Understanding human nature is key to protecting your credit union and members from cyberattacks.
The list of companies, institutions and individuals hit by hackers in the last several years is long and varied, from members of Congress to small municipalities in Texas to gasoline pipelines to a Canadian online book seller. It’s not a list you want your credit union to be on, although many are.
The challenge of protecting your credit union and your members’ personal information continues to grow and become more complex. These days, hackers are even using artificial intelligence to focus their efforts and ensure their phishing emails no longer have the weird typos that made them easy to spot just a couple of years ago.
When COVID-19 hit in 2020, the number of cyberattacks swelled as criminals realized that both employees and employers were vulnerable as they transitioned to remote work. Barracuda reports that phishing attacks jumped from 218,000 in January 2020 to 500,000 in March. That April, Google blocked 18 million malware and phishing emails about COVID.
At this time last year, cyberattacks were actually down, though not for a good reason. According to a report by Recorded Future’s Insikt Group, when Russia attacked Ukraine, the fighting led to a dramatic drop in online fraud attempts because both countries had active hackers who were pushed offline, at least for a while. But by the end of 2022, the total number of people affected by hacks had risen almost back to the 2021 level, in large part because in December Twitter acknowledged that the data of about 221 million of its users had been stolen, reports the Identity Theft Resource Center.
Capitalizing on Human Error
You may be surprised to learn that your biggest cyber-risk is human nature, so your best defense is psychological, not technological. But that knowledge doesn’t make protecting your data much easier since the hackers are experts in understanding people.
“It all comes down to people,” says Al Pascual, SVP/enterprise risk solutions for TransUnion, which provides identity-theft protection. “Eight times out of 10, a data breach happens because of human error. Someone clicked on something they shouldn’t have or shared information or reused a password too many times.”
Pascual says financial institutions spend a lot of money either directly or through third-party vendors to manage technical risks—and they should. But they also need to understand “those investments are not necessarily going to bear fruit because the criminals are targeting the employees of the credit union and they’re also targeting the members.”
This means that credit unions need to focus on what they can do to mitigate risk, knowing that “people are going to make mistakes,” says Pascual. “They’re going to exhibit bad behavior, unknowingly. What I would really advise credit unions to do is figure out ways to effectively manage the human risk.”
Education and training about best cybersecurity practices for staff and members is a first step, but training alone is not sufficient.
“Cybercriminals are creating more sophisticated attacks that use automation, artificial intelligence and other advanced technologies to make their attacks more effective and their payloads more damaging,” says the “2022 Digital Safety and Security Report for Financial Services” from Sontiq, a TransUnion company.
Phishing is the most common form of cybercrime, with an estimated 3.4 billion spam emails sent every day. Almost 50% of emails sent in 2022 were spam. Google blocks around 100 million phishing emails daily, but billions get through. It’s estimated that one in 12.5 million draws a response from the receiver. That’s enough to generate billions in revenue for the hackers every year. The global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027, says Statista’s Cybersecurity Outlook.
Regulatory Moves
The battle against hackers starts at the top. In his last personal meeting with Russian President Vladimir Putin in 2021, President Joe Biden raised the issue of Russian hackers attacking American institutions and companies. That conversation helped slow things down, until Putin invaded Ukraine and the relationship took a turn for the worse.
In March 2023, the Biden administration released a National Cybersecurity Strategy that aims to increase the pressure on the big tech companies to counter the hacking tsunami. The strategy says it will shift the burden of preventing attacks from individuals and small businesses to the large institutions and governments that have the power to act effectively.
“Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense,” Biden wrote in a foreword to the strategy report.
But the effectiveness of the administration’s cybersecurity strategy has been questioned, since many regulatory changes will require the cooperation of the Republican-controlled U.S. House of Representatives.
Closer to home for credit unions, the National Credit Union Administration announced in February that starting this September credit unions will have to report within 72 hours any cyber incident that disrupts business operations, vital member services or a member information system. This is part of an effort to get a better handle on attacks and monitor any new efforts, although it is double the time banks have to report similar incidents.
“Ransomware, social engineering and phishing are but a few of the known examples of the cyber threats we all face,” said NCUA Chairman Todd Harper in a February speech at the 2023 Governmental Affairs Conference. “What worries me more are the countless threats we do not know about.
“All of us must improve our cybersecurity practices,” he continued. “That’s why, starting this year, the NCUA will use our new Information Security Examination procedures. This new supervisory initiative is tailored to your credit union’s size and complexity to help you prepare for, withstand and recover from cybersecurity threats.”
Harper noted one challenge that NCUA faces: it has no examination authority over credit union service organizations or third-party vendors. This leaves a hole in the financial system’s defenses, making the credit union system more vulnerable to exploitation, he added.
This lack of regulatory authority over CUSOs and other vendors also puts credit unions at a competitive disadvantage, since bank agencies make public the results of their vendor examinations. “Credit unions, especially small ones, don’t have the same ability to access information about their vendors, even if they offer the same services to both credit unions and banks,” Harper said.
With the new cyber incident notification rule in place, “the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” Harper said.
The Cost of Keeping Quiet
Transparency and incident reporting help companies and authorities track and understand the cybersecurity landscape, but tracking has become challenging over the past few years, according to the Identity Theft Resource Center. In 2021, federal courts in different parts of the U.S. ruled that actual harm, not potential harm, is required for an individual to file a damage claim against a company that suffered a data breach. These rulings have pushed many companies to delay or restrict notifying their constituents when incidents occur. (This may soon change, however. In September 2022, the Third Circuit Court of Appeals remanded for consideration a previously dismissed class action lawsuit. The suit was filed against a biopharmaceutical company by a former employee whose information was leaked to the dark web after the company fell victim to a ransomware attack. The reversal of the suit’s 2021 dismissal suggests that risk of future harm may indeed justify a claim.)
Eva Velasquez, CEO of the Identity Theft Resource Center, says incomplete reporting of breaches has made the available data less helpful.
“The result is individuals are largely unable to protect themselves from the harmful effects of data compromises, which are fueling an epidemic—a ‘scamdemic’—of identity fraud committed with stolen or compromised information,” she observes.
IBM’s Cost of a Data Breach 2022 study found the average time to identify a breach was 207 days and the average cost of a data breach in the U.S. was $9.4 million. Phishing and related exploits remain the No. 1 cyberattack vectors that lead to data breaches, followed by ransomware, the report says.
But IBM also found information is being withheld. “Details in data breach notices are decreasing while the number of data breach announcements (issued by website posts and news releases) is increasing,” the report says. “As a result, consumers or businesses may not receive a direct notification of a data breach with actionable information so they can take steps to protect themselves.”
Another report, IBM Security X-Force Threat Intelligence Index 2023, notes that phishing, fraudulent emails seeking personal information and spear phishing, which targets key individuals, were the main ways in for hackers in 41% of the cases it responded to in 2022. The second route was via an organization’s public website at 26% of incidents, down from 31% in 2021. In third place at 16% was abuse of valid accounts.
The report says its study of phishing techniques showed that targeting credit card information occurred 29% of the time in 2022, down from 61% in 2021. “Lower instances of phishing kits seeking credit card data indicate that phishers are prioritizing personally identifiable information (PII), which allows them broader and more nefarious options,” the report concludes.
Prime Targets: What Are Hackers After?
“The most sought-after data types were names, Social Security numbers, dates of birth, current addresses, health information and drivers’ licenses—the kind of PII that can have serious consequences for both the individual who is compromised and their financial institution,” says Sontiq’s 2022 Digital Safety and Security Report for Financial Services. “This kind of personal data is in high demand, being sold and traded on the dark web and online forums used by identity thieves. That’s because those compromised details can be used in both traditional identity fraud and synthetic identity fraud schemes.” A synthetic identity is created from a combination of potentially valid and fabricated credentials, such as a real SSN coupled with a fake name or date of birth. (Read more about synthetic identity fraud below.)
On the dark web, hackers can pay $250 for banking or debit card information, $18 for passport numbers, $27 for a driver’s license or $30 for Amazon account details, according to a recent Statista report.
Pascual of TransUnion says credit unions need to understand what it is about their staff or members that puts them at risk so they can better protect their PII.
For example, a credit union’s security team should routinely screen the passwords members choose for online banking and other digital services against lists of passwords already compromised in breaches elsewhere. This is done at the moment a password is set or entered, comparing hashes rather than storing or reading plaintext, and a match triggers a rejection or a forced reset. “So rather than relying on just educating [members] on making smart decisions with how they handle passwords,” explains Pascual, success is about “being proactive and assuming that they’re going to make mistakes, they’re not going to follow these practices and they’re being targeted.”
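The screening described above is usually built on a k-anonymity range lookup, the pattern used by services such as Pwned Passwords: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the hash, receives every known-breached hash suffix sharing that prefix, and finishes the comparison locally, so neither the password nor its full hash ever leaves the credit union’s systems. The code below is an added example, not from the article or from TransUnion; the breach corpus is a constructed in-memory sample standing in for the remote service, and the policy split between “set” and “login” events is this example’s suggestion.

```python
import hashlib

# Constructed sample breach corpus: plaintext passwords with the number of times
# each appeared in leaks. In production this data lives with a range-lookup
# service (assumption: Pwned Passwords or equivalent) and only hashes are exchanged.
SAMPLE_BREACHED = {
    "password": 9_545_824,
    "123456": 37_359_195,
    "Summer2023!": 312,
    "letmein": 1_056_229,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key format used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Index the corpus the way the server does: 5-char prefix -> ['SUFFIX:COUNT', ...]."""
    index: dict = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(SAMPLE_BREACHED)


def range_lookup(prefix: str) -> list:
    """Stand-in for GET /range/{prefix}. The server only ever sees these 5 characters,
    which are shared by a large, anonymous set of hashes."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str) -> int:
    """How many times the password appeared in breaches; 0 if unknown.
    The full-hash comparison happens here, on the client side."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_policy(password: str, event: str) -> str:
    """Decide what to do with a compromised password (example policy, an assumption):
    - 'set'   (enrolment or change): refuse it outright.
    - 'login' (member typed their current password): it is correct, so let them in
      but force a reset and step-up authentication rather than locking them out."""
    if event not in ("set", "login"):
        raise ValueError("event must be 'set' or 'login'")
    if breach_count(password) == 0:
        return "allow"
    return "reject" if event == "set" else "allow_then_force_reset"


if __name__ == "__main__":
    for pw in ("password", "Summer2023!", "correct-horse-battery-staple-2023"):
        print(f"{pw!r}: seen {breach_count(pw)} times -> on set: {password_policy(pw, 'set')}")
```

Two caveats a practitioner should keep in mind: the check has to run while the password is in memory (at login or change), because the password hashes a credit union stores should be salted and slow, and therefore cannot be matched against a breach list after the fact; and the range lookup should be rate-limited and logged like any other call that touches a member’s authentication path.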
Pascual notes that it’s not just members or top executives with their own valuable data who are targeted by hackers. “They’re going after people who are very low on the ladder, and that’s because they just want access. They want to find a way into the organization, so they’ll take any information that they can get.”
Once you assume that people will inadvertently give hackers access, it forces the credit union to focus on how to limit any damage that can be inflicted. “You need to then figure out what changes you need to make, what controls you need to institute, in order to limit that effect.”
Pascual suggests such simple actions as blocking automatic forwarding of email to outside addresses, because hackers who gain control of a mailbox will often add a rule that silently forwards incoming messages to an external address, so they can keep reading the victim’s mail without their activity being visible to the owner.
The next step is to limit access to data and to privileged tooling such as PowerShell, Microsoft’s administrative scripting shell, which attackers routinely use to move through a network once they have a foothold.
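Blocking the forwarding itself is a mail-platform setting (in Exchange Online, for instance, the outbound spam filter policy’s automatic forwarding mode, or the remote domain’s auto-forward setting), but a practitioner also wants to find the rules an intruder has already planted. The script below is an added example, not from the article or from TransUnion: it runs over a constructed export of mailbox forwarding settings and inbox rules, shaped like what Exchange’s Get-Mailbox and Get-InboxRule report, and flags anything that sends mail to a domain the credit union does not own. The domain name, mailbox names and field names are this example’s assumptions; the “delete the original” and “punctuation-only rule name” signals are heuristics for attacker-created rules.

```python
import re
from typing import Iterable

INTERNAL_DOMAINS = {"examplecu.org"}  # assumption: the credit union's own mail domain(s)

# Constructed sample export. Field names are this example's, chosen to mirror the
# Exchange attributes they stand for (ForwardingSmtpAddress, ForwardTo, RedirectTo,
# ForwardAsAttachmentTo, DeleteMessage). Recipients appear as Exchange renders them.
SAMPLE_EXPORT = [
    {"mailbox": "teller1@examplecu.org", "forwarding_smtp_address": None,
     "rules": [{"name": "Move newsletters", "enabled": True, "forward_to": [],
                "redirect_to": [], "forward_as_attachment_to": [], "delete_message": False}]},
    {"mailbox": "loanofficer@examplecu.org", "forwarding_smtp_address": None,
     "rules": [{"name": ".", "enabled": True,
                "forward_to": ["Archive [smtp:archive.box@mail-example.net]"],
                "redirect_to": [], "forward_as_attachment_to": [], "delete_message": True}]},
    {"mailbox": "cfo@examplecu.org",
     "forwarding_smtp_address": "smtp:cfo.backup@webmail-example.com", "rules": []},
    {"mailbox": "hr@examplecu.org", "forwarding_smtp_address": None,
     "rules": [{"name": "Copy to benefits", "enabled": True,
                "forward_to": ["smtp:benefits@examplecu.org"],
                "redirect_to": [], "forward_as_attachment_to": [], "delete_message": False}]},
]

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_addresses(recipients: Iterable[str]) -> list:
    """Pull plain SMTP addresses out of Exchange-style recipient strings such as
    'Display Name [smtp:user@host]' or 'smtp:user@host'."""
    found = []
    for recipient in recipients:
        found.extend(m.group(0) for m in ADDRESS_RE.finditer(recipient))
    return found


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True unless the address belongs to one of our own domains or a subdomain of one."""
    domain = address.rsplit("@", 1)[1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def find_external_forwarding(export, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return one finding per external forwarding target, with the reasons it was flagged."""
    findings = []
    for mbx in export:
        owner = mbx["mailbox"]
        # Mailbox-level forwarding is set by an admin or via compromised admin rights and
        # bypasses inbox rules entirely, so it is checked separately.
        mailbox_forward = mbx.get("forwarding_smtp_address")
        if mailbox_forward:
            for addr in extract_addresses([mailbox_forward]):
                if is_external(addr, internal_domains):
                    findings.append({"mailbox": owner, "rule": None, "target": addr,
                                     "reasons": ["mailbox-level forwarding to external domain"]})
        for rule in mbx.get("rules", []):
            targets = extract_addresses(rule.get("forward_to", [])
                                        + rule.get("redirect_to", [])
                                        + rule.get("forward_as_attachment_to", []))
            external = [t for t in targets if is_external(t, internal_domains)]
            if not external:
                continue
            reasons = ["inbox rule forwards or redirects to external domain"]
            if rule.get("delete_message"):
                reasons.append("rule also deletes the original (hides the forward from the owner)")
            if not re.search(r"\w", rule.get("name", "")):
                reasons.append("rule name is blank or punctuation only (heuristic for attacker-created rules)")
            if not rule.get("enabled", True):
                reasons.append("rule is currently disabled but could be re-enabled")
            for target in external:
                findings.append({"mailbox": owner, "rule": rule.get("name"),
                                 "target": target, "reasons": list(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_EXPORT):
        print(f"{f['mailbox']}: rule={f['rule']!r} -> {f['target']} | " + "; ".join(f["reasons"]))
```

Run this on a fresh export after any suspected account compromise and on a schedule; a forward to an internal shared mailbox (the HR example) is normal business and is not flagged, while a forward to an outside webmail domain, especially combined with deleting the original, is the pattern Pascual describes and warrants immediate review of that mailbox’s sign-in history.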
Synthetic Identity Fraud
A growing security problem is that hackers will often combine real data with fake information to create a synthetic identity. They’ll then use this realistic-looking identity to apply for credit cards or other products that can be used to form a credit history. This opens the door to larger, ongoing fraud opportunities.
The Federal Reserve estimates annual synthetic identity fraud losses at $20 billion in 2020, naming it the fastest-growing financial crime.
Fraudsters increasingly use synthetic identities to commit payments fraud, which can escape detection by today’s identity verification and credit-screening processes, the Federal Reserve says. Over time, fraudsters build up the creditworthiness of the synthetic identity, purchase high-value goods and services on credit and disappear. Because the identity was never real, it’s difficult, if not impossible, to find the perpetrators. Meanwhile, anyone whose Social Security number was used for fraud faces the time-consuming process of correcting their credit reports.
“Crime rings see attractive opportunities in synthetic identity payments fraud,” said Ken Montgomery, chief operating officer at the Federal Reserve Bank of Boston, in a 2019 press release. “Law enforcement officials, financial institutions, and other organizations recognize it as a growing concern. But unfortunately, many consumers don’t realize how it can hurt their access to credit or how to protect themselves.”
Pascual notes that even when consumers are given the tools to protect themselves, they don’t necessarily use them. “Credit unions mightily struggle with getting members to turn on two-factor authentication, to turn on card controls, to turn on alerts or notifications—all these things that they’ve already paid for, but no one uses,” he says.
He urges credit unions to help their members understand the security risks they face and prioritize their efforts to protect the usernames and passwords of their likely 50 to 100 online accounts. Turning on two-factor authentication is a great first step.
Beware the Ransomware Radar
The Q2 2022 Coveware Quarterly Report estimates that more than 70% of ransomware attacks are against businesses with fewer than 1,000 employees. The average ransom payment was $228,200 in 2022, but the median was only $36,000, indicating that most of the victims paying up were smaller companies.
“We have also seen an encouraging trend among large organizations refusing to consider negotiations when ransomware groups demand impossibly high ransom amounts,” the report says.
One high-profile Canadian company refused to pay a ransom demand in early February and was knocked offline for weeks. Indigo Books & Music Inc. said its network was hijacked via the well-known ransomware-as-a-service LockBit. The online book retailer eventually had to rebuild its website from scratch.
Indigo said none of its consumer data was compromised but later admitted that it had lost the personal information of thousands of current and former employees, according to a report from the CBC. The attackers threatened to post that information on the dark web.
The company did not pay the ransom. “The privacy commissioners do not believe that paying a ransom protects those whose data has been stolen, as there is no way to guarantee the deletion/protection of the data once the ransom is paid. Both U.S. and Canadian law enforcement discourage organizations from paying a ransom,” the company noted, according to SecurityWeek.
For credit unions working on their ransomware response plans, one consideration is purchasing cyberattack insurance to limit their losses. The Federal Financial Institutions Examination Council does not require cyber insurance but suggests it as an option.
“Cyber insurance may be a component of a broader risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure,” the council said in a statement. “An effective system of controls remains the primary defense against cyber threats.”
But your best insurance may be to hire a psychologist and study human nature.
Art Chamberlain is a writer who reports on the U.S. and Canadian credit union systems.