Top-Level Takeaways
- The biggest cyber threat at Shoreline comes from scams targeting its members, not its systems.
- Strong cross-departmental communication helps the credit union catch fraud before it hits.
- Monthly phishing tests, layered security tools, and third-party audits keep defenses sharp.
At Shoreline Hometown Credit Union ($141.3M, Manitowoc, WI), size isn’t a barrier to cybersecurity. In a landscape dominated by billion-dollar institutions with sprawling IT budgets, Shoreline shows how small credit unions can fight fraud effectively by focusing on what matters most: behavior, vigilance, and smart use of tools.

“Fraud follows people,” says Nathan Grossenbach, president and CEO. “So, we start by understanding our members — that’s where the threat lives.”
Scammers don’t need high-tech tactics to do damage; they just need the trust of their mark. That’s why Shoreline, which serves nearly 8,000 members across nine Wisconsin counties, leans heavily on internal awareness, low-cost security tools, and tight coordination across teams to stop fraud before it hits.
Scammers regularly pose as celebrities, long-lost friends, or relatives in trouble to exploit the emotions — and finances — of members. Grossenbach, who’s been CEO since 2017, says his credit union has prevented what could have amounted to hundreds of thousands of dollars in fraudulent transactions that stemmed from these types of manipulations.
Internal Controls
At the institutional level, phishing attacks continue to dominate the threat landscape. Although many are poorly crafted, staff can’t rely solely on those markers and must remain vigilant against attempts to gain access to the credit union’s systems. With each employee juggling more than 25 logins, the risk increases when credentials are stored insecurely. To counter these internal threats, Shoreline rolled out KeePass, an encrypted password manager that’s tied to each user’s Windows login and protected with multi-factor authentication.
Grossenbach says this increases security while making credential management more efficient, especially during offboarding. Plus, the open-source password manager comes at a nice price point: It’s free.
Shoreline also upgraded its email security by adopting Microsoft Purview for encryption and outbound filtering.
“It’s far better than our prior solution,” Grossenbach says.
The credit union is now exploring optical character recognition (OCR) within Purview to scan images for sensitive content — think Social Security numbers and birthdates — that might otherwise slip past filters.
Shoreline also has moved to Microsoft E5 licensing, investing an extra $10 per employee each month to access stronger risk controls, analytics, and advanced protection tools, along with business intelligence and compliance features.
Collaboration Detects What Automation Might Miss
Outsourcing perimeter protection doesn’t mean setting it and forgetting it.
“Our IT manager and I still get involved and spot check the tools,” Grossenbach says.
The credit union learns things that way. For example, during a recent IT-managed services provider (MSP) transition, the team discovered security tools that weren’t functioning properly. So, Shoreline created its own test data to ensure the environment triggered the appropriate alerts.
Specifically, it designed a custom data loss prevention (DLP) lexicon to catch phrases like “account 12345” and tested whether messages containing such phrases would raise red flags. In one case, a test message did not, and that helped the team identify a configuration issue that needed fixing.
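The kind of self-test described above can be scripted. This is an added example, not Shoreline's or Microsoft Purview's configuration: the lexicon rules, the canary messages, and the specific gap shown (a rule that misses "acct" and punctuated variants) are all constructed for illustration, and the regex scanner is a stand-in for the real mail filter.

```python
import re

# Hypothetical lexicon (rule name -> pattern); assumed, not a real Purview policy.
LEXICON = {
    "account_number": re.compile(r"\baccount\s+\d{5,}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Constructed canary messages: (label, body, rules that SHOULD fire).
CANARIES = [
    ("plain phrase", "Please update account 12345 today.", {"account_number"}),
    ("abbreviated", "Transfer from acct 12345 went through.", {"account_number"}),
    ("punctuated", "Account #: 12345 is overdrawn.", {"account_number"}),
    ("ssn", "Member SSN is 123-45-6789.", {"ssn"}),
    ("benign", "Lobby hours change on Monday.", set()),
]


def scan(body, lexicon):
    """Return the set of rule names whose pattern matches the message body."""
    return {name for name, rx in lexicon.items() if rx.search(body)}


def audit(lexicon, canaries):
    """Compare fired rules with expectations.

    Returns a list of (label, missed_rules, unexpected_rules) for every canary
    whose result differs from what the policy owner expects.
    """
    gaps = []
    for label, body, expected in canaries:
        fired = scan(body, lexicon)
        missed, unexpected = expected - fired, fired - expected
        if missed or unexpected:
            gaps.append((label, sorted(missed), sorted(unexpected)))
    return gaps


# Corrected rule: accept "acct" and up to four separator characters before the digits.
FIXED = dict(
    LEXICON,
    account_number=re.compile(r"\b(?:account|acct)\b\W{0,4}\d{5,}\b", re.IGNORECASE),
)

if __name__ == "__main__":
    for name, lex in (("original", LEXICON), ("fixed", FIXED)):
        print(name, audit(lex, CANARIES) or "all canaries behaved as expected")
```

Rerunning the same canary set after every filter or provider change turns a one-off spot check into a regression test; the benign canary guards against a fix that over-matches.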
Grossenbach encourages credit unions of all sizes to build internal testing into their routine and not rely solely on vendors. This hands-on strategy helps detect gaps that automated monitoring might overlook. Shoreline also conducts monthly social engineering tests, mostly via email, to keep employees alert.
“It took maybe a handful of hours to set up the program,” Grossenbach says.
Today, ongoing management is largely automated with affordable campaigns that come with educational modules for staff who fall for the bait.
Not Taking The Bait
Cross-functional coordination is also key. Grossenbach points to an incident in which the credit union caught a fraud attempt thanks to communication across departments. A member asked about Apple Pay on social media, then requested an online banking password reset and contacted accounting soon after.
The pattern seemed harmless in isolation, but when pieced together, it raised red flags. The member’s personal information — including account numbers and transaction history — had been stolen. It wasn’t the member after all. Because the staff shared details quickly, Shoreline stopped $7,000 in fraud before it occurred.
To reinforce these efforts, Shoreline has deployed a few targeted steps.
- Using a security code process for members, which sends codes to their phone when no passcode is set.
- Investing in stronger CRM tools to track member interactions across all channels, not just at the front line.
- Working with local authorities, anti-fraud groups, and FinCEN 314(b), while using Verafin to flag suspicious activity.
Audits Over Assessments, Action Over Paperwork
Shoreline isn’t waiting for regulatory prompts to evaluate its security posture. It had been using the now-sunsetted FFIEC Cybersecurity Assessment Tool (CAT), but the credit union won’t miss that.
“As a small credit union, we did the CAT, but I don’t know that it had a ton of value for our organization,” Grossenbach says. “It was simple enough to complete, but it did not provide guidance or tools to improve.”
Shoreline instead is using third-party IT audits every 12 to 18 months. That’s not cheap, but Grossenbach says the audits have provided more actionable insight than any self-assessment could.
The audits are comprehensive and go far beyond checklists or surface-level reviews:
- General Controls Review — Evaluates current policies and controls for data protection and physical access.
- Internal Vulnerability Scan — Assesses patch status, operating systems, and other basic internal security standards.
- External Vulnerability Scan — Probes the network perimeter for entry points; one scan found a misconfigured ISP certificate. (Security misconfigurations all too often lead to cybersecurity incidents, including data breaches.)
- Internal Penetration Test — Tests how far an attacker could get using admin credentials post-phishing. Grossenbach says these results were eye-opening.
A particularly impactful discovery came when an external scan revealed that certificate issue on Shoreline’s ISP velo-cloud, something that otherwise would have gone unnoticed. That kind of hidden vulnerability underscores the value of deep, outside-in scrutiny, the Shoreline chief executive says.
More External Behavioral Data, Smarter Internal Behavior
Looking ahead, Shoreline is integrating more behavioral data into its fraud detection systems and continues to build partnerships that go beyond tech.
Being small doesn’t mean being soft. Shoreline is proving that proactive, hands-on defense — not expensive software alone — is what closes the gap. Its approach blends practical audits, open-source tools, and cross-staff accountability and teamwork.
“You don’t need a huge budget to get this right,” Grossenbach says. “You need to stay engaged, test your assumptions, and keep your people sharp.”
As cyber threats grow more complex, Shoreline’s aim is to outsmart, not outspend, the problem. That’s a playbook any credit union, no matter the size, can follow.