Consumers are not the only ones who have to watch out for phishing scams; businesses, including credit unions, are now being targeted. Business Email Compromise (BEC) phishing has increased over 2,370% in the past two years, according to the Federal Bureau of Investigation. Between October 2013 and December 2016, there were more than $5.3 billion in losses in the U.S. from over 40,000 incidents. It comes down to the users in your credit union: you can have the best security software your budget will allow, but with one or two clicks from an employee, the workstation they are using can be infected. Hackers are now in, and you have an expensive data breach or, even worse, a data heist on your hands.
One of the best defenses against phishing is to educate your employees about the different lures hackers use. These lures commonly take the form of a message requiring some urgent action. If the message is composed correctly, it will pass through all of the credit union’s cyber security. It then works on the human psyche: the desire to receive something you didn’t know about, the need to act before something is lost, or the need to prevent something from being taken away.
Scare tactics are the most common form of phishing. They threaten to delay a service or disable an account to pressure you into providing sensitive information. They attempt to trigger an immediate reaction from you or your employees with phrases like “your account has been compromised” or “urgent action required” or even “your account will be closed” in order to get you to click on a link.
Some other examples of what the subject lines in phishing emails may look like:
Revised PTO Policy
A Delivery Attempt Was Made
All Employees: Update your Health Care Info
Change of Password Required Immediately
Urgent Action Required
A classic case that was very successful, affecting a reported 2,000 victims, occurred back in 2008. This phishing scam targeted executives nationally with an official-looking email informing them that they had been subpoenaed and offering an attachment to view the full subpoena. When they clicked on the attachment, it downloaded and installed a keystroke logger and other malware that allowed remote control of their PC. This is what is known as spear phishing, the practice of attacking the really big fish or corporate executives. Could your executives fall prey to such a scheme?
The bottom line is that your employees are being targeted. You can invest heavily in security for your data, but you may be missing the human factor. Part of your cyber security strategy has to include proper training of your employees and educating them about their role in protecting the credit union’s data. They are your human firewall and your last line of defense.