NCUA Alerts Credit Unions on Heightened Risk of Phishing

At the end of March 2022, the NCUA published a new risk alert titled Heightened Risk of Social Engineering and Phishing Attacks. Citing the ongoing conflict in Ukraine and concerns about potential cyber-attacks against the United States' critical infrastructure, the NCUA guidance reminded credit unions to remain vigilant in the face of increased phishing and other social engineering attempts. 

What is Social Engineering and Phishing? 

According to the FFIEC Information Security Booklet, social engineering is "a general term for trying to trick people into revealing confidential information or performing certain actions." Social engineering comes in many flavors, including phishing (via email), smishing (via text message), and vishing (via phone call). 

Phishing emails are currently the most prevalent form of social engineering. However, the NCUA risk alert warns credit unions to be on the lookout for smishing attempts, as well. 

Five Indicators of Phishing 

The NCUA alert provides five common clues associated with phishing attempts. 

1. Suspicious email addresses
2. Generic greetings and signatures
3. Spoofed hyperlinks
4. Poor grammar and inconsistent formatting
5. Suspicious attachments 

In short, if you notice these things in an email and your spidey-sense starts tingling, it might be phishing. 

Six Ways to Avoid Falling for Phishing 

The NCUA goes on to provide six tips to help you avoid becoming a victim. 

1. Be suspicious of unsolicited requests. In general, if someone asks you for information about employees or your credit union, verify first. Trust later.
2. Do not share personal information via email. This is a good rule for life. Email is inherently an insecure form of communication. As such, it is best to avoid sending personal information or financial information via email.
3. Verify email legitimacy through another method. If someone sends you a suspicious email, give them a call or go to your account to verify if it is legitimate. The extra few minutes it would take to check is much less time than it would take your credit union to respond to an incident.
4. Use technical controls like anti-virus, firewalls, and email filters. Limit the amount of scam and phishing emails you receive by using technical controls, when possible. While you can't block all of them, you can certainly reduce your exposure.
5. Use anti-phishing features supported by your email client. Certain email clients, like Office 365 and Gmail, now have anti-phishing features built into the program. Start using these features to stay ahead of the game.
6. Use multi-factor authentication (MFA). While MFA will not reduce the likelihood of becoming a victim of phishing, it may help reduce potential damage if your credentials become compromised as a result of a phishing attack. 

Report Cyber Incidents 

If your credit union does become a victim of phishing, or any kind of cyber incident, the risk alert recommends reporting the incident to: 

• The NCUA 
• Your local FBI field office or the Internet Crime Complaint Center (IC3)
• The Cybersecurity and Infrastructure Security Agency (CISA) 

For more information about reporting incidents to CISA, check out our blog on the New Cyber Incident Reporting Act. 

Train Your Teams on Phishing 

The NCUA risk alert reinforces the "continued importance of educating your employees and members on how to avoid these threats." 

If you are looking for a way to train your teams on phishing, check out Tandem Phishing. This do-it-yourself tool allows you to send simulated phishing campaigns, obtain status reports, and provide follow-up training to your teams on how to avoid phishing in the future.