This month, the National Credit Union Administration (NCUA) issued a Risk Alert (19-RISK-01) describing the increasing frequency of and losses related to business email compromise fraud schemes. This is the first Risk Alert issued by the NCUA in six years.

What is a Risk Alert?

Periodically, the NCUA provides letters to credit unions containing guidance, instructions, or other informational announcements. Each letter is categorized into one of seven types. One of these types is called a "Risk Alert." A Risk Alert is an informational publication detailing practices or external threats that present a potentially significant risk to the safety and soundness of the credit union system.

To learn more about Risk Alerts and other letters to credit unions, visit the NCUA's website.

What is Business Email Compromise?

Business Email Compromise (BEC) fraud is a criminal scheme in which attackers compromise, or convincingly spoof, legitimate email accounts (for example, those of credit union members or their vendors) for the purpose of:

  1. Sending fraudulent payment requests, such as wire instructions, to financial institutions or other businesses.
  2. Tricking recipients into transmitting data (such as account or personal information) that is then used to commit financial fraud.

Why was the Risk Alert issued?

According to the NCUA's Risk Alert, BEC is a pervasive and growing threat to credit unions. According to an FBI report (FBI Alert I-071218-PSA), more than 78,000 incidents of domestic and international BEC occurred between October 2013 and May 2018. The Risk Alert was published to warn and provide resources for credit unions to help prevent and respond to this growing risk.

What steps can a credit union take to help prevent business email compromise fraud?

The Risk Alert recommends several steps for credit unions to follow to prevent BEC fraud. The steps can be summarized in three categories:

  1. Revisit and reinforce the importance of the credit union's Identity Theft Prevention (Red Flags) Program.

    • Use a two-step verification process for wire requests, and confirm the request with the member using the email address or phone number already on file rather than any contact details supplied in the wire transfer request itself.
    • Never make a payment change without verifying the change with the intended recipient.
    • Require staff to investigate and verify changes to members' personal information, and changes to the business practices of the credit union's vendors or member business accounts.
    • Know the routines of members' wire activity and contact them about any changes or concerns before sending a wire transfer.

  2. Implement technical security controls to help prevent and/or detect BEC.

    • Use email spam filters to quickly identify potentially fraudulent or spoofed emails.
    • Create rules in the credit union's intrusion detection system to flag emails sent from domains that are similar to, but different from, the credit union's or members' email domains (for example, a single substituted or added character).
    • Implement multi-factor authentication (MFA) for corporate email accounts, so that logging in requires at least two independent factors.

  3. Regularly perform security awareness and policy training to encourage security best practices.

    • Verify the full sender email address when checking mail on a mobile device; many mobile clients show only the display name, which an attacker can set to anything.
    • Verify transaction details with the recipient financial institution before sending a suspicious wire transfer.
    • Use caution when publishing information on social media and company websites, especially job duties/descriptions, organizational hierarchy, and out-of-office details.

A great way to provide security awareness training is through Tandem's Phishing Security Awareness Software.

What if one of the credit union's members is a victim of a business email compromise?

To request immediate assistance in recovering stolen funds, credit unions should:

  • File a complaint with the FBI's Internet Crime Complaint Center (IC3).
  • Contact the local FBI field office.
  • Contact the nearest U.S. Secret Service (USSS) field office.
  • Complete a Suspicious Activity Report (SAR), if applicable.

Note that the likelihood of recovering funds lost to a fraudulent wire transfer is greatly increased if the incident is reported to law enforcement within 24 hours.

Where can I learn more about business email compromise?