Employees key to phishing defense

Orange County’s Credit Union makes staff an invaluable part of the security process.

November 30, 2020

Phishing attacks can leave credit unions vulnerable to security leaks, especially because the attacks often prey on the emotions of an employee or member to gain access to valuable information.

In phishing attacks, scammers use email or text messages to trick recipients into giving them confidential information. This is why regular and thorough staff training is crucial to protect members’ information.

One Santa Ana, Calif., credit union has made huge strides in this effort.

Orange County’s Credit Union has implemented an anti-phishing program that makes staff an invaluable part of the security process.

Orange County’s information security team involves all employees in regular phishing tests and connects them with resources about phishing and how to avoid scams.

“We also reach out to associates after the phishing test emails and do one-on-one training with them,” says Kevin Hill, information security manager at the $2 billion asset credit union. “We show them anything they might have missed and what a typical phishing email might include.

“We want this to be a collaborative approach to maintaining and improving security,” he continues. “This approach works by reinforcing to associates they are an important part of the security team.”

It’s working. Orange County’s phishing email failure rate is well below the industry average of 2.4%, Hill says.

Accountability is another reason testing is successful. Security testing is part of all employees’ performance appraisals to ensure staff takes security seriously and stays vigilant.

Typical signs of a phishing email include inconsistencies in email addresses, links, or domain names; poor grammar and misspellings; and suspicious attachments.

But scammers are getting more sophisticated, Hill says.

“For instance, there are fewer phishing attacks with typos and poor grammar compared to a couple years ago,” he says. “One thing you almost always see is a sense of urgency. Scammers want to prey on the recipients’ emotions to force a quick action and make them act irrationally.”

With this sense of urgency in mind, Orange County’s advises members to carefully read all messages from the credit union and contact the credit union directly if there is any question of validity.

Orange County’s educates members that staff can assist them with next steps, payments, or other measures to keep them in good standing and protect their assets, and that it will never ask members to verify their PINs, Social Security numbers, account numbers, or other confidential information via email.

Hill advises other credit unions to test employees often and to not underestimate the value of staff in the fight against fraud.

“Our associates have made a big difference in the security of our credit union,” he says. “Having a dedicated staff committed to cybersecurity is part of our promise to take care of members.”