October is National Cybersecurity Awareness Month and a perfect opportunity to ensure your credit union is buttoned up against the latest fraud and cybersecurity threats. Particularly as we approach election season and the holidays, when fraud attempts tend to ramp up, credit unions and members will need to be extra vigilant about protecting their personal and financial information. In the last three months alone, the Better Business Bureau has reported over 16,000 scams across the United States.1
As custodians of their members’ financial wellness, credit unions have a duty to be prepared for the latest fraud, phishing and cybersecurity threats, and to provide regular and detailed communication to members.
To help you in that effort, here are the three biggest fraud and cybersecurity trends to watch for in the final quarter of 2020:
Phishing attacks have been the biggest source of fraud throughout COVID-19, according to a new TransUnion study.2 Preying on consumers’ financial vulnerabilities, fraudsters have been targeting them with emails and text messages that trick them into clicking links that install malicious software or fool them into divulging personally identifiable information.
Fraudsters are even using popular social media platforms like WhatsApp and Facebook to send fake messages that appear to originate from major corporations like Pepsi, Whole Foods and Target, offering consumers money via grants, giveaways and food coupons.
“These attacks are only going to become more common as we look forward in 2020,” said CO-OP Chief Information Security and Privacy Officer Paul Love. “Often messages are spoofed to appear like they were forwarded by a friend. However, these messages are fake and designed to get recipients to provide personal information or click a link that installs malware on the user’s computer.”
What Should Credit Unions Do:
“Remind your members never to click on or share any suspicious emails or links that are not from a credible/known source,” said Love. “Think of your personal and financial information like the door to your house; you wouldn’t let just anyone in without first verifying who they are. This is also a good time to remind your employees about the risks associated with phishing, as fraudsters often look to exploit cybersecurity vulnerabilities within financial institutions.”
Election and Holiday Scams
Fraudsters are opportunists, which means they will fully attempt to capitalize on the upcoming election and holiday shopping season. One cybersecurity firm has already uncovered 75 fake websites registered over the summer related to mail-in voting.3 The Better Business Bureau recently issued a warning about phony robocall scams designed to trick Americans into donating to their candidate.
The holidays are also a prime opportunity for fraudsters, and with so many members now shopping online or doing curbside pickup, the potential for card-not-present or even “friendly” fraud is much higher.
What Should Credit Unions Do:
As with phishing, these scams tend to rely on consumers not practicing good data hygiene or willingly sharing their information.
“It just takes one wrong click and suddenly members’ financial accounts are compromised,” said Love. “Regularly posting about the importance of cybersecurity, either on your website or social channels, may just provide that voice in the member’s head that makes him or her think twice about clicking an email or sharing their credit card information.”
“It’s really important to involve your members in the fight against fraud,” adds Ashley Town, CO-OP’s Vice President of Fraud Services. “One way to do that is by encouraging them to sign up for fraud text alerts, so that they can instantly respond if a suspicious transaction shows up on their account. Another is to support them with card controls, so that they can actively monitor and control their spending. This way, if fraud does occur, a member can quickly spot it and shut off their card before losses spiral out of control.”
Tightening Up Internal Security
Don’t forget about your own credit union’s security vulnerabilities, particularly if your workforce is remote, says Love.
“Even if you think things are generally okay, it’s always worth going back and reviewing audit logs on key financial systems to confirm that anomalies haven’t happened or asking your internal audit team to perform targeted reviews of critical systems. If you want greater assurances, you might hire a penetration tester or a compromise assessor. A penetration tester will look for security vulnerabilities that might allow someone to access your data or your IT systems, and a compromise assessor will look for indications that an attacker has accessed or is currently accessing your systems or data.”
He adds that remote workers should be reminded that their workstation at home should have in place the same protections it would have at the office:
- A secure computer, equipped with the latest malware and virus protection software
- A secure data connection across an encrypted WiFi network
- A secure workplace, where he or she can take calls in private and no one else has access to their computer screen