By Sarah Milovich, Credit Union Times
For decades, the credit union movement was defined by its localism. Success was measured by how deeply an institution could serve a specific factory, municipality or county. But as we move through 2026, the strategic imperative has shifted. To remain competitive against fintech disruptors and national banking giants, credit unions are expanding beyond traditional footprints at a record pace, often through mergers, acquisitions and digital-first lending models that extend well beyond their historical footprints.
We are seeing this play out in real time. The Massachusetts-based Hanscom Federal Credit Union recently signaled its intent to expand into Maryland through the acquisition of The Peoples Bank, and Michigan’s Zeal Credit Union is pushing its footprint into Wisconsin. Regardless of the approach, the goal is scale.
This movement reflects a broader industry shift: Geographic localism is no longer a competitive strategy. In an environment where fintech leaders operate nationally from day one, credit unions that remain constrained to narrow geographic footprints risk falling behind institutions built to scale digitally.
The Shift in Credit Union Strategy
Historically, expansion required a physical presence, including new branches, local staffing and incremental operational build-out. Today, digital lending models allow credit unions to enter new markets far more quickly, reaching members wherever they live rather than where the institution historically operated.
This strategic shift is not just about growth for its own sake. It is about remaining relevant in a financial services landscape where competition increasingly comes from institutions without geographic boundaries.
As digital-first competitors continue to capture market share, scale has become essential for credit unions seeking to remain competitive in lending, payments and member acquisition.
By Kevin Townsend, Security Week
You can no longer recognize a phishing email by simply counting the typos. And you will get caught if you simply respond to a genuine-looking email without thinking.
Analysis of almost 800,000 email attacks across more than 4,600 organizations shows attackers moving away from exploiting technical vulnerabilities in favor of targeting behavioral and organizational weaknesses. In short, email attackers are now targeting their victims with tailored tactics that exploit trusted relationships and routine workflows.
The three primary email attack methods are phishing, business email compromise (BEC) and vendor email compromise (VEC). Phishing remains predominant, accounting for 58% of all attacks. BEC comprises 11% of attacks, while VEC (a subtype of BEC) accounts for more than 60% of all BEC attacks. Details are provided in Abnormal AI’s 2026 Attack Landscape Report.
Phishing varies by target.
File-sharing lures are concentrated on industries and roles where document exchange is common and expected. Brand impersonation aligns with the complexity of the target’s software footprint. In both cases, the lure is designed to blend into the workflows and tools that employees use. “The same structures, workflows, and relationships that define how an organization operates also define where an attack can blend in undetected,” says the report.
More than 20% of phishing attacks use redirect chains to obscure the final malicious page from both users and their security tools. Just over 10% of these use link shorteners, with tinyurl (31.6%) and t.co (26.6%) dominating. Tinyurl is a free service, while t.co is automatically and freely applied by X/Twitter to outbound links. In both cases the URL can appear legitimate and security teams are reluctant to impose automatic blocks.
BEC is less frequent, involves more attacker craftsmanship, and is more impactful.
BEC and VEC are less frequent but potentially more impactful than phishing. (BEC targets employees within an organization, while VEC relies on a compromised vendor account to then target the vendor’s customers or suppliers.)
In BEC, VIP impersonation is used in 43% of attacks at small enterprises, but only 7% at large enterprises. Lateral attacks within an organization, where one compromised account targets another account, are the reverse: less than 1% at small organizations rising to more than 23% in large organizations. Noticeably, higher education is especially susceptible to such lateral attacks, where 33% of the BEC attacks are lateral, “Highlighting,” writes Abnormal, “how open, high-turnover environments create ideal conditions for internal spread.”
By Nicole Volpe, Contributor at The Financial Brand
For banks and credit unions, cash incentives are a powerful way to lower the effective price of a checking account to gain market share — provided of course that the lifetime value of the customer or member exceeds the total cost of acquisition. But with other acquisition channels drying up, more institutions are reaching for the same lever — and many are doing so without a clear strategy.
