CRI Profile (Cyber Risk Institute): cyberriskinstitute.org/the-profile
CISA Cybersecurity Performance Goals: cisa.gov/cross-sector-cybersecurity-performance-goals
CIS Critical Security Controls: cisecurity.org/controls
