Attackers impersonate local credit unions to capture personal information and extract money, Avanan says.

Phishing emails work by posing as legitimate messages from well-known or essential companies and businesses. The goal is to trick the recipient into sharing account credentials and other sensitive data associated with the impersonated company. A report released Thursday by email security provider Avanan reveals how a new phishing campaign is taking advantage of credit unions to steal money and information.

Since February 2022, Avanan has seen a dramatic increase in phishing emails impersonating local credit unions. This trend follows an earlier statement by the National Credit Union Administration advising credit unions to adopt a state of heightened threat awareness in the current geopolitical climate.

All banks and financial institutions need to be vigilant. But credit unions are particularly vulnerable because many lack the proper email security to defend against phishing attacks, according to two 2021 studies, one from March and one from June. Credit unions also generally rank higher than big banks for customer satisfaction, so members may be more likely to trust messages from their local credit unions.

The phishing campaigns analyzed by Avanan use different methods of compromise, ranging from wire transfer codes to payment notifications to document alerts. But the goal is the same: to convince the recipient to enter their account credentials and conduct banking activities.

A phishing email instructs the recipient to click a link to view their account statements and documents online. Another email contains a link purporting to relate to an important notice. A third actually asks for money to stop an alleged wire transfer. And a fourth claims to offer ACH debit.

In each case, the link in the email directs the user to a fake login page posing as the credit union. All credentials entered on the page are captured by the attacker and used to compromise the account and steal funds.

To protect yourself and your organization from emails that appear to come from your bank or credit union, Avanan offers several recommendations.

  • Check the sender’s address before responding to an email from your credit union.
  • Beware of personal banking emails sent to your work email address, especially if you have never shared your work email address with your credit union.
  • Hover over any URL in the email to examine where the link resolves. Avoid clicking on the URL if the resulting page does not match your credit union’s website.
  • Call your bank or credit union directly if you are unsure whether an incoming email is legitimate.
  • For enterprises, ensure you have advanced cybersecurity defenses that not only comply with financial regulations, but can also mitigate social engineering attacks targeting web applications. Also, be sure to protect yourself against insider threats, as many attacks against financial institutions use compromised employee access.
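
The sender-address and link-destination checks from the list above can be automated at a mail gateway or in a triage script. The following is an added example, not code from Avanan or the original article; the trusted domain `examplecu.example`, the function names and the sample message are all constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the credit union really uses (placeholder value).
TRUSTED_DOMAINS = {"examplecu.example"}

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def review_email(raw):
    """Return findings for the sender check and the link-destination check."""
    msg = message_from_string(raw)
    findings = []
    # The display name is attacker-controlled; only the address domain counts.
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_trusted(sender_host):
        findings.append(f"sender domain not trusted: {sender_host or '(none)'}")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    for href in collector.hrefs:
        parts = urlsplit(href)
        # Judge the href itself, never the visible link text.
        if parts.scheme in ("http", "https") and not is_trusted(parts.hostname):
            findings.append(f"link resolves elsewhere: {href}")
    return findings

# Constructed sample: the trusted name appears as a prefix of lookalike domains.
SAMPLE = """From: "Example CU Alerts" <notice@examplecu.example.mail-secure.test>
Subject: New document available
Content-Type: text/html; charset=utf-8

<a href="https://examplecu.example.login.portal.test/signin">https://examplecu.example/statements</a>
"""

if __name__ == "__main__":
    print("\n".join(review_email(SAMPLE)))
```

A message that passes both checks is not thereby proven legitimate, since a compromised mailbox at the real domain would also pass.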