By Josh Shaul
Even as more banks and other financial institutions take steps to boost their budget allocations for improved cybersecurity, the risk of an attack continues to grow.
According to IBM’s most recent report, the average cost of a data breach is $4.35 million per company. Cyber threats have become so pervasive that annual global cybercrime costs are estimated to grow to $10.5 trillion by 2025.
These troubling statistics spell bad news for credit unions, which are particularly vulnerable. According to some reports, 66% of credit unions and 88% of their associated vendors lack the proper security to prevent attacks. This year has also been the worst phishing year yet, with millions of unique phishing websites launched in the second quarter.
Worse yet, phishing scams are becoming increasingly sophisticated, even stealing two-factor authentication codes from consumers and employees.
Out of all the present threats, one of the most insidious is brand impersonation, involving fake websites that can lure victims into entering their credentials where they will be stolen and compromised. For credit unions of all sizes, it is now more important than ever to not only educate employees and members on these dangers, but to also take additional steps to proactively seek out and destroy phishing scams impersonating their brand.
At least 20 percent of credit unions experienced an online brand impersonation attack in the first 90 days of 2022.
Understanding Brand Impersonation
As defined by the Federal Trade Commission, brand impersonation is a type of phishing scam, usually executed through SMS or email, in which an unsuspecting victim is lured into sharing highly sensitive information with a cybercriminal impersonating a recognizable brand.
These impersonators will often have an air of authority and warn of dire consequences should victims not comply, such as having their funds locked unless they do as they are told. Targets are typically directed to click on a provided URL that will take them to a fake site that, on the face of it, can look very convincing. Even just clicking the URL can trigger a malware download on a victim’s device that immediately compromises their security. It is estimated that the median loss for individuals (in your case, credit union members) who fall prey to these attacks is $1,000.
Becoming More Sophisticated
While most of these brand impersonation scams tend to employ a scattershot approach of sending out millions of messages in the hope that some recipients will comply, some scammers are employing far more sophisticated methods.
For instance, free and low-cost phishing toolkits make it very easy for scammers to craft a fraudulent website that looks very similar, if not identical, to a legitimate one. These fake sites include convincing logos and log-in fields, all of which make it very difficult for recipients to distinguish a scam email from a real one.
Why Credit Unions Are Vulnerable
Until now, credit unions may have assumed they were not big enough to attract the attention of cybercriminals. Depending on their size, CUs typically have fewer cybersecurity resources, all while their members are completely unaware that they may be in the crosshairs.
Recently, NCUA corrected this assumption when the organization put out a warning on the heightened risk of phishing attacks targeting federally insured credit unions. Cybercriminals know that many credit unions are vulnerable and are increasingly deploying their more sophisticated targeting methods against unassuming credit union employees and members.
The challenge for credit unions, particularly small ones, lies in finding room in their annual budgets to increase the scope and efficiency of their cybersecurity protocols. Many financial organizations are currently undergoing a shift towards greater digitalization in how they carry out their operations. While increasing the services available through digital channels can greatly improve the member experience, it can also increase the potential for brand impersonation when action is not taken to protect the brand online.
Tips for Preventing Brand Impersonation
In the meantime, there are some practical steps that credit unions can begin implementing right now that will help in their fight against brand impersonation.
Start with the following:
- Educate and Mitigate. Inform all new and current members that you will never solicit confidential or sensitive member information via email, SMS, or random calls. Send out periodic reminders to all members to only engage with you via your official website by typing in the URL themselves or via phone numbers listed on their payment cards.
- Create a Unique Brand and Register Any and All Related Trademarks. Impersonation fraud is harder to pull off when the target has distinctive, trademarked logos. Having a unique, trademarked logo also makes it easier to enforce a site takedown when an impersonated site is detected, since you can more easily prove that forgery has taken place.
- Establish a Strong Online Presence. Ensure that you take ownership of accounts associated with your brand on various social media platforms, even if they’re not priorities in your marketing strategy. Also, create social media accounts for your top executives across all the major social media sites. Scammers have been known to create fake social media accounts impersonating employees to dupe unsuspecting victims.
- Build a Strong Monitoring and Response Strategy. To proactively find and mitigate online brand impersonation attacks, credit unions need to deploy a monitoring and response strategy for dealing with impersonation sites. Smaller credit unions that don’t have the time or expertise to handle this internally at scale should consider partnering with an online brand protection provider that can automate their monitoring and response strategy. Each provider will have its own protocols for dealing with a site takedown request, and without a trusted relationship already built with the provider, takedowns can take longer, thus enabling fraud to persist.
Final Thoughts
Brand impersonation fraud can be incredibly costly for credit unions, resulting in not only lost money but also a damaged reputation that can take years to recover from. Follow the above tips and begin making plans for a more systematic overhaul of your cybersecurity protocols for the next annual budget meeting. You owe it to your members to take every precaution to protect their funds and personal information.
Josh Shaul is CEO of Allure Security and author of Practical Oracle Security.
