From large to small, the financial services sector is often the target of email phishing schemes and other malicious attacks, and credit unions are no exception. The FBI reports that Business Email Compromise or Email Account Compromise (BEC/EAC) has seen a surge in those types of attacks, now a “$26 billion scam.” These exorbitant losses have prompted the FBI and law enforcement to become highly versed in the nature of these scams and how they are perpetuated. Still, fraudsters are always using more cunning methods to successfully access sensitive information.

Business Email Compromise is on the rise

Account takeovers are a part of this influx in Business Email Compromise, though some also speculate that these account takeovers include data gathering, which is then used to create ACH files. The Association for Financial Professionals (AFP) survey reports that ACH credit scams using BEC rose from 12 percent in 2017 to 33 percent in 2018. 

BEC is a robust effort on the part of fraudsters, who target those in companies with financial credentials access through a variety of measures. This may include social engineering, or grooming, combined with network intrusions. It’s a patient effort and one that continues to rapidly develop as these efforts continually seek to evade law enforcement. These fraudsters can cultivate the appearance of a relied vendor or another business, and exploit those with access to financials to provide sensitive information.

Fraudsters do their homework

It would seem that most phishing scams are obvious and avoidable, but the ingenuity of hackers and the development of new technologies and tactics indicate that companies need to stay on their toes through protection and cybersecurity education. Those seeking to infiltrate accounts and information will take the time to even look at social media accounts and other marketing to understand the culture of a company.

Email fraudsters have become savvier at making payroll fraud schemes appear to be official direct deposit submission forms, and might include an email with details requesting changes to direct deposit information. When that information is provided, the information points to another account, often a prepaid card. For example, one type of email scam includes a link to a spoof login page. When employees input their credentials to this page, the fraudster can use this information to access other employees’ personal information. 

In other cases, the fraudster might not request a transfer of funds. Rather, they are looking to obtain W-2 forms and Personally Identifiable Information.

Even while fraudsters are developing new methods of getting in, they’re also developing new methods of getting away. Domestic wire transfers have become more common than international ones, as law enforcement is now savvier at detecting those transactions when they are international since there is a slight delay in processing. During that lag in time, law enforcement is able to step in and stop the transfer. 

In 2018, Operation WireWire, involving the efforts of the Department of the Treasury, U.S. Postal Inspection Service, and the Department of Homeland Security, a six-month mission which resulted in dozens of arrests across the globe, and helped to recover $14 million worth in fraudulent wire transfers. 

Steps for prevention

The efforts of fraudsters have a significant impact on the global economy. Learning how to stop these malicious attacks on your business not only helps to ensure your members’ well-being but contributes to a greater purpose.

Educate your employees: 

Give employees clear, actionable instructions for looking out for the following:

• Mismatched emails or URLs that don’t represent the business or person it claims to be sent from;
• Any misspellings or unfamiliar URLs should be an immediate red flag;
• Get versed in the most common leading BEC email keywords used in 2018;

Steps you can take:

• Enable two-factor authentication or use another channel to verify requests for account changes.
• Monitor finances and note any irregularities, especially missing deposits. 
• Update all systems and keep software patches on. 

Being the victim of BEC can be an enormous financial loss and blow to a company.

In our compatibility with various types of credit union software, we provide an advantage to a wider berth of credit unions. We help you to provide a sense of security to your customers. 

If you’d like to learn how you can stay protected against financial cybercrime, get in touch.

Read more about why credit unions are a common target of email scams.