For credit unions, it is not just about protecting the vault; it is about shielding sensitive information from determined and increasingly innovative cybercriminals, who continuously probe external defenses and devices.
When it comes to external fraud threats, the size of the financial institution does not matter.
“Credit unions are faced with the same threat of external fraud as the regional and big banks,” Brian Reinger, workflow developer at the $8.6 billion Chicago-based Alliant Credit Union, said.
However, the data footprint does matter. Many financial services organizations don't know what, how much or where personally identifiable information exists on their networks, including financial and credit card data, social security numbers and healthcare information.
“Sensitive data footprints are becoming hot topics, especially at the executive level, and organizations in all industries are concerned about how much sensitive data they have,” former ethical hacker and CEO of New York City-based Identity Finder Todd Feinman explained.
Organizations have to protect all sensitive data that in the wrong hands could lead to identity theft. In the case of credit unions, that includes member data such as social security numbers, addresses, drivers’ licenses and birth dates.
Internal fraud will always be a problem, but there are a limited number of insiders who normally have direct data access, Eldon Sprickerhoff, chief security strategist at the Canadian firm eSentire, maintained.
“On the other hand, the threat from external attackers, thanks to the increase in organized criminal interest/activity, is still significantly greater,” he said.
It is not just the hacker living across the globe looking to attack the infrastructure that financial institutions need to worry about, but also the third parties such as those that service IT and ATMs, Dodi Glenn, vice president at the Sioux City, Iowa-based PC Pitstop, suggested.
“In some ways, smaller financial institutions are at greater risk of external fraud than the mega banks because they lack the resources and breadth of data to detect these attacks,” Agari Field CTO John Wilson pointed out.
Dusan Petricko, the digital forensics and cybersecurity manager at New York City-based LIFARS, noted some smaller financial institutions lack the technology, knowledge, and resources to protect themselves adequately.
Sprickerhoff warned of a few broad categories of externally based fraud where cybercriminals desire access to users’ accounts.
- With a lean approach, they exploit individual account holders. This puts the primary onus on the individual account holder to prevent loss of credentials (email and/or account credentials) and on the financial institution to detect unusual behavior within the account.
- With a broad approach, the external attacker gains access through weaknesses within the financial institution’s security stance to obtain a large number of individual accounts.
- Another common approach comes via business email compromise, where a wire transfer request comes through a faked email account that looks legitimate.
The Anti-Phishing Working Group just announced that the number of observed phishing attacks in Q1 2016 hit a new high since it began tracking these statistics in 2004. The APWG noted a 250% increase in phishing sites between October 2015 and March 2016 — and the 2016 uptick indicates an alarming trend.
Read the full story of external fraud threats in the June 15 issue of Credit Union Times.