County-City CU Employee Social Engineering Threat Test

The link you clicked on was part of a test to determine whether credit union employees are vulnerable to a social engineering attack.  Please use the information below to better protect yourself, the credit union’s computer system, and our member data from a social engineering attack.

WHAT IS A SOCIAL ENGINEERING ATTACK?
Social engineering attacks attempt to fool unsuspecting users or employees into taking an action (such as downloading malware, sharing sensitive information, granting system access, or divulging a password) that a cyber criminal can then use to compromise our computer system, steal member data, or conduct other malicious activity.  The fraudsters often use social skills to trick victims into taking action by creating a false sense of urgency, importance, or relevance.

HOW COULD I HAVE KNOWN NOT TO TRUST THIS EMAIL?
The email you received had a yellow alert at the top indicating it came from outside of CCCU’s email network.  Emails truly sent by a coworker will not have that yellow warning. If the yellow banner appears on an email from a CCCU employee, it didn’t actually come from that employee – it was ‘spoofed’ by someone outside of the credit union to look like it came from someone you know.

WHAT SHOULD I DO DIFFERENTLY IN THE FUTURE?
1) Any time an email from a coworker has a link, attachment, or an unusual request, do not take action until you make sure it does not have the yellow banner at the top warning you it actually came from someone outside of our organization.

2) Emails coming from senders outside of the credit union are even trickier.  When those emails have a link, attachment, or request, make sure it was something you were expecting before taking action.  If you weren’t expecting the email, call the sender to verify it is legitimate.  Even if you recognize the sender’s name or email address, it is possible their email was hacked or spoofed.

3) Report any suspected scam emails to Beth right away so the rest of our team can be alerted.  Delete scam messages immediately.  Clicking on links or attachments could allow our system to be compromised.

OTHER SOCIAL ENGINEERING SCHEMES
Keep in mind social engineering can also be attempted by phone or even text message, so it is important to always verify who you are speaking with before releasing information or taking action.

I CLICKED THE LINK.  NOW WHAT?
Don’t panic if you clicked the link this time.  This was a test to make sure our team is properly trained and prepared to block attack attempts.  Please learn from this experience, and take this opportunity to be more alert and to strengthen your email security practices.  My goal is to make sure we all “pass the test” when it really matters.

Thank you for helping us keep our system and member records safe.

Beth Krahn