Institutions seeking growth recognize the market forces that are driving the action. Account balances grew strongly in the pandemic but have since fallen as inflation and spending rose. Meanwhile, as Fed hikes level off and head down, CD and savings rates are less effective for new account acquisition. And competition from fintechs, neobanks, and money market funds is only intensifying. Over the past three years, campaign volume has grown 24%, checking-account incentives 57%, and average spend per campaign 75%, according to a Vericast analysis of Mintel/Comperemedia data.
“An institution that is willing to offer a competitive cash incentive will always outperform, all things equal, an identical institution that does not offer a cash incentive,” said Fred Cadena, Head of Client Strategy at Vericast. “The cash is so prevalent in the market that you are going to hinder your competitiveness by not offering one.”
But many institutions choose not to, Cadena said — whether because they don’t believe in paying to acquire, or because they haven’t been able to make a good business case, or because they’ve been burned in the past. For institutions reconsidering their position, what follows is a framework for getting it right.
Misconception 1: Chase is Driving the Arms Race
Perhaps because Chase offers show up in so many of our mailboxes, many institutions might assume it’s the incentive pacesetter. But the biggest spender isn’t the country’s biggest bank.
It’s the tier just below: large nationals in the $250 billion to $1 trillion asset range, which offer average incentives of $484, according to Vericast, versus the $410 that Chase and other trillion asset-plus mega banks field on average.
Another mega bank specter haunting small-institution strategists is Wells Fargo, which was freed last year from the regulatory growth cap it had operated under since 2018.
Misconception 2: Credit Unions Don’t Need to Offer Big Incentives
The conventional wisdom is that credit unions don’t need to out-bid banks for new accounts — their inherent cost advantages make up the dollar difference, and they tend to be more conservative about acquisition in general.
That may still be true.
By Gabrielle Saulsbery, Banking Dive
OpenAI has acquired personal finance fintech Hiro, further entrenching itself in the financial realm.
The deal, announced on Hiro’s website, will shut down the Hiro application for users April 20. Users can export their data through settings until May 13, Hiro said. Hiro, launched by Digit founder Ethan Bloch, billed itself as an “AI personal CFO” and said it helped clients manage more than $1 billion in assets.
OpenAI confirmed the deal to TechCrunch, which first reported it, but hasn’t made further public statements. Terms of the deal were not disclosed. As the Hiro app is shuttering and the entire Hiro team is joining OpenAI, TechCrunch called it an “acqui-hire.”
“For decades, personalized financial guidance has been too expensive, too generic, or too hard to access. ChatGPT is finally changing that,” Bloch wrote on LinkedIn.
This is OpenAI’s second fintech purchase, following its acquisition of personal finance app Roi in October. Altman told Federal Reserve Vice Chair for Supervision Michelle Bowman last year that financial firms were some of OpenAI’s earliest adopters.
“Morgan Stanley, Bank of New York, these are major partners of ours that we’re doing fantastic work with. And we were kind of like, ‘Are y’all sure?’ and they were like, ‘Yeah, we really want to do this,’” he recalled at the time.
Those institutions and others figured out how to use the technology, and “how to structure it enough that they can rely on it” for critical processes, he said. “Personal finance has been one of the most talked-about use cases for generative AI since the beginning, and this deal reinforces that,” Pitchbook fintech analyst Rudy Yang told American Banker.
But a key difference between AI financial advisers and human advisers is fiduciary duty – or lack thereof.
By Joshua Goldfarb, Security Week
Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions.
Unfortunately, we have a problematic and unstable neighbor. Without getting into details, he often yells obscenities, threatens physical harm, threatens property damage, and other such undesirable things. Sadly, involving the police from time to time and getting two restraining orders did not discourage this neighbor from his outbursts and threats.
The police and courts explained to us that a healthy person is afraid of the law. This is logical – most of us don’t commit crimes, and this is partly because we are afraid of the consequences. But when a person is unstable and believes that they can talk their way out of anything as long as it is your word against theirs, there is little recourse. In other words, if a person is careful to behave badly only when there is no record of that behavior, it is very difficult for the police and courts to do much about it.
