Protecting Your Credit Union from Phishing Attacks

Over the past number of years, phishing and ransomware campaigns are responsible for the majority of the value of claims analysed across all industry sectors.

As a financial institution, Credit Unions arguably hold more personally identifiable information than many other types of organisations. Examples may include sensitive customer information, credit card details and information on property titles. An attacker would have ample amounts of data to access, exploit and monetise if your organisation was successfully phished.

Phishing - The Most Widely Used Form of Cyber Attack

Phishing isn’t a new phenomenon; it is one of the most widely used forms of cyber attacks, quite simply because it is easy to set up and it’s highly effective. In 2021, over 94% of all cyber attacks began with a phishing email, with the primary goals likely being sensitive information compromise, or the delivery of ransomware onto the victim’s network.

What is a Phishing Attack?

Phishing is traditionally one of the most popular ways for an attacker to gain a foothold in an organisation.

Phishing is the act of enticing someone to perform some kind of action or divulging confidential information. The purpose of these is generally to get users to:

1. Give up their login credentials
2. Inadvertently install malware
3. Provide credit card details or other sensitive information

The Cost of a Phishing Attack for Cyber Criminals

Phishing attacks are a relatively inexpensive exercise for malicious actors. The availability of tools, information and cheap resources has made it easier for attackers to increase their effectiveness.

Using modern technologies, the infrastructure and tools needed to set up a simple phishing campaign can be as little as €20. These tools may include:

• A phishing domain name, similar to the target
• A tool to clone a commonly used web page e.g. company login portal
• An SSL certificate (to make the web page HTTPS)
• Web hosting for your fake website
• Setup time, to create the infrastructure

The Cost of Being a Victim of a Cyber Attack

All it takes is one employee falling for a phishing scam for your entire organisation's infrastructure to be breached and held to ransom by malicious actors.

Being the victim of a cyber attack can be costly, and can result in the following impacts to the following:

• Loss of revenue
• Loss of customer confidence
• Loss of brand reputation
• Regulatory Fines.

Spotting a Phishing Attack

Spotting a phishing email is not an exact science as malicious actors are continuously changing their techniques. However, below is some guidance that will help you root out the majority of malicious emails.

Call to action

Attackers will often include some element of urgency in order to get the user to comply with their requests. Common examples include threatening the user with legal action, requesting an important document or providing a receipt or delivery docket for something that the user has not purchased.

Suspicious links

One of the easiest ways to identify a phishing email is to determine if the link they have sent the user is valid. This can be accomplished by holding your mouse over the URL, and not clicking it. This will display the destination of the URL in the bottom left corner of the screen. There are some immediate red flags to watch out for:

• Misspellings of common URLs - goodle, faceboook, anazon.co.uk
• URL shorteners - Bitly, TinyURL, etc.

Suspicious Attachments

Attackers will often send out emails containing files that execute malicious code when they are downloaded and opened. These will commonly take the form of business documents, invoices, delivery notices and more. We recommend that users are extremely wary when opening files from unknown sources.

How Secora Consulting Can Help

One of the best ways to reduce the likelihood of a successful attack is through experience.

At Secora Consulting, we offer tailored Phishing Simulations to determine how effectively your Credit Union can identify incoming phishing attacks.

The simulation not only measures failures within staff awareness, but also provides you with an insight into what an attacker might be able to achieve once inside your organisation.

Get in touch if you have any questions or would like to learn more about our tailored Phishing Simulations.