How a Late-Night Phone Call Almost Cost Me Everything–And What You & Your CU Should be Doing

By Karl Appel

It was the middle of November 2024, and I was in the thick of a grueling schedule, clocking over 80 hours a week, with Thanksgiving soon approaching. Exhaustion wasn’t just a feeling; it was my baseline, managing a new retail business I started while simultaneously working as the lead software developer on my own startup. That is exactly when the phone rang.

The experience that followed is a lesson for not just credit union professionals and staff, but also board members, many of whom use personal email accounts to manage their credit union-related business.

The call I received came from an unknown number with a Palo Alto area code—the home of Google. Normally, I screen these calls, but they had left an intriguing message about my business email account that piqued my curiosity. When I called back, a gentleman answered. He was polite, professional, and seemingly helpful. He sounded exactly like a support technician should sound. He knew details about me, effectively using them to build immediate rapport and trust. He claimed there was an issue with the payment method on my Gmail account and that he could help me resolve it quickly.

The Friendly Façade Crumbles

Then came the pivot. In order for him to help me, he said he needed the two-factor code that I had just received on my phone to verify my account.

In that instant, the friendly facade crumbled, and I was hit with a sudden wave of panic. I realized exactly what was happening: he was trying to get me to hand over my two-factor authentication code. The implication was terrifying—if he was at the stage where he needed that code, it meant he already had my password. He wasn’t verifying my identity; he was trying to bypass the final security layer that I had set up. He had picked the lock, and now he was trying to trick me into opening the deadbolt.

Even in my sleep-deprived state, a warning bell went off in the back of my mind. As someone with a background in tech, I knew the golden rule: legitimate support agents never ask for your verification code. That code is for you and you alone.

I hung up immediately.

Damage Control Mode

After severing the connection, I went into immediate damage control. My first move wasn’t to investigate, but to lock everything down. I prioritized the most critical assets first:

I immediately changed the passwords for my credit union and financial accounts—the places where the damage could be catastrophic. Next, I secured any account with spending power or stored payment methods, followed by every service where I held a subscription. Finally, I went through and reset the credentials for every single remaining account. With my digital perimeter re-secured, I ran a virus scan on my MacBook—something I hadn’t done in a while—and the results were sobering. I found malicious software lurking on my system, which I traced back to a website link I had mistakenly clicked recently.

Human Error Opens the Door

I had done everything right on the infrastructure end, but human error, compounded by extreme fatigue, had opened a door. It’s a lesson for credit union leaders everywhere: for themselves and their staff, and for their personal accounts as much as their professional ones.

In my case, the attackers had used that malware to scrape my credentials. They had the username. They had the password. But they hit a brick wall: Two-Factor Authentication (2FA) or, as some of you may call it, “the code”.

Without that second layer of defense, my exhaustion would have been their payday. They would have logged in, changed my recovery settings, and locked me out before I even finished my coffee. From there, the hackers would have likely hit all my bank accounts, service accounts, and even impersonated me for their own financial gain. It would have been a disaster that I would still be dealing with years later.

The Terrifying Reality

The terrifying reality of this incident isn’t just that my email was threatened; it’s what that email unlocks.

In the world of credit union boards and corporate governance, we often rely on platforms like Onboard to manage sensitive documents, strategic plans, and confidential correspondence. However, many board members still use their personal email addresses (Gmail, Yahoo, etc.) as their login credentials for these high-security portals.

This creates a single point of failure. Your personal email is the “Master Key” to your digital identity. If an attacker compromises your email, they don’t need to hack your Onboard account directly. They simply go to the Onboard (or a similar platform) login page, click “Forgot Password,” and use the reset link sent to your compromised inbox, bypassing 2FA altogether where the portal has none, or satisfying it where the portal sends its second factor to that same inbox.

Once they reset that password, they have access to everything: board packets, sensitive member data, strategic financial discussions, and personal information to the detriment of yourself and your credit union.

So, You Think You’re Safe?

Some of you might be thinking, “I’m safe; I have security measures in place.” But are you?

Many of us hold on to older email accounts from the early days of the internet. Like many people, I used to have a password that contained a combination of family member names, years, and phone numbers, and I used that same password for multiple sites. Google and other providers are getting better at enforcement, but they don’t yet universally mandate 2FA for every legacy account. These older accounts often have fewer protections enabled, which is exactly what makes them targets, and you will need to turn those protections on manually.

Thankfully, after reviewing the dozens of accounts I have, none seemed to have been hacked or compromised. My story is a cautionary tale of how close a “tech-savvy” software engineer can come to a breach when life gets busy. Security isn’t just about being smart or knowing tech; it’s about having fail-safes for when you are tired, distracted, or overworked.

One Takeaway, Two Factors, Three Steps

If you take one thing away from my experience, let it be this: Enable Two-Factor Authentication on your personal email immediately.

  • Check your settings: Go to your Gmail, Yahoo, or Outlook security settings today.
  • Turn on 2FA: Ensure it is active. If possible, use an authenticator app (like Google Authenticator) rather than SMS text messages; the app is more secure, though both will work.
  • Set up recovery info: Make sure the backup email addresses listed are also secured with 2FA.
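The “Master Key” chain above (a compromised inbox unlocking every portal that resets through it, and an unsecured backup address unlocking the inbox itself) can be checked mechanically. The following is an added example, not code from the article or from any board-portal vendor; account names are constructed, and it assumes that a reset link in a controlled inbox defeats an account with no 2FA or email-based 2FA, while an app or SMS factor still blocks that path.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    """One login. For a mailbox, recovery_emails are its backup addresses;
    for a portal (board software, bank), login_email is where reset links go."""
    name: str
    login_email: Optional[str] = None
    recovery_emails: list = field(default_factory=list)
    second_factor: str = "none"   # "none" | "email" | "sms" | "app"

def reset_link_suffices(acct: Account) -> bool:
    # Assumption: a "Forgot Password" link in an attacker-held inbox takes over
    # accounts with no 2FA or email-delivered 2FA; app/SMS factors still block it.
    return acct.second_factor in ("none", "email")

def blast_radius(accounts: dict, compromised_mailbox: str) -> set:
    """Every account reachable from one compromised mailbox by chaining password
    resets, computed as a fixpoint over the login/recovery dependency graph."""
    owned = {compromised_mailbox}
    changed = True
    while changed:
        changed = False
        for acct in accounts.values():
            if acct.name in owned or not reset_link_suffices(acct):
                continue
            depends_on = {acct.login_email, *acct.recovery_emails} - {None}
            if depends_on & owned:          # reset link lands in an owned inbox
                owned.add(acct.name)
                changed = True
    return owned

def harden(accounts: dict, names: list, factor: str = "app") -> dict:
    """Copy of the account map with app-based 2FA switched on for `names`."""
    out = {n: Account(a.name, a.login_email, list(a.recovery_emails), a.second_factor)
           for n, a in accounts.items()}
    for n in names:
        out[n].second_factor = factor
    return out

# Constructed sample: a board member's accounts laid out as the article describes.
SAMPLE = {a.name: a for a in [
    Account("legacy_gmail", recovery_emails=["yahoo_backup"], second_factor="none"),
    Account("yahoo_backup", second_factor="none"),
    Account("board_portal", login_email="legacy_gmail", second_factor="email"),
    Account("credit_union_online", login_email="legacy_gmail", second_factor="app"),
    Account("streaming_sub", login_email="legacy_gmail", second_factor="none"),
]}

if __name__ == "__main__":
    print("from Gmail:", sorted(blast_radius(SAMPLE, "legacy_gmail")))
    print("from backup:", sorted(blast_radius(SAMPLE, "yahoo_backup")))
    print("after 2FA on Gmail:", sorted(blast_radius(harden(SAMPLE, ["legacy_gmail"]), "yahoo_backup")))
```

Running it shows the forgotten Yahoo backup address is as dangerous as the Gmail account itself, and that enabling app-based 2FA on the mailbox cuts that chain while the portal with email-only 2FA still falls.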

In today’s society, your email is not just a mailbox; it is your identity. It is the gatekeeper to your finances, your business, and your reputation. Don’t leave the gate unlocked.

Karl Appel is a Senior Software Engineer at the NY Bureau of Vital Records, where he leads legacy-to-cloud migrations under strict HIPAA compliance. He brings his experience in credit-union oversight and governance with more than seven years of board and supervisory committee service, pairing deep familiarity with regulated financial controls with modern technology. He can be reached at [email protected]
