By: David Bryant, Chief Information Security Officer, Velera

October has been recognized as Cybersecurity Awareness Month since 2004. This month serves as an annual reminder about the importance of cybersecurity and protecting your employees and credit union from online threats. 

In today’s increasingly digital world, cyber threats have evolved into sophisticated schemes designed to exploit people, as well as technology. Chief among these, phishing and cyber extortion have become prevalent tactics used by cybercriminals to steal sensitive information or extort money. Understanding how to detect these threats is crucial to safeguarding personal and financial information, in order to protect your employees and credit union. Quickly identifying phishing attempts and recognizing the signs of cyber extortion is key to staying safe.

Understanding Phishing

Phishing is a cyberattack in which criminals attempt to deceive individuals into revealing personal information, such as login credentials, credit card numbers or other sensitive data. Typically, this is done by masquerading as a trustworthy entity through email, text messages or even phone calls. Here are key indicators to detect phishing:

• Suspicious Sender Addresses:  Phishing emails often come from addresses that appear legitimate at first glance but have subtle differences. For example, an email might come from "support@financia1.com" instead of "support@financial.com." Always inspect the sender's email address carefully. Remind employees to be on the lookout for hard to spot typos and attempts to confuse by using numbers instead of letters, as in the previous example.
   
• Generic Greetings:  Cybercriminals often use generic greetings like "Dear Customer" instead of an actual name. Legitimate companies usually personalize their communications.
   
• Urgent or Threatening Language:  Phishing attempts often create a sense of urgency or fear, pressuring recipients to act quickly. For instance, someone might receive a message claiming their account will be suspended unless they take action to verify their personal information immediately. It may also attempt to scare recipients by threatening police or FBI action. The cybercriminals may also use the same tactics over voice channels as well (which is commonly referred to as “vishing”).
   
• Unsolicited Attachments or Links:  Employees and members should be wary of emails with attachments or links, especially if they are unsolicited. These may contain malware or lead recipients to a fraudulent website designed to steal personal information. Cybercriminals will often steal usernames and passwords with attacks like these —often under the guise of retrieving a secure message from a known contact or business. Another popular scheme is to use an attached file that claims to be an important document, but is in fact a malware file designed to steal data.
   
• Mismatched URLs:  Remind employees to hover over links to see the actual URL before clicking. If the URL doesn’t match the context or seems suspicious, it’s best to avoid clicking on it.

Recognizing Cyber Extortion

Cyber extortion involves threats or demands made by cybercriminals, usually for financial gain. The most common form of cyber extortion is ransomware, where attackers encrypt data and demand a ransom for the decryption key. Here’s how to spot signs of cyber extortion:

• Pop-Up Warnings:  Cyber extortionists often use pop-ups to inform that a system has been compromised. These pop-ups typically demand payment in exchange for restoring files or stopping a supposed attack.
   
• Unexpected Email or Messages Demanding Money:  Remind employees to be on the lookout for emails or messages that demand payment to avoid a negative consequence, such as the release of compromising information or decryption of files. These are classic signs of cyber extortion.
   
• Claims of Possessing Sensitive Information:  In some cases, cybercriminals may claim they have obtained sensitive information and threaten to release it unless a ransom is paid. These threats may come via email or through other communication channels.

Steps to Protect Your Employees

Now that your employees know what to look out for, how do they protect themselves?

• The first step is to stay educated. Provide educational materials or training sessions to regularly update employee knowledge on the latest phishing techniques and extortion schemes. Awareness is always the first line of defense.
   
• Require employees to implement strong, unique passwords for each of their accounts. Consider allowing the use of a vetted and approved password manager to keep track of them.
   
• Consider using two-factor authentication everywhere you can. Two-factor authentication adds an additional layer of security, making it harder for cybercriminals to access an account even if they have the password. This usually involves getting a code or using a commercial authentication app (Microsoft Authenticator, for example). Employees should never share this code with anyone. There are no good reasons why someone would need that code unless they are trying to get into personal information.
   
• Work with your IT team to require employees to regularly update their operating system, antivirus software and other applications to protect against the latest threats. Staying current on patches and security updates is a fundamental way to prevent bad things from happening.
   
• Keep backups of critical data and test them often. In the case of a ransomware attack, having backups of your credit union’s data can be a lifesaver, allowing you to restore your system without paying the ransom.
   
• Verify any request for sensitive information. Build this step into processes. If an employee receives an unexpected request for personal information, they need to verify the request by contacting the company directly using a known, legitimate number or email address.

Phishing and cyber extortion are serious threats that can have devastating consequences if not recognized and addressed promptly. By staying vigilant and following the tips outlined above, you can significantly reduce the risk of your employees and credit union falling victim to these cybercrimes. Remember, the best defense is a combination of awareness, proactive measures and a healthy dose of skepticism when it comes to unsolicited communications. Stay safe online!

As Velera’s Chief Information Security Officer, David Bryant is responsible for the systems and processes that protect Velera and Member data. He leads the teams that implement and support information security technology and architecture as well as technology focused compliance programs. David also develops Information Security strategy for Velera to reduce and manage risk and integrate cyber protections into business functions. His teams publish and maintain all security policies, standards and processes, as well as measure the effectiveness of the programs on a regular basis. 

David has worked in the Information Security space for over 20 years in a variety of positions both in operations, strategy and architecture for several large, multi-national companies in a variety of industries with a focus on financial services. He has certifications as a Certified Information Security System Professional (CISSP), Certified Pen Tester (CPT) and Certified Ethical Hacker (CEH), among others. David has spoken at several large Information Security focused events and participates in multiple industry security forums and advisory boards.