Even given this, we have, thankfully, had several months of quiet. How so? We found something that the troublesome neighbor did fear – being caught on camera.
We installed home security cameras, and nearly instantly, we had complete quiet. We went from constant unpleasantness to total quiet overnight. In fact, one of the first videos we collected on one of our home security cameras was of our problematic neighbor approaching our door, realizing we had installed a home security camera, and then quietly walking away rather than launching into a tirade. Since then, quiet.
Why am I sharing this story? I believe that there is an important security lesson we can learn from this. Namely, the importance of visibility – not merely for compliance, audit, security monitoring, and other reasons that we are likely all familiar with. But beyond that, like in the case of our troublesome neighbor, visibility keeps people and teams honest, and that can bring huge benefits for the security organization.
Before getting into the benefits for the security organization, it is worth clarifying what I am referring to when I mention visibility. When thinking about visibility, it is important to remember the need to see what is happening at all layers: not just the network, endpoints, and access logs, but also the application layer. This includes detailed insight into both traffic traversing the API infrastructure and traffic leveraging AI capabilities.
Published in CUToday
The Trump Administration is moving to block Illinois’ swipe-fee law from applying to national banks, adding a major new federal preemption twist to the industry’s already fast-tracked Seventh Circuit appeal and potentially strengthening the broader fight being waged by banks and credit unions against the state’s Interchange Fee Prohibition Act (IFPA).
Bloomberg Law first reported the move, saying the Office of the Comptroller of the Currency on Tuesday filed an interim final rule with the White House that would preempt Illinois’ law for national banks as the appeal continues.
The development comes just two months after CUToday.info reported that Chief U.S. District Judge Virginia M. Kendall largely upheld the core of the IFPA—allowing Illinois to bar interchange on the tax and gratuity portions of card transactions—while striking down the law’s separate data-usage restriction on preemption grounds. In that Feb. 10 ruling, Kendall declined to extend federal preemption to federal credit unions, leaving CUs exposed to the interchange restrictions absent relief from the appellate court.
In February, America’s Credit Unions, the Illinois Credit Union League, and the other plaintiffs filed an appeal with the U.S. Court of Appeals for the Seventh Circuit. The IFPA is scheduled to become effective July 1, and would ban financial institutions, including credit unions, payment networks, and other entities, from charging or receiving interchange fees in Illinois on the portion of a debit or credit card transaction attributable to tax or gratuity.
By Fintech Global
Fingerprint, a leader in device intelligence for fraud prevention, has announced the addition of AI-powered recommendations to its Suspect Score solution, marking a significant step forward in adaptive fraud detection.
Static scoring models have long struggled to keep pace with increasingly dynamic, traffic-specific fraud patterns. Fraud teams frequently lack the time and resources needed to continuously analyze signal interactions and manually tune model weights to suit their unique operational needs. Fingerprint’s latest enhancement directly addresses this gap, enabling fraud teams to eliminate manual tuning, preserve valuable time and resources, and deploy fraud detection that adapts to evolving threats.
Fingerprint provides device intelligence solutions designed to help organizations identify and prevent fraud. Its platform is built around Smart Signals — actionable, real-time device intelligence insights — that deliver powerful fraud indicators to enterprise fraud and security teams. The company’s Suspect Score solution sits at the center of this offering, giving customers a consolidated fraud risk signal drawn from a broad range of device and behavioral data.
The enhanced Suspect Score introduces a production-ready machine learning (ML) system that customers can train on their own labeled fraud data. Enterprise teams can upload this data through the Fingerprint dashboard, enabling the system to intelligently analyze it alongside Smart Signals to generate optimized signal weights tailored to their specific fraud patterns. The updated solution also adjusts signal weights based on patterns observed in a customer’s fraud data to reduce false positives while maintaining accuracy. Before any changes are applied, customers receive a full preview of all recommendations, allowing them to review and approve updates with a single click — preserving complete visibility and control over their scoring configuration.
