MADISON, Wis.–It’s no secret that it isn’t just the number of fraud attempts to a credit unions that is the threat, but the increasing sophistication—including the growing ability to penetrate two-factor authentication—according to several experts.
Ken Otsuka, risk management senior consultant, and Andrea McKay, claims manager with Beazley Insurance Services, which provides cyber insurance to many credit unions, shared with TruStage’s Discovery 2025 virtual conference a number of insights that should have CU leaders rethinking security.
In Otsuka’s case, the first point he touched on was how artificial intelligence is really fueling social engineering fraud attempts (and successes) at credit unions, along with other developing threats.
Bad actors are using AI to expand their phishing, smishing and vishing (voice phishing) attacks, he said, often succeeding in getting around two-factor authentication.
Automated Tools
“Fraudsters are using automated tools such as one-time passcode bots, or OTP bots, as well as sophisticated phishing kits to achieve scale,” he explained. “When up to 1,500 members can be targeted you know the fraudsters have to have some sort of automated solutions at their at their fingertips like OTP bots. Those are designed to steal one-time passcodes. It’s software that’s made available on the dark web.”
Man-in-the-middle attacks remain prevalent, Otsuka added, as do phishing emails and smishing text messages containing links to spoof sites made to appear like the credit union’s online banking login page.
“You would not believe the number of members that would click on that link and enter their credentials to the spoof site,” Otsuka said, noting tools available to fraudsters can immediately send the two-factor authentication codes and other credentials to fraudsters, who can just as quickly begin transferring funds out of accounts.
BEC Fraud
Although not new and despite awareness and training initiatives by TruStage, credit unions and others, Otsuka said business e-mail compromise (BEC) schemes and related wire fraud losses continue and “tend to be very, very large, very severe in dollar amount.”
“It typically starts with the bad actors compromising the CEO’s e-mail account and what they end up doing is they send a spoofed e-mail to someone like the CFO…to request a wire either to pay a vendor or to make a purchase,” Otsuka said.
A second piece of the BEC threat involves combing through email to access s sensitive information to also steal funds.
“What I’m really, really worried about with the BEC scams is the use of deep fake technology, where they can mimic the CEO’s voice in a live voice call or they can mimic the CEO in a live video conference call,” Otsuka added.
Penetrating Two-Factor Authentication
But it’s the ability by fraudsters to penetrate two-factor authentication systems—which he noted many credit unions believe gives them strong protection—that Otsuka said should actually have everyone worried.
“The fraudsters’ tactic is to say, ‘Mr. Member, I need to verify your identity, I need to verify that I am speaking to the real Ken Otsuka, so I am going to send you a passcode and you’re going to have to read it back to me,” he explained. “So, the fraudster initiates some sort of transaction like targeting the ‘forgot password’ feature that triggers a passcode to me. I get it, I read it back over the phone to the fraudster, and now the fraudster can successfully reset my online banking password.”
Adjusting Microsoft 365 Settings
Derek Laczniak, senior insurance and risk advisor with M3 Insurance, reminded that for credit unions that have migrated to Microsoft 365, it can be set-up to delineate what a bad actor has looked at in a penetration of an email inbox. That helps to reduce some of the legal issues and costs, as well as the notifications that must be provided, he said.
Hitting the Jackpot
If all the other threats weren’t enough, Otsuka also cautioned credit unions to be aware of the increasing incidence of jackpotting, where fraudsters are able to inject malware into an ATM or multiple ATMs and then get the machines to dispense cash.
He said TruStage saw approximately 45 claims in 2024 related to cases of jackpotting.
“These attacks are going to be launched during non-business hours, usually late night, on the weekends,” Otsuka said. “They can literally empty machines in a matter of minutes.”
Some Optimism, Some Pessimism
Andrea McKay, claims manager with Beazley Insurance Services, which provides cyber insurance to many credit unions, said the company is seeing incidents of BEC fraud, although the number has reduced over the last few years.
She said she’s hopeful the slowing trend is the result of all the training that has taken place.
Where the company has seen an almost doubling of fraud instances is in ransomware, according to McKay.
“I think what’s most concerning is that we’ve had some really large ransomware payments to threat actors in the credit union space that have been very costly, and on the team I work on, the small business team, our policy limits are relatively low—one or two or sometimes $3-million, which a lot of times is not enough,” McKay said. “Sometimes, there’s a very large ransomware payment and then you also have a class action arise out of it. That’s the kind of stuff that keeps me up at night.”
The Vendor Breach Threat
McKay added that while there hasn’t been a recent incident, vendor breaches also remain a big concern.
“I fear that insureds don’t always understand what their contracts say, what kind of data they’re holding for their vendors, what kind of data their vendors are holding for them, and who is responsible when that data is breached on either side,” McKay said. “I just worry that companies aren’t aware enough of what is in their contracts and who’s liable. There is a limitation of liability. I just want all of our insureds, including our credit unions, to really be thinking about what data their vendors are holding that belongs to them and what happens if there is a breach.”