LOST PINES, Texas–A pair of cyber security experts offered credit union leaders gathered here advice, strategies and more for defending themselves.
In remarks titled, “Threat Vectors: Protecting Your Institution and Members from Security Threats Macro to Micro,” attendees at Catalyst Corporate’s Strategic Summit heard from Tyler Wood, former defense intelligence agency cyber deputy division chief, and Jordan Riek, SVP-deputy chief ISO, Comerica Bank, who addressed everything from AI to training to where there are gaps in credit union security.
Approximately 70% of credit unions have experienced different types of cyber attacks this year, such as credential stuffing (when someone is using the same password for multiple accounts, such as a member who uses the same password for their account and for Netflix), according to Wood.
Credit Unions Not Alone
And credit unions are not alone, she said, citing data indicating 80% of financial institutions have reported at least one AI-related incident in 2025.
“AI and hackers have adopted,” said Wood. “But the defensive side has also adapted.”
Specifically, bad actors have moved past generative Ai to agentic AI, which has the ability to think and make decisions on the fly.
“These are much more dangerous. They can evade and pivot if threats are showing up on your systems. It’s polymorphic in nature. You need to know what APIs you are connected to and what the software is on these APIs. When audited, I’ve seen people get dinged on this over and over again.”
Zero Trust
Wood recommended credit unions adopt a zero-trust model.
“It’s a concept that states anything coming into your organization is not trusted until it proves it is trusted. And the same holds true for anything inside your organization. This significantly ups your cybersecurity posture.”
What Hasn’t Changed
And yet for all the threat changes brought about by AI, Wood said cybersecurity is about people as much as it is technology—and AI has simply made phishing attacks even more believable and dangerous.
Wood said she has a friend who does white-hat phishing attacks on companies to test their security, and he has been successful every time but once, in this case a publishing company where employees weren’t tricked. What did the company do so well?
According to Wood:
- All employees were trained far more than at most firms
- The company had recently gone through a very strict compliance audit and had just put in all the recommended remedies
- The company implemented multifactor authentication
- The company had very good incident response policies and had enacted them
- The company has very strict contracts with their third party vendors
- The company did very good auditing
Threats to Individuals
As an aside, Wood noted that posts in social media may seem innocent and be incremental, but hackers are able to create a digital footprint using all that individual information and then use Ai to aggregate it to create a very good profile of an individual. It can also be used against friends and family of the individual, she said.
“Algorithms can even determine political leanings, even if an individual has never posted anything political in the past,” said Wood, who previously did digital forensics work for the Department of Defense. “Sometimes we don’t realize just what we’re posting and how dangerous it can be.
“Your smartphone is a treasure trove for hackers,” Wood cautioned. “All of your (Internet of Things) devices connect through your phone. Losing your phone is much scarier than losing your wallet. Go to settings. Turn off unneeded services when not in use. I think you will be surprised just how much data you are sharing with companies. Some apps ask for all your contacts and they don’t need it.”
Ransomware
Woods asked for a show of hands from her audience for the credit unions that had been hit by ransomware attacks, and was surprised when no hands were raised.
She said that of those companies that have been hit by ransomware, 63% of organizations in recent incidents refuses to pay.
“One reason is more organizations have backed up data and have tested for it and are able to recover more quickly,” she said, before adding, “The other issue with ransomware is that when hackers…take data and can hold that for ransom, as well. The playing field has changed dramatically. It’s no longer about locking you out.”
Thousand-Plus Incidents
Following Wood to the stage, Jordan Riek, SVP-deputy chief ISO with Comerica Bank, pointed to NCUA data showing that during 2024 there were more than 1,000 cyber incidents reported to the agency, and that doesn’t count all those that weren’t reported, he said.
“That’s one-in-four credit unions,” he said. “The reason for the high number of incidents is that it used to be that you had fairly in-depth technical exposures on the perimeter of your network…The new order of the day is that they are bringing that threat exposure to third parties and through your people. What attackers have realized…is the weakest part of your organization is actually the people that work there…The help desk can be just too helpful.”
When it comes to protecting against deepfakes, Riek urged credit unions to train their staff to always ask if the request being made, such as for a transfer of funds, is the normal procedure.
Defending against Ransomware
Reik urged CUs to fight ransomware by:
- Adapt zero trust
- Enforce MFA everywhere
- Backup and test restore
- Monitor for anomalies. This is a continuous monitoring process of looking for things like a log-in from Egypt, for example, Riek said.
- Train staff on phishing
- Coordinate with vendors
Not Minding the Gap
Reik said common gaps in credit union security programs include:
- Outdated or incomplete asset inventories
- Lack of network segmentation and MFA gaps
- Weak vendor oversight
- Insufficient social engineering training
- Overreliance on insurance or checklists
- Insufficient testing and response procedures
Use of AI
To safely use AI, Reik offered this advice, below.
