Risk alert focuses on email, wire fraud

(Oct. 22, 2021) Speaking of cybersecurity: Cloud-based email services are proving to be targets for cybercriminals, and credit unions need to take preventative steps to thwart any exploitation, NCUA said this week.

In Risk Alert 21-RISK-01, the agency said phishing emails designed to steal account credentials through cloud-based email services have proven to be among the most effective types of business email compromise (BEC) scams. The agency said cybercriminals use phishing kits to target victims on cloud-based services, analyze accounts, impersonate email communications, fraudulently demand (and receive) payments, compromise address books, send more phishing emails, and more.

The risk alert listed 12 steps credit unions may take to prevent BEC fraud. The top three are: enable multi-factor authentication for all email accounts; disable basic or legacy account authentication that does not support multi-factor authentication; and use caution when posting information on social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.

The risk alert also notes that wire transfer fraud incidents are increasing as more transactions have shifted to virtual environments. The alert lists a number of operational, transactional, and physical and logical controls for limiting wire fraud risk and incidents.


NCUA Risk Alert (21-RISK-01): Business Email Compromise through Exploitation of Cloud-Based Email Services