Email security provider Avanan revealed in a Thursday report that a new phishing campaign exploits local credit unions to steal money and data. According to Avanan’s research, phishing emails are masqueraded as legit messages from high-profile companies/businesses. They are sent to lure the recipient into sharing login credentials and sensitive data of the spoofed company.
A dramatic rise in Credit Union Spoofing Phishing Campaigns
Check Point firm Avanan claims that since February 2022, there has been a dramatic increase in phishing campaigns impersonating credit unions. The same was observed by the National Credit Union Administration (NCUA), which even advised credit unions to stay cautious about emerging new threats amid the ever-changing geopolitical situation.
Referring to CISA’s advisory in January regarding Russian state-sponsored cyber threats to critical US infrastructure, NCUA noted that the risk of cyberattacks on US institutions has two-fold.
Hackers Exploiting Undeveloped Email Security
Although all financial and banking institutions are vulnerable to spoofed phishing emails but local credit unions are particularly vulnerable to such attacks due to insufficient security measures, researchers claim.
Reportedly, 92% of the credit unions mainly lack proper security, while 66% lack adequate email security, which makes them at risk of phishing campaigns. Furthermore, credit unions generally rank higher than larger banks, so their members are far more likely to trust messages/notifications from them. This has led to an uptick in local credit unions spoofing phishing campaigns.
Threat actors frequently use tactics like document alerts, wire transfer codes, and incoming payment notifications. The goal, however, is the same, which is to compel the recipient to enter account credentials and perform banking activities.
According to Avanan’s blog post, attackers use several different ways to obtain account details. In one of the phishing emails, the recipient was invited to click on a link for viewing their account statements and documents online.
Another email contained a link related to an important notice, while a third one interestingly requested money to stop wire transfer. The fourth one offered an ACH debit. In all the cases, the link provided in the email redirected the victim to a fake sign-in page supposedly belonging to the credit union. The user enters credentials on that page, which are sent to the attackers, and they use them to compromise the account and steal funds.
From the recipient’s perspective, the website appears unresponsive after they type in their username and password.
It is worth noting that credit union attacks like these could have substantial financial repercussions as the risk goes as high as $1.2 million for larger credit unions.