In late January and early February, U.S. credit unions became the target of a massive malware-laced phishing campaign, aimed specifically at the contacts credit unions have named as Bank Secrecy Act (BSA) officials overseeing money laundering information under the direction of the USA PATRIOT Act.
The act requires all U.S. financial institutions to designate at least two BSA contacts, who are responsible for flagging and reporting suspicious transactions that may be associated with money laundering, explains the Krebs on Security blog. U.S. credit unions are required to register those BSA officers with the National Credit Union Administration.
At the end of January, BSA officers at many U.S. credit unions began receiving phishing emails designed to look like they were sent by BSA officers at other credit unions, Krebs on Security further reports.
“The missives addressed each contact by name, claimed that a suspicious transfer from one of the recipient credit union’s customers was put on hold for suspected money laundering, and encouraged recipients to open an attached PDF to review the suspect transaction. The PDF itself comes back clean via a scan at Virustotal.com, but the body of the PDF includes a link to a malicious site,” Krebs on Security’s post states.
The campaign eventually made its way to BSA contacts at other financial institutions, not just credit unions.
At the time, the NCUA conducted a review of its security logs and alerts but did not find any indication that information was compromised. The association asked all credit unions to be wary of any suspicious emails and referred anyone interested in learning more to its Cybersecurity Resources webpage.
Who’s at Risk for Email Fraud?
Proofpoint surveyed more than 2,250 IT decision-makers in eight countries in January 2018 (see “Understanding Email Fraud: A Global Survey of IT Leaders in the U.S., the U.K., Australia, France, and Germany.”) It found that email fraud “is pervasive, disruptive, and in many cases, catching businesses unprepared.” Only 40 percent of respondents said they had “full visibility into email fraud threats in their environment, and even fewer have controls in place to stop them.”
More than half (55 percent) of respondents said their finance team is most at risk for email fraud, the report goes on to state. It’s no surprise, then, that financial institutions themselves are under such relentless attack.
CDW’s Cybersecurity Insight Report, published in 2018, found that when compared to malware, viruses, data tampering and unauthorized access to financial data, fraud was considered a lesser threat, “often ignored — even though it has become the top cause of security breaches.”
The report outlines how focusing on people better helps organizations mitigate such risks.
“We believe that making security awareness personal helps instill good practices,” writes Mike Pflieger, vice president of enterprise information management and CISO for CDW. “Organizations can’t expect each employee to read and understand a comprehensive security policy. They can, however, extract those parts which are important and apply to them. Through targeted communication, training and handbooks, we can educate employees on their specific role-based responsibilities when it comes to protecting data.”
Proofpoint’s survey also found that more than half of respondents (57 percent) offer an end-user awareness program on phishing, and 32 percent planned to deploy one. Among industries, 66 percent of finance and professional services companies train employees on how to spot phishing emails.
4 Steps Credit Unions Can Take to Fight Email Fraud
That’s a good start. What else can credit unions do to better protect their data and networks? This recent EquITy blog post highlights advice from Karen Scarfone, principal consultant for Scarfone Cybersecurity:
- Protect vulnerable sessions. When email client software establishes a session with a server, it’s often not protected. Credit unions and other businesses have a couple of options here: Transport Layer Security (formerly known as Secure Sockets Layer) protects all sessions using email protocols, including IMAP, POP and SMTP. Second, a web-based email service instead of locally installed email client software ensures TLS will protect the web traffic. Both options also require strong passwords and multifactor authentication.
- Check out modern anti-malware. New solutions incorporate artificial intelligence and other tools that can detect and protect against as-yet-unknown malware and help users stay a step ahead.
- Monitor the health of all email client devices. Automated health checks will flag problematic accounts and identify emerging security problems, such as end-user systems that use weak security settings or lack OS and email client software patches.
- Incorporate data loss prevention tools. “Cyberthieves commonly use email as a preferred mechanism for exfiltration — the unauthorized transfer of sensitive information outside the business or organization,” Scarfone writes. “Malicious insiders often use their email accounts to forward sensitive data files to other email addresses, and attackers use compromised accounts similarly. Data loss prevention technologies can detect and stop these threats.”
“Whenever possible, DLP tools should be used to monitor email servers and any client devices with access to sensitive data that might be an enticing target,” she continues.
Common DLP tools include Symantec’s Data Loss Prevention Network Monitor and Network Prevent for Email and IBM InfoSphere, among others.