In February, the National Credit Union Administration (NCUA) put out a statement noting that, due to the geopolitical climate, credit unions should “adopt a heightened state of awareness and to conduct proactive threat hunting.”

Beyond the geopolitical climate, banks and financial institutions have seen a dramatic increase in attacks. 


This is particularly relevant for credit unions. More than 66% of credit unions lack proper email security to protect against phishing, according to a report. Another study found that 92% of credit unions don’t have proper security. 

Hackers are taking advantage of this lack in email security by spoofing credit unions in order to obtain credentials from end-users. 

Starting in February 2022, Avanan researchers have seen a significant uptick in spoofs of local credit unions, all with the goal of taking funds and credentials from end-users. In this attack brief, Avanan will analyze how threat actors are impersonating local credit unions to get into the inbox. 


In this attack, hackers are spoofing credit unions.

There are a number of variations, ranging from wire transfer codes to incoming payment notifications to document alerts.  

The idea is for the end-user to see a notification from their bank, click and enter credentials and do other banking activities. 

  • Vector: Email
  • Type: Credential Harvesting, Financial Scam
  • Techniques: Impersonation
  • Target: Any end-user



In this attack, threat actors are spoofing local credit unions. 

Email Example #1


This email appears to the end-user as a document notification. Notice that the link does not go to the credit union website. 


Email Example #2

This email is another notification from a credit union–again, the URL is off. 


Email Example #3

This is a more aggressive tactic, where the spoofer asks for money to stop a transfer.


Email Example #4:

This email showcases an incoming debit. 



In this attack, hackers are spoofing credit unions to steal personal information and extract money.

They are using a variety of lures–a document alert, an incoming payment notification and more. All of these are designed to get the user to act.  When the user clicks the lure, they are taken to a fake sign-in page that imposters the credit union.  Once the user types in their credentials, the phisher gains all the information they need to access the user's account.  From the recipient's perspective, it appears that the website is unresponsive after they type in their username and password.

What makes these attacks interesting is that credit unions are among the most trusted in the financial sector. During the height of the pandemic in 2020, 73% of credit union customers rated being happy with their bank; credit unions consistently outrank big banks in customer satisfaction and trust.

When that trust is abused–in this case by malicious actors– everyone suffers. The financial risk for credit unions can go as high as $1.2 million per attack.

Add in the fact that financial institutions are among the most impersonated in phishing attacks, and that phishing attacks against financial sectors increased by 22% in 2021, and this rise in credit unions spoofs is not surprising. 

With limited email security in place at many credit unions, the rise of these spoofs spells trouble for the unions and for consumers.


Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Check sender address before interacting with any email from your credit union
  • Be wary of personal banking emails going to your business email address, especially if you've never given your business email address to your credit union
  • Hover over URL to see where the link is headed; do not click if the URL is not your credit union's
  • Call bank directly or directly visit credit union website (i.e., type website into your browser) if unsure about the legitimacy of an email