As threats continue to evolve, organizations can retrain their scoring models with up-to-date data, ensuring detection remains aligned with real-world fraud behavior. Sophisticated AI agents and bots are increasingly capable of bypassing static detection models, and the growing adoption of privacy tools such as VPNs among legitimate users has further complicated traditional signal weighting. Fingerprint’s AI-powered approach is designed to meet these challenges head-on, shifting fraud detection from a static model to a continuously adaptive one.
By Michelle Faverio and Emma Kikuchi; Pew Research Center
Artificial intelligence (AI) has become part of everyday life for many Americans – at work, at school, in health care and beyond. As AI spreads, the public remains cautious, but somewhat open to its potential benefits.
Drawing on five years of Pew Research Center surveys, here are 13 findings about how Americans use and view AI, and where they see promise and risk.
1. Americans continue to be wary of AI’s impact on daily life.
Half of U.S. adults say the increased use of AI in daily life makes them feel more concerned than excited, according to a June 2025 survey. Just 10% say they are more excited than concerned. Another 38% say they are equally concerned and excited.
More Americans are concerned today than they were when we first asked this question in 2021. Back then, 37% said they were more concerned than excited.
In contrast, concern is lower in many of the 24 other countries we’ve polled about AI.
2. U.S. adults are generally concerned about AI’s effect on creativity and relationships but are more open to using it for data analysis.
About half of Americans said in the June survey that AI will worsen people’s ability to think creatively and form meaningful relationships with others. Far fewer said AI will make these things better.
However, Americans tend to be more open to AI playing a role in data analysis tasks such as forecasting the weather.
By Jennie Boden and Christopher J. Jones; CreditUnions.com
Credit unions face a new regulatory obligation in 2026 — one that formalizes succession planning as a baseline expectation, not a best practice.
The National Credit Union Administration’s final succession planning rule (12 CFR Parts 701 and 741, RIN 3133-AF42) went into effect on Jan. 1, 2026. The rule requires both federal credit unions and federally insured, state-chartered credit unions to establish written succession plans.
This article describes the key things credit union leaders need to know to comply with the letter of the new rule. For our thoughts about the opportunity available to credit unions that choose to be more strategic about their compliance efforts, read, “The Opportunity For Credit Unions In NCUA’s New Succession Planning Rule.”
What The New Succession Planning Rule Says
NCUA’s newly effective succession planning rule requires federal and federally insured, state-chartered credit unions to establish a board-approved, written succession plan consistent with their size, complexity, and risk of operations. Credit unions can leverage this NCUA video series for further clarification on what is required.
The agency has also provided a succession planning template for smaller credit unions that we find too limited to be of much strategic value. We offer suggestions in the next section for how to deliver a right-sized plan that stays strategic.
Credit unions with less than $100 million in assets and minority depository institutions of all sizes may also be eligible for assistance in a variety of areas, including succession planning, through NCUA’s Small Credit Union and Minority Depository Institution Support Program.
The rule sets forth that these credit union jobs, or their equivalents, must be included in the written succession plan, at a minimum:
- Members of the board of directors.
- “Management officials” and “assistant management officials,” as those terms are defined in Appendix A of the rule, if provided for in the federal credit union’s bylaws, and, to the extent not already covered, the senior executive officers identified in § 701.14(b)(2).
- Any other personnel the board of directors deems critical given the federal credit union’s size, complexity, or risk of operations. This includes new positions that may be required due to planned changes in operations, supervisory landscape, or corporate structure.
By John Bruggeman, CSO Magazine
Your security is only as strong as your sketchiest vendor; since 35% of breaches start with partners, it’s time to worry about their firewalls, not just yours.
Over the last four years, I’ve watched organizations get blindsided by threats that originated in a third-party network. More than 35% of data breaches are caused by a compromised vendor or partner, not by any failure in the organization’s controls. While many organizations know that the biggest threats to their security come from forces entirely outside their control, that risk is accelerating this year.
Some of those forces come from beyond their network and even far beyond their region. International conflict is influencing attacker behavior in ways that are showing up far from conflict zones. AI-driven automation is reducing the effort required to exploit systems and people. Third-party risk continues to be the most common reason well-defended organizations still suffer serious incidents.
