Cyber threats are evolving fast. So are the defenses credit unions use to stop them and the regulatory expectations and tools at their disposal.
From phishing attacks powered by generative AI to increasingly sophisticated social engineering schemes, bad actors are escalating their tactics, prompting financial cooperatives to respond with new tools, stronger policies, and tighter collaboration across departments.
Leaders from 11 credit unions talk about tackling today’s top cybersecurity and fraud threats, what cross-functional strategies help them scale security, and how they’re adapting to changing regulations like the end of the FFIEC Cybersecurity Assessment Tool (CAT).
Enjoy reading all of the insights across this two-part series, featuring insights from: Bay Federal, BCU, Credit Union 1, MariSol FCU, MSUFCU, Royal Credit Union, Seattle Credit Union, Shoreline Hometown Credit Union, Sunward FCU, Teachers FCU, and UVA Community Credit Union.
The Cornerstone Of Cybersecurity

Richard Roark joined Bay Federal Credit Union ($1.8B, Capitola, CA) in 2016 and leads the organization’s technology and information security departments, the project management office, and the business intelligence area.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Richard Roark: Financial institutions like ours are high-value targets, and attackers are now using AI to generate highly convincing emails, texts, and even voice scams that make it harder for employees and members to detect fraud.
We’ve built a layered defense strategy. Our Vulnerability Extermination Team (VET) focuses on eliminating critical and severe vulnerabilities using the CISA framework to prioritize based on real-world exploitability. We also run nightly internal/external scans and bring in third parties to conduct penetration testing and social engineering exercises throughout the year, ensuring we’re not just checking boxes but actively validating our defenses.
AI and automation play a central role in our response. We’re using AI-driven tools to enhance anomaly detection, cut down on false positives, and speed up response times. Just as importantly, we’ve expanded cybersecurity training to include our board and supervisory committee while continuing regular phishing simulations and fraud awareness campaigns.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
RR: Collaboration is the cornerstone of cybersecurity. It can’t live in a silo — every department has a role to play. Our VET pulls in people from across our organization, making security a shared responsibility and solving issues faster with perspectives from across the organization.
For smaller credit unions with fewer resources, my advice is to build your own mini task force, even if it’s just one person each from IT, operations, and compliance. Focus on staff and board training — it’s one of the most cost-effective defenses. Lean on peer groups and industry collaboratives to share intelligence. And, finally, prioritize ruthlessly. Not every vulnerability is critical. Use a risk-based approach and tackle the ones that really threaten your members and your institution.
How are you adapting your fraud prevention strategy in response to regulatory changes?
RR: With the sunset of the FFIEC Cybersecurity Assessment Tool, we’ve shifted to a more dynamic, risk-based approach. At Bay Federal, we now align with the CISA framework from the Cybersecurity & Infrastructure Security Agency, which maps better to today’s evolving fraud threats.
We treat NCUA exams as opportunities, not just audits. When findings come in, we use them to drive new initiatives. That has included our VET and expanded information security training for board and supervisory committee members.
On the fraud side, we’re leveraging our systems, layering in real-time tools with our payments partners and building cross-department collaboration so fraud isn’t fought in silos.
2 Distinct Strategies

