Cyber-Enabled Fraud
Last Reviewed: November 2024
Additional information on cybersecurity and cybersecurity resources can be found in the Security Channel.
Cyber-Enabled Fraud: Cybercrime
The Federal Financial Institutions Examination Council (FFIEC) shares critical information regarding cybersecurity. The FFIEC defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to attacks.” Credit unions must manage internal and external threats and vulnerabilities to protect their information and infrastructure against cyber-based attacks. Cyber-enabled crime is carried out or facilitated by electronic systems and devices.
Common attack methods and examples include:
- Account takeovers
- Business email compromise (BEC) - fraudsters attempt to obtain information or funds by impersonating another person and leveraging that person's status
- Compromised accounts
- Hacking - unauthorized intrusion into a system by a party with the intent to commit a future crime, such as insider trading and identity theft
- Impersonation techniques - including phishing and spoofing
- Installation of malicious software - such as malware and ransomware
- Payment card fraud
- Social engineering - manipulation of a target to obtain sensitive information, often done through digital communication and online programs
- Fraudulent wire transfers
According to the Cybersecurity & Infrastructure Security Agency (CISA), good security habits include the items below. Educate employees and members on these security habits, and enforce them when possible, to mitigate cyber risk.
- Improve password security – mandate strong passwords; use a password manager, multifactor authentication (MFA), and security questions; create individual accounts, granting only the access and permissions needed for each user
- Choose secure networks and implement cybersecurity software
- Keep electronic device software current
- Be suspicious of all unexpected emails – avoid clicking on unrequested links, downloading unrequested files, and sharing personal information
- Implement automated preventative controls for user access and permissions
The FFIEC created the Cybersecurity Assessment Tool, which credit unions can use to measure their cybersecurity preparedness. Credit unions, for example, should have the following cybersecurity controls to protect their assets, infrastructure, and information and improve risk management:
- Preventative controls – infrastructure management, access management, device and end-point security, and secure coding
- Detective controls – threat and vulnerability detection, anomalous activity detection, event detection, and system irregularity alerts indicating a potential incident
- Corrective controls – patch management and remediation of issues identified in vulnerability and penetration testing
The FFIEC also prepared a Cybersecurity Resource Guide for Financial Institutions, which outlines resources to assist credit unions in strengthening their resilience to cyber threats.
Cyber-Enabled Fraud: Phishing Attacks
The OCC created a guide on Phishing Attack Prevention. Phishing is a type of cyber-enabled crime in which Internet fraudsters send a seemingly legitimate email containing links to a phony website. Typical warning signs that an email is a phishing attempt include:
- A sense of urgency and pressure to act immediately
- Requests for payment
- Requests for sensitive information for verification purposes, including your social security number, account number, passwords, and other personal information
To prevent phishing, follow these tips:
- Do not provide personal information over the phone or Internet following an unsolicited request.
- Verify the sender’s legitimacy by initiating contact with the organization yourself, such as using the phone number and website provided on your financial institution’s monthly statement.
- Do not provide passwords over the phone or Internet.
- Review account activity regularly for unauthorized transactions.
If you are a victim of a phishing attack, call your financial institution immediately, as well as one of the three credit bureaus (Equifax, Experian, TransUnion).
Cyber-Enabled Fraud: Model Policies
CU PolicyPro contains the following model content which can be used to help you craft your own policies and guidance on this topic:
- Model Policy 1645: Fraud
- Model Policy 2290: Wire Transfers
- Model Policy 2615: ATM/Debit Cards
  - 2615.10: Electronic Fund Transfers
- Model Policy 4100: General Security Procedures
- Model Policy 4120: Information Security
- Model Policy 4125: Incident Response
- Model Policy 2220: E-Commerce
  - 2220.10: Website
- Model Policy 2222: Electronic Communications: Acceptable Use
- Model Policy 2225: Digital Banking
  - 2225.10: Anti-Phishing
- Model Policy 2227: Electronic Signatures
- Model Policy 4200: Security Devices
- Model Policy 4340: Remote Access
- Model Policy 4350: Cloud Computing
- Model Policy 4300: Computer Security and Control
- Model Policy 4315: Firewalls
- Model Policy 4320: Computer Hardware and Software Acquisition