Credit unions need to take steps to thwart email, wire fraud, risk alert asserts

Use of cloud-based email services is proving to be a target for cybercriminals, and credit unions need to take steps to thwart any exploitation and take preventative steps, the federal credit union regulator said Tuesday.

In a “risk alert,” the National Credit Union Administration (NCUA) said phishing emails designed to steal account credentials through cloud-based email services have proven to be among the most effective types of business email compromise (BEC) scams. The agency said that action occurs by cybercriminals using phishing kits to target victims on cloud-based services, analyze accounts, impersonate email communications, fraudulently demand (and receive) payments, compromise address books, send more phishing emails – and more.

The risk alert listed 12 methods credit unions may use to prevent BEC fraud; the top three are: enable multi-factor authentication for all email accounts; disable basic or legacy account authentication that does not support multi-factor authentication; use caution when posting information on social media and company websites, especially job duties and descriptions, hierarchal information, and out-of-office details.

The risk alert also notes wire transfer fraud incidents are also increasing, as more transactions through virtual environments have tilted that way. The alert lists a number of operational, transactional, and physical and logical controls for limiting wire fraud risk and incidents.

NCUA Risk Alert (21-RISK-01): Business Email Compromise through Exploitation of Cloud-Based Email Services