Stephenie Southard has been with BCU ($6.2B, Vernon Hills, IL) for six years and has 15 years of experience in chief security officer and chief information security officer roles.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Stephenie Southard: We approach cybersecurity and fraud with distinct strategies, though both aim to prevent unauthorized access and harm. Cybersecurity focuses on threats like phishing, social engineering, and ransomware, whereas member fraud concerns digital account takeovers, identity theft, and organized schemes.
By investing in human-centered recovery, member education, and intelligence sharing, credit unions can address evolving risks. Effective solutions include AI-powered anomaly and synthetic identity detection, automated transaction monitoring and MFA, advanced identity verification, human-AI collaboration, predictive analytics, compliance, and ongoing member engagement. This comprehensive strategy improves speed, accuracy, and resiliency and maintains a member-focused approach.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
SS: Collaboration within cybersecurity has become essential for effective defense strategies. As the threat landscape grows increasingly sophisticated, attackers exploit technical, operational, and human vulnerabilities. The absence of collaboration can lead to organizational silos, resulting in communication issues, overlooked risks, and delays in incident response.
A collaborative approach offers distinct advantages. Involvement from HR, finance, legal, operations, and communications teams enhances comprehensive threat identification and enables holistic risk assessment through varied perspectives. Accelerated incident response is facilitated by shared expertise, well-defined roles, and cross-functional coordination, ensuring prompt action and continual reduction of human error. Such teamwork fosters trust, collective responsibility, and heightened awareness of security among all personnel.
Cultivating a culture of security awareness empowers employees to actively contribute to organizational resilience. Participation in threat intelligence sharing further strengthens capabilities beyond internal capacity. By adopting these practices, organizations — regardless of size or resources — can enhance their security effectiveness, minimize risk, and proactively address emerging cyber threats.
How are you adapting your fraud prevention strategy in response to regulatory changes?
SS: BCU began transitioning from the CAT [FFIEC’s Cybersecurity Assessment Tool] a few years ago after hearing initial reports of changes. Many credit unions, including us, have updated their cybersecurity strategies to maintain compliance and address evolving risks.
This shift involves moving from a compliance-based approach to a risk-informed, resilience-focused cybersecurity framework. Adaptations include adopting alternative frameworks such as NIST Cybersecurity Framework (CSF 2.0), Cybersecurity Risk Information (CRI), or CIS Critical Security Controls, which provide guidance on threat modeling, risk assessment, and mitigation, supporting the development of structured cybersecurity practices.
This evolved process at BCU includes increasing the use of risk-based assessments through routine security evaluations of systems, third-party vendors, and cloud environments; conducting service and privileged account audits to identify vulnerabilities; and performing penetration testing and third-party risk evaluations to simulate attack scenarios.
From a fraud and member data perspective, BCU has implemented additional biometric authentication, behavioral analytics, and personalized security alerts to protect member digital platforms and data. BCU continues to follow NCUA guidance, maintain vendor partnerships, seek industry feedback, and participate in intelligence sharing communities like NCU-ISAO to make sure we understand the requirements of our regulators.
AI Vs. AI Arms Race

Mark Burgess joined Credit Union 1 ($1.5B, Anchorage, AK) seven years ago as the cooperative’s CTO. He has been president and CEO for the past three years. He says he consulted with his vice president for enterprise security, Tom Siaterlis, on these answers.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Mark Burgess: The biggest evolving threat we face is AI used by attackers to create fake account documents, launch smarter phishing campaigns, and target our systems. We’re responding with AI-powered defenses like next-gen firewalls, antivirus, fraud detection, and loan origination tools. The arms race of AI versus AI will continue, so we’re investing in tech that supports scalable, automated response — things like phishing takedowns and fraud detection in loans.
Vendor cyber risk is also rising. We’re using AI to vet vendor documentation and pushing partners to meet our security standards. Sometimes that means reworking how we integrate their tech.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
MB: Cybersecurity takes everyone from infrastructure to help desk to security and risk teams sharing intel and aligning efforts. Training employees and tracking fraud trends also require coordination.
For smaller credit unions, prioritize training and simplify your security processes. Partner closely across departments and invest strategically. Your size is an advantage. Faster response and less complexity can help deter attackers, especially if you raise the cost of targeting your members.
How are you adapting your fraud prevention strategy in response to regulatory changes?
MB: The FFIEC CAT helped us get started, but it’s too generic for our risks as an Alaskan credit union. We moved to tailored cybersecurity models and built custom control evaluations using out-of-the-box tools layered with input from different teams.
Now, our strategy uses tech-specific risk platforms, tailored controls, and more precise threat assessments, giving us a stronger fraud and cybersecurity program. Frameworks like CAT are just a starting point. They need to evolve with the organization.
The 3 As: Articles, Acronyms, And Assessments

