Dear Boards of Directors and Chief Executive Officers:
The on-going conflict in Ukraine has raised concerns about potential cyberattacks in the U.S., including those against the financial services sector. All credit unions and vendors, regardless of size, are potential targets for cyberattacks, like social engineering and phishing attacks, and must remain vigilant. Your credit union should report any cyber incidents to the NCUA, your local FBI field office (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) or the Internet Crime Complaint Center (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , and the Cybersecurity and Infrastructure Security Agency (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) .
This Risk Alert reminds credit unions of the ongoing threat of social engineering and phishing attacks and reiterates the continued importance of educating your employees and members on how to avoid these threats.1
What Is Phishing?
Phishing is a technique that uses email or malicious websites to solicit personal information or to get victims to download malicious software by posing as a trustworthy entity. Another variant of phishing, known as smishing, uses SMS or other text messaging applications to get victims to click on malicious links to achieve similar goals to email phishing.
What Are Common Indicators of Phishing Attempts?
- Suspicious sender’s address that may imitate a legitimate organization;
- Generic greetings and signature, and a lack of contact information in the signature block;
- Spoofed hyperlinks and websites that do not match the text when hovering over them; some web addresses may also look official but include a subtle change, for example, 0 instead of O, or suffixes like .com instead of .gov for government websites;
- Misspelling, poor grammar or sentence structure, and inconsistent formatting; and
- Suspicious attachments or requests to download and open an attachment.
How Do You Avoid Being a Victim?
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes clicking on or following links sent in email.
- If you are unsure whether an email request is legitimate, try to verify it by contacting the entity directly, by another means, such as the phone.
- Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
- Take advantage of any anti-phishing features offered by your email client and web browser.
- Use and enforce the use of multi-factor authentication.
The NCUA encourages credit unions to review the Cybersecurity and Infrastructure Security Agency’s Shields-Up website (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) , which provides information about cybersecurity threats, including several resources and mitigation strategies.
The NCUA recently created the Automated Cybersecurity Evaluation Toolbox or ACET, for federally insured credit unions to use when evaluating their levels of cybersecurity preparedness. The ACET is a downloadable, standalone app developed to be a holistic cybersecurity resource for your credit union. ACET incorporates appropriate standards and practices established for financial institutions and across the cybersecurity discipline, like the Federal Financial Institutions Examination Council’s IT Examination Handbooks and the National Institute of Standards and Technology’s Cybersecurity Framework.
The ACET is an excellent resource — especially if your credit union is small or has limited resources. It is available to you from the NCUA at no cost and credit unions can find the tool on the agency’s website at www.ncua.gov/cybersecurity.
Also, know that the NCUA will never call, text, or contact you on social media to ask for money, personal information, or your login credentials for systems, like MERIT or your credit union’s network.
I encourage you to review this letter and to contact your NCUA Regional Office or state supervisory authority if you have any questions on this subject.
Todd M. Harper
1 The National Institute of Standards and Technology (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) provides multiple definitions for social engineering, including “[a]n attempt to trick someone into revealing information (e.g. a password) that can be used to attack systems or networks.”