These three factors are creating an environment that is heightening cybersecurity risk. I work with organizations that invest in security, quantify risk and take resilience seriously. Yet when something truly disruptive happens, it is rarely because a basic control was missing. Security is only as strong as the weakest link in a chain that extends far beyond an organization’s firewall — and those weak links are multiplying.
Geopolitics amplify cyber risk, particularly for OT networks
For a long time, geopolitical conflicts felt like a separate category of risk. If you did not operate in or near a conflict zone, it was easy to assume it posed little risk to your organization or your security posture. In my experience, that assumption no longer holds.
In my previous position, we had an office in Israel, so I was always alert and aware of tensions and conflicts in that area. What I see consistently is that techniques used in active geopolitical conflicts do not stay contained to that geographic area or digital environment. The techniques and tactics are tested, refined and then used by criminal groups and other threat actors. Eventually, they surface in environments that have nothing to do with the original conflict.
By Sergiu Gatlan, Bleeping Computer
Google announced that the AI-powered Google Drive ransomware detection feature has reached general availability and is now enabled by default for all paying users.
Announced in September 2025, a beta version of this feature began rolling out to Google Workspace customers worldwide in early October.
Google Drive will immediately pause file syncing when it detects a ransomware attack, notifying users and IT admins of the breach and drastically minimizing the impact of such incidents.
While this will not prevent the files on the compromised computer from being encrypted, documents stored in Google Drive will be protected and can be quickly restored once the malware infection is resolved.
After an attack is blocked, users are also provided with detailed instructions for restoring corrupted files using the Drive restoration tool to undo ransomware changes.
“When ransomware detection is on, files are scanned for ransomware when they are synced from a desktop computer to Drive,” Google explains. “If ransomware-encrypted files are found, desktop sync is paused. The affected user gets an email alert and is notified in Drive, and an alert is created in the Google Admin console.”
“Compared to when the feature was in beta, we are now able to detect even more types of ransomware encryption and are able to do it faster. Our latest AI model is detecting 14x more infections, leading to even more comprehensive protection,” it added.
Google says the feature is now on by default for all users in organizations with business, enterprise, education, and frontline licenses, while the file restoration feature is available to all Google Workspace customers, Workspace individual subscribers, and users with personal Google accounts.
By Ryan Ermey, CNBC
For most of my adult life, I’ve enjoyed a relatively straightforward tax situation. In most years, I merely made sure the income from my W-2 was correct and clicked through my preferred tax software’s questions to the end. No dependents, no side hustle income, no property in my name.
This past year was a little different. After years of buying stock through my company’s employee stock purchase plan, I sold the majority of my shares to begin raising funds for my upcoming wedding.
There are some relatively tricky rules around selling these shares, but the gist is, these plans allow employees to buy stock at a discount to the actual share price. So determining how much money you made (in which case you owe capital gains tax) or lost on the sale of your shares requires some calculations.
So I did what about 1 in 5 taxpayers are doing these days, per a recent survey from IPX 1031: I asked AI for help.
I did so skeptically. I’d seen enough stories about AI “hallucinations” — the industry term for when chatbots get things wrong — that I was half-expecting ChatGPT to make a mess of my taxes. Plus, it had only been three years since I’d put AI to the test on tax strategies and watched it flounder. It’s also worth noting that OpenAI’s usage policies caution against using its product to automate “high-stakes decisions in sensitive areas without human review.”
And yet, when I started chatting with the latest version of OpenAI’s large language model, I could feel my hesitation melting away. It not only answered my first question about how ESPP sales are taxed, but also broke things down into digestible bullet points and asked me if I was comfortable sharing more information.
Since I was using a corporate version of the software that does not use data to train OpenAI’s models, I uploaded the consolidated 1099 form from my brokerage firm.
“This is great — [your brokerage] actually gave us everything we need,” the bot told me. “Here’s what’s going on.”
What ChatGPT told me essentially boils down to: Your brokerage is using one number, which is being uploaded into your tax software. But you actually have to use a different number. I just had to check my last few W-2s to see that they included a certain line item.