How phishing attacks are spoofing credit unions to steal money and account credentials

Attackers are impersonating local credit unions to capture personal information and extract money, says Avanan.


Phishing emails work by masquerading as seemingly legitimate messages from well-known or essential companies and businesses. The goal is to trick the recipient into sharing account credentials and other sensitive data associated with the spoofed company. A report released Thursday by email security provider Avanan reveals how a new phishing campaign is taking advantage of credit unions to steal money and information.


Since February 2022, Avanan has seen a dramatic increase in phishing emails impersonating local credit unions. This trend follows an earlier statement from the National Credit Union Administration advising credit unions to adopt a heightened state of awareness about threats amid the current geopolitical climate.

All banks and financial institutions should be alert. But credit unions are especially vulnerable as many lack the proper email security to defend against phishing attacks, according to two studies from 2021, one from March and another from June. Credit unions also typically rank higher than large banks for customer satisfaction, so members may be more likely to trust messages from their local credit unions.

The phishing campaigns analyzed by Avanan use a few different methods for compromise, ranging from wire transfer codes to payment notifications to document alerts. But the goal is the same—convince the recipient to enter their account credentials and conduct banking activities.

One phishing email invites the recipient to click on a link to view their account statements and documents online. Another email contains a link that claims to relate to an important notice. A third actually requests money to stop an alleged wire transfer. And a fourth claims to offer an ACH debit.

In each case, the link in the email takes the user to a phony sign-in page impersonating the credit union. Any credentials entered on the page are captured by the attacker and used to compromise the account and steal funds.

To protect yourself and your organization from emails that appear to come from your bank or credit union, Avanan offers several recommendations.

  • Scrutinize the sender’s address before you respond to an email from your credit union.
  • Be cautious of any personal banking emails sent to your business email address, especially if you’ve never shared your business email address with your credit union.
  • Hover over any URL in the email to examine where the link resolves. Avoid clicking on the URL if the resulting page doesn’t match your credit union’s website.
  • Call your bank or credit union directly if you’re unsure whether an incoming email is legitimate.
  • For businesses, make sure you have advanced cybersecurity defenses that not only comply with financial regulations but can mitigate social engineering attacks aimed at web applications. Also, be sure to protect against internal threats as many attacks against financial institutions use compromised employee access.
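The sender-address and link checks from the list above, applied to a constructed message in the style of the "view your statements" lure described earlier. This is an added example, not code from the Avanan report or the article; the trusted domain, sender and URLs are invented for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical credit union domain (constructed for this example).
TRUSTED_DOMAIN = "examplecu.example"

# Constructed sample: a lookalike sender plus one lookalike link and one genuine link.
SAMPLE_EML = """From: "Example Credit Union" <alerts@examplecu-secure.example>
To: member@business.example
Subject: Your account statement is ready
Content-Type: text/html

<html><body>
<p>Your statement is ready. <a href="https://examplecu.example.login-portal.example/signin">View documents</a></p>
<p>Questions? Visit <a href="https://examplecu.example/help">our site</a>.</p>
</body></html>
"""

def same_site(host, trusted):
    # True only for the trusted domain itself or a real subdomain of it;
    # "examplecu.example.evil.example" does not qualify.
    return host == trusted or host.endswith("." + trusted)

def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def html_parts(msg):
    # Yield decoded text/html bodies whether the message is single- or multipart.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")

def check_message(raw_eml, trusted=TRUSTED_DOMAIN):
    """Return a list of findings; an empty list means sender and all links match the trusted domain."""
    msg = message_from_string(raw_eml)
    findings = []
    sender = sender_domain(msg)
    if not same_site(sender, trusted):
        findings.append(f"sender domain {sender!r} is not {trusted!r}")
    for body in html_parts(msg):
        # Equivalent of hovering over each link: inspect where the href actually points.
        for href in re.findall(r'href="([^"]+)"', body, flags=re.I):
            host = (urlparse(href).hostname or "").lower()
            if not same_site(host, trusted):
                findings.append(f"link {href} resolves to {host!r}, not {trusted!r}")
    return findings
```

Run against the sample, the function flags the lookalike sender domain and the lookalike sign-in link while accepting the genuine help link.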