February 11, 2019

FIs' BSA officers targeted by phishing scam

Bank Secrecy Act (BSA) officers at credit unions and other financial institutions have been targeted in a phishing campaign, indicating a possible leak of BSA contact data. Under the USA Patriot Act, financial institutions are required to appoint at least two BSA contacts and register these officers with the appropriate regulator.

The NCUA issued a release Friday saying it had conducted a comprehensive review of security logs and alerts, and had not found any indication that information on its systems had been compromised. The agency directed credit unions to report suspicious activity, and to use its Cybersecurity Resources webpage.

KrebsOnSecurity first reported on the campaign and said emails began arriving Jan. 30. The article also mentions a notice from the Financial Crimes Enforcement Network (FinCEN) indicating its awareness of the phishing campaign and urging financial institutions to ignore the targeted emails.

As part of the scam, emails appear to be sent from BSA officers at other institutions claiming a suspicious transfer was put on hold because of money laundering concerns. The emails include a PDF, which itself is not malicious but does include a bad link.

NAFCU will continue to monitor this developing story and keep credit unions updated.

In December, KrebsOnSecurity reported on bomb scare hoaxes that were also targeting financial institutions in an attempt to extort money. The IRS also warned of an uptick in tax-related phishing scams.

NAFCU has cybersecurity compliance resources available online, including a cybersecurity assessment tool workbook; a webinar available on-demand also details how to identify cybersecurity risks and vulnerabilities.