BEC: The Hidden Threat Credit Unions Keep Overlooking

Opinion – Charles Nerko

It starts with a puzzled phone call: “Hey, did you mean to send this email?” The caller—a vendor, a longtime member, or even a peer at a neighboring credit union—sounds confused. You don’t remember sending the email. And it’s not in your sent mail folder. But something feels unsettling. A few days ago, you received a similar email from someone else. That’s when the dread sinks in.

By the time most credit unions realize they’ve been hit by a business email compromise (BEC) attack, the damage has already been done. The hacker has had days, sometimes even weeks, to quietly lurk in an account, exfiltrate data, and manipulate emails to dupe your contacts into installing malware or funneling money into accounts that will be drained before anyone catches on. Attackers often delete sent and incoming emails, frustrating detection.

These attacks are pervasive, and many credit unions still don’t grasp the full scope of the threat. It’s human nature to look for a quick fix and believe that a BEC is just another tech glitch. Many times, credit unions fall back on the same inadequate responses: call tech support, reset the account’s password, run a virus scan, and move on.

They’re wrong. And that’s exactly why credit unions make such lucrative targets.

Myth #1: Running a Virus Scan and Changing the Account’s Password Is Sufficient

A common knee-jerk reaction to discovering a compromised email account is to run a virus scan and change the password. Logical, but wholly inadequate. Attackers, anticipating this response, often establish persistence by creating email forwarding rules. These rules automatically redirect incoming messages to an external account, so the attacker can continue to monitor emails even after a password change.

Without a thorough forensic review, hackers can maintain access even after the password is changed. A thorough review means scrutinizing activity logs, checking for unauthorized forwarding rules, and investigating whether sensitive information was, or is still being, accessed. Simply changing a password and running a virus scan is like locking the front door while leaving the windows wide open.
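The persistence mechanisms described above (forwarding rules, mailbox-level forwarding, and silent deletion) can be checked mechanically once the mailbox's rules, settings, and audit events have been exported. The script below is an added example for this article, not the author's or any vendor's code: it runs three review passes over constructed records whose field names mirror the output of Exchange Online's Get-InboxRule, Get-Mailbox and Search-UnifiedAuditLog cmdlets. Every domain, address, and IP in it is hypothetical, and the internal-domain and known-IP lists are assumptions a real review would replace with the credit union's own values.

```python
"""Post-compromise mailbox checks (added example, not from the article).

Looks for the persistence the article describes: inbox rules that forward or
redirect mail outside the organisation, rules that delete messages, mailbox-
level forwarding, and rule/mailbox changes made from unfamiliar client IPs.
All records below are constructed; field names follow Exchange Online's
Get-InboxRule, Get-Mailbox and Search-UnifiedAuditLog output, but every
value is hypothetical.
"""
from __future__ import annotations

INTERNAL_DOMAINS = {"examplecu.test"}                 # hypothetical CU domain
KNOWN_CLIENT_IPS = {"203.0.113.10", "203.0.113.11"}   # constructed (RFC 5737 range)

# Constructed Get-InboxRule style export for one mailbox.
SAMPLE_RULES = [
    {"Mailbox": "cfo@examplecu.test", "Name": "Vendor invoices", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False},
    {"Mailbox": "cfo@examplecu.test", "Name": "Copy to assistant", "Enabled": True,
     "ForwardTo": ["assistant@examplecu.test"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "cfo@examplecu.test", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["cfo.archive@mail.example.net"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
]

# Constructed Get-Mailbox style forwarding settings.
SAMPLE_MAILBOXES = [
    {"Identity": "cfo@examplecu.test", "ForwardingAddress": None,
     "ForwardingSmtpAddress": "smtp:cfo.archive@mail.example.net",
     "DeliverToMailboxAndForward": True},
    {"Identity": "teller1@examplecu.test", "ForwardingAddress": None,
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False},
]

# Constructed audit events in the shape of Search-UnifiedAuditLog records.
SAMPLE_AUDIT = [
    {"CreationDate": "2024-05-02T13:04:11Z", "UserIds": "cfo@examplecu.test",
     "Operations": "New-InboxRule", "ClientIP": "198.51.100.77"},
    {"CreationDate": "2024-05-02T13:05:40Z", "UserIds": "cfo@examplecu.test",
     "Operations": "Set-Mailbox", "ClientIP": "198.51.100.77"},
    {"CreationDate": "2024-05-03T09:12:00Z", "UserIds": "cfo@examplecu.test",
     "Operations": "MailItemsAccessed", "ClientIP": "203.0.113.10"},
]

# Operations that create or alter forwarding rules / mailbox forwarding.
RULE_CHANGE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}


def is_external(address: str | None) -> bool:
    """True when an SMTP address belongs to a domain the credit union does not own."""
    if not address:
        return False
    addr = address.lower().removeprefix("smtp:")
    domain = addr.rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def review_inbox_rules(rules: list[dict]) -> list[dict]:
    """Flag enabled rules that send mail outside the organisation or delete it."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", False):
            continue
        reasons = []
        for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            external = [a for a in rule.get(key) or [] if is_external(a)]
            if external:
                reasons.append(f"{key} -> {', '.join(external)}")
        if rule.get("DeleteMessage"):
            reasons.append("DeleteMessage=True (hides mail from the account owner)")
        if reasons:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                             "reasons": reasons})
    return findings


def review_mailbox_forwarding(mailboxes: list[dict]) -> list[dict]:
    """Flag mailbox-level forwarding, which survives an inbox-rule cleanup."""
    findings = []
    for mb in mailboxes:
        reasons = []
        if is_external(mb.get("ForwardingSmtpAddress")):
            reasons.append(f"ForwardingSmtpAddress -> {mb['ForwardingSmtpAddress']}")
        if mb.get("ForwardingAddress"):
            reasons.append(f"ForwardingAddress set to {mb['ForwardingAddress']} (verify recipient)")
        if reasons:
            findings.append({"mailbox": mb["Identity"], "reasons": reasons,
                             "keeps_local_copy": bool(mb.get("DeliverToMailboxAndForward"))})
    return findings


def review_audit_events(events: list[dict], known_ips: set[str]) -> list[dict]:
    """Flag rule or mailbox configuration changes made from unfamiliar client IPs."""
    return [e for e in events
            if e.get("Operations") in RULE_CHANGE_OPS and e.get("ClientIP") not in known_ips]


if __name__ == "__main__":
    checks = (("Inbox rules", review_inbox_rules(SAMPLE_RULES)),
              ("Mailbox forwarding", review_mailbox_forwarding(SAMPLE_MAILBOXES)),
              ("Config changes from unknown IPs",
               review_audit_events(SAMPLE_AUDIT, KNOWN_CLIENT_IPS)))
    for title, result in checks:
        print(f"== {title} ==")
        for item in result:
            print(" ", item)
```

On the constructed data the first pass flags only the rule named "." (external redirect plus deletion), leaving the internal copy-to-assistant rule alone; the second pass catches the mailbox-level SMTP forward that an inbox-rule cleanup would miss; the third pass surfaces the rule and mailbox changes made from an address not in the known-IP set, which is the kind of entry a forensic review of activity logs should correlate with the time the account was first reported as compromised.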

Myth #2: Technical Controls Alone Can Stop BEC

Many credit unions pour resources into advanced email security tools and assume they’ve closed the door on BEC. They haven’t. These defenses mitigate, not eliminate, risk. Attackers sidestep them by stealing legitimate credentials or infiltrating email threads.

Requests to make wire transfers or change a vendor’s payment address should never be approved based solely on emails. Verification should require a second channel—such as a phone call to a known contact—before funds are moved or payment instructions are changed. Since hackers can easily spoof Caller ID and mimic a trusted contact’s voice with AI, never rely on a well-timed incoming call from a familiar voice to “verify the email I just sent.” 

Instead, initiate those verification calls to a validated phone number.

Myth #3: BEC Is a Technical Problem, Not a Legal One

BEC is not only an IT problem but also a legal risk that could threaten a credit union’s safety and soundness. A compromised inbox may expose member information to hackers, leading to identity theft, extortion, or fraud. NCUA regulations require credit unions to report security incidents like BECs, and state laws may also require notification to state authorities and impacted consumers. 

These breaches often spark regulatory investigations and legal claims. Members, employees, and business partners may sue the credit union for exposing sensitive information, and card networks can make claims for PCI-DSS violations when card information is compromised.

Legal support is critical. Engaging counsel early ensures compliance, protects attorney-client privilege for sensitive discussions, and positions the credit union to handle potential investigations. Moreover, the credit union’s board plays a key role in cybersecurity oversight and should be briefed on any BEC. 

Legal counsel helps put these incidents into perspective—providing strategic guidance, navigating regulatory duties, and reinforcing the institution’s compliance and resilience.

Myth #4: Our Tech Support Can Handle This

A compromised network presents an immediate dilemma: who investigates and remediates the breach? Many credit unions turn to their own IT teams. But doing so can underserve the credit union and give rise to conflicts of interest.

If security controls fail under your IT team’s watch, your IT team may downplay their shortcomings, distort the root cause, or be inadequately equipped to respond. Worse, credit unions must also account for insider threats, which are rarely examined with appropriate rigor unless an outside forensics team is brought in.

Cyber insurance is a valuable resource, covering legal fees, independent forensic investigations, remediation, regulatory notifications, consumer disclosures, and even crisis PR support. However, securing these benefits requires thoughtful claim management and advocacy. While insurers may provide legal counsel to assist a credit union, that attorney may lack the independence to fully advocate for the credit union against its insurer to secure the maximum available cyber insurance benefits.

Big Hit for a Small CU

A small credit union hit by BEC can easily face five or even six figures in costs for investigation, remediation, and notifications. With the right legal strategy, much of those costs shift to a cyber insurer. Independent counsel ensures the insurer pays what it should. 

Many credit unions retain their own attorney early to manage the claim and push the insurance company for coverage. Later, an insurer-appointed attorney takes over the investigation—an approach that may seem redundant, but that often produces savings, shifting more costs away from the credit union by maximizing the insurance company’s financial and resource contribution.

BEC doesn’t come with alarms or flashing warnings. It seeps into routines, preys on trust, steals sensitive data, alters transactions, and barely leaves a trace. 

What Really Matters

What matters isn’t whether an attack happens, but how a credit union reacts. A botched response amplifies the damage—deepening financial losses, inviting regulatory scrutiny, and shaking member confidence. The credit unions that recover best are those that treat cybersecurity as a legal and business risk, not simply an IT concern; pull in outside experts; and act decisively. 

When these incidents happen, a well-prepared response makes all the difference.

Charles Nerko leads the data security litigation team at Barclay Damon LLP. He advises credit unions on cybersecurity, data incident response, third-party vendor management, and litigation. He can be reached at [email protected].
