NAFCU Services Blog

Produced by Jay Slagel, VP of Risk Management at Allied Solutions

Due to a general lack of awareness, fraudsters are often successful in obtaining your account holders’ private information using various social engineering methods.  Because of this, it is essential that you raise awareness among your employees about the causes of social engineering fraud and the prevention measures your financial institution has in place to combat these attacks.

Social engineering fraud occurs in a variety of ways:

• Phishing attacks via email or phone, where the fraudster claims to be a person of authority to obtain confidential and personal information.
• Impersonation of a fellow employee, friend, or vendor to gather personal and confidential account information.
• Obtaining personal and confidential information from digital storage devices (such as thumb drives, phones, or CDs) or paper documents that were not discarded properly.
• Offering prizes or gifts via phony emails or calls in exchange for private information and/or money.
• Baiting is when a person leaves an infected storage device, like a thumb drive or CD, at a location where someone would likely find it to entice the individual to load the infected device onto their computer.
• Phone phishing where the fraudster uses an interactive voice response system (IVR) to duplicate a message from the person’s financial institution, directing the account holder to input their confidential and personal information.

Credit unions can defend against social engineering fraud by changing their corporate culture through education and training. Employees should know how to recognize methods of social engineering and how to combat those attacks.

Actions your financial institution should take to combat social engineering include:

1. Determine which employees have access to sensitive information, and may be targeted.
2. Educate employees about ongoing threats.
3. Verify that deposited checks clear before permitting a withdrawal or transfer.
4. Establish a multi-level authentication process for financial transactions or account change requests that are not performed in person.
5. Never open attachments or links in emails received from untrusted sources and do not forward these emails.
6. Tell employees to be wary of any prizes or offers made over the phone or through email, especially those that offer to update, correct, or solve a computer issue or problem.
7. Protect private information on documents or storage devices no longer needed before shredding or destroying.
8. Conduct tests to determine where system vulnerabilities exist and promptly address those areas of weakness.
9. Monitor social media outlets to reduce the chance of sensitive information being posted.

It is likely that one or more of your employees will be the target of a social engineering scheme, but taking proactive steps early and often will help your financial institution to remain protected from these fraud attempts.

Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown (MBP); and rateGenius.  More educational resources and contact information are available at www.nafcu.org/allied