Compliance: NCUA issues email compromise fraud risk alert

August 6, 2019

NCUA issued a risk alert (19-RISK-01) this week describing the increasing frequency of, and losses related to, business email compromise fraud schemes. The alert describes the attack, how to report it to law enforcement, how law enforcement generally responds, and ways to prevent, report and recover from business email compromise fraud.

“Credit unions can take steps to prevent this type of fraud and should report such fraud, when it occurs, to the FBI’s Internet Crime Complaint Center,” NCUA Chairman Rodney Hood notes. “Credit unions that report incidents to the Internet Crime Complaint Center promptly increase their opportunity to recover funds that have been wired under fraudulent pretenses.”

Business email compromise occurs when a criminal uses email to impersonate a legitimate business or person in order to request, or gain access to, payments under fraudulent pretenses. The Internet Crime Complaint Center’s goal is to identify suspicious wire transfers quickly and freeze the funds before they are transferred onward or withdrawn from the suspect’s account.

Credit unions can take the following steps to help prevent business email compromise fraud:

  • Never change payment instructions (beneficiary, account or routing details) without verifying the change with the intended recipient
  • Verify the full sender email address, not just the display name, particularly when reading mail on a mobile device, where mail clients often show only the display name
  • Use a two-step verification process for wire requests from members, and verify using email addresses and phone numbers already on file rather than the contact details supplied in the wire transfer request
  • Require staff to investigate and verify changes to members’ personal information, to the business practices of the credit union’s vendors, or to member business accounts
  • Know the routines of members’ wire activity and contact them about any changes or concerns before sending a wire transfer
  • Verify transaction details with the recipient bank before sending a suspicious wire transfer
  • Use email spam filters to quickly identify potentially fraudulent or spoofed emails
  • Create rules in the credit union’s intrusion detection or mail filtering system to flag emails from domains that closely resemble, but do not match, the credit union’s own domain or those of its members
  • Use caution when posting information on social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details
  • Implement multi-factor authentication (MFA) for corporate e-mail accounts that requires at least two pieces of information to log in (something a user knows, such as a password, and something a user has, such as a one-time code or dynamic PIN)
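The lookalike-domain rule in the list above is the one item that is a concrete detection technique rather than a procedural control. The following is an added example of that logic, written for this page and not taken from the NCUA alert or from any vendor product. It folds a sender domain into a "skeleton" (lowercase, accents stripped, a small illustrative set of confusable characters and digits mapped to Latin letters) and then compares it against a list of trusted domains for four common tricks: confusable spellings, a trusted name used as a subdomain of an attacker domain, the same name under a different TLD, and typo-squats within a small edit distance. The trusted domains, the confusables table and the sample From: headers are all constructed for illustration.

```python
"""Flag sender domains that resemble, but are not, trusted domains.

Added example for a mail-gateway or IDS rule; not the NCUA's or FBI's tooling.
All domain names below are hypothetical and the headers are constructed.
"""
import unicodedata
from email.utils import parseaddr

# Hypothetical domains of the credit union itself, its members and its vendors.
TRUSTED_DOMAINS = {"examplecu.org", "acmemember.com", "vendorpay.net"}

# Illustrative confusables: Cyrillic letters and digits that render like Latin
# letters. A production rule would use a full table such as Unicode TR39.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "0": "o", "1": "l", "3": "e", "5": "s",
})
# Letter pairs that read as a single letter in many fonts.
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def normalize(domain: str) -> str:
    """Fold a domain into a skeleton so visually similar strings compare equal."""
    skel = unicodedata.normalize("NFKC", domain.lower()).translate(CONFUSABLES)
    # Strip accents: decompose, then drop combining marks (e.g. "é" -> "e").
    skel = "".join(c for c in unicodedata.normalize("NFKD", skel)
                   if not unicodedata.combining(c))
    for pair, single in MULTI_CHAR:
        skel = skel.replace(pair, single)
    return skel


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_trusted_domain).

    verdict is 'trusted' (the domain or one of its subdomains), 'lookalike'
    (resembles a trusted domain without being one) or 'unrelated'.
    """
    if not domain:
        return ("unrelated", None)
    for t in sorted(trusted):
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    skel = normalize(domain)
    labels = skel.split(".")
    for t in sorted(trusted):
        t_skel = normalize(t)
        t_labels = t_skel.split(".")
        # 1. Confusable spelling that folds to the same skeleton.
        if skel == t_skel:
            return ("lookalike", t)
        # 2. Trusted name planted as a subdomain of an attacker-controlled domain.
        if skel.startswith(t_skel + "."):
            return ("lookalike", t)
        # 3. Same registered name under a different TLD (.com instead of .org).
        if len(labels) >= 2 and labels[-2] == t_labels[-2]:
            return ("lookalike", t)
        # 4. Typo-squat: a few characters dropped, swapped or inserted.
        if levenshtein(skel, t_skel) <= max_distance:
            return ("lookalike", t)
    return ("unrelated", None)


def scan(headers):
    """Classify the sender domain of each From: header; returns (domain, verdict, match)."""
    return [(sender_domain(h),) + classify(sender_domain(h)) for h in headers]


if __name__ == "__main__":
    SAMPLE_FROM_HEADERS = [  # constructed for this example
        "Treasury <ops@examplecu.org>",                       # legitimate
        "Treasury <ops@examplecu.\u043erg>",                  # Cyrillic о in "org"
        "Treasury <ops@examplecu.org.payments-review.com>",   # trusted name as subdomain
        "Treasury <ops@examplecu.com>",                       # TLD swap
        "Member AP <ap@acrnemember.com>",                     # "rn" for "m"
        "Vendor <billing@vendor-pay.net>",                    # inserted hyphen
        "Newsletter <news@unrelatedbank.example>",            # unrelated
    ]
    for domain, verdict, match in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10} {domain:45} {match or ''}")
```

The edit-distance threshold is the knob to tune: with short trusted domains a distance of 2 will also catch legitimate, unrelated names, so a real rule would route "lookalike" hits to a quarantine or banner rather than rejecting outright, and would treat a flag as a trigger for the out-of-band callback the earlier items describe, not as a verdict on its own.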

More self-protection strategies are outlined in the Department of Justice’s “Best Practices for Victim Response and Reporting of Cyber Incidents.”