Robin Romano took the helm of MariSol Federal Credit Union ($49.4M, Phoenix, AZ) in 1999 after eight years as a principal examiner with the NCUA.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Robin Romano: Ransomware continues to concern us. We have created additional training for our management staff. We created tags for all computers that say, “pull me in case of an attack.” We created tags in our computer room for easy shutdown. Disconnection is a primary step in dealing with this type of attack.
Phishing fraud remains an issue. We have messages on our website and send emails to members that warn them against such threats.
We have seen an uptick in fraudulent account opening combined with loan applications. Perhaps AI could help with recognizing these applications, as we have found they come in groups and often use similar phone numbers and addresses.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
RR: Communication is always the key. For the past four years, we have held monthly meetings to go over all things related to IT, which include patch management, exceptions to policy, penetration testing, firewall reports, and more.
Our credit union league also has quarterly meetings for small credit unions. At the last meeting, it shared information on fraud and AI that was relevant and useful and recommended that a group from each of our league’s states create a fraud group and share information. We hope that happens.
Internally, MariSol has made it a priority to increase compliance classes on cybersecurity and fraud. We are doing more frequent training in all-staff meetings, it is a part of weekly manager meetings, and we share threats and concerns internally through staff meetings and emails.
MariSol belongs to several smaller groups, such as the Credit Union Women’s Leadership Alliance (CUWLA), that share information regarding issues with cybersecurity and fraud. We share that information with all members of the management team.
How are you adapting your fraud prevention strategy in response to regulatory changes?
RR: Honestly, it’s keeping up with all the relevant articles, acronyms, and assessments that’s hard for a small credit union.
MariSol has joined NCU-ISAO. The goal of the organization is “to advance credit union-specific cyber resilience.” To meet that lofty goal, there are a number of reports issued during the month, some daily, and a schedule of meetings for networking and information sharing.
So far, our review of its reports has led to useful information. It provides daily, monthly, and periodic email briefings on cybersecurity. There are also online calls and tabletop exercises. It’s a great way to deepen the credit union’s knowledge.
Business Strategy Integration

Jim Hunsanger is strategic enablement officer at Michigan State University Federal Credit Union ($8.2B, East Lansing, MI). He joined the world’s largest university-sponsored credit union in 2011 and has led risk management and multiple other areas over the years, most recently adding the cybersecurity department.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Jim Hunsanger: Social engineering and phishing attacks continue to pose a significant risk to both our credit union and the members we serve. These threats are evolving rapidly, with adversaries targeting not only our organization directly but also our members.
The consequences of a successful phishing campaign are real and impactful, ranging from financial losses to reputational damage. Threat actors are now leveraging artificial intelligence to craft highly convincing, targeted messages that are difficult to distinguish from legitimate communications.
In addition to being part of the problem, AI is also a critical part of the solution. Many of the advanced security controls we deploy today incorporate AI and machine learning to establish behavioral baselines and detect anomalies in real time. These technologies enable us to identify and respond to suspicious activity faster and more effectively.
Alongside advanced tools for detecting and reporting suspicious activity, the credit union places strong emphasis on regular training, testing, and communicating with employees about potential risks and appropriate responses. Well-informed employees are a vital part of our overall fraud prevention strategy.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
JH: Cybersecurity is most effective when integrated with business strategy. Modern security leadership balances risk management with enabling innovation, agility, and growth.
This requires strong relationships between security leaders and business stakeholders, built on trust, transparency, and shared accountability. When security is embedded in decision-making, it serves as a catalyst rather than a constraint.
Smaller credit unions face unique resource and staffing challenges, but their lean structures enable more direct communication and faster alignment between security and business priorities. By leveraging specialized vendors and tools aligned with their goals, these institutions can strengthen fraud prevention while maintaining operational efficiency.
How are you adapting your fraud prevention strategy in response to regulatory changes?
JH: Our fraud prevention strategy continues to work toward a holistic approach to monitoring, mitigation, and controls. This includes using data and analyzing activity not just related to transactions, but also access, identity, and authorization. Using this approach brings more precise alerting and quicker handling times.
We continue to evaluate the fraud experience, digesting and responding to existing and known threats, while also partnering with peers and vendor partners to understand other threats. Protecting our members’ funds is of utmost importance. We also aim to educate and equip our members to safeguard not only their finances but also their identities and other personal information.
Interviews have been edited and condensed.
Don’t Stop Here. Read “Cybersecurity Is Under Fire And Credit Unions Are Fighting Back (Part 2)” to hear from Royal Credit Union, Seattle Credit Union, Shoreline Hometown Credit Union, Sunward FCU, Teachers FCU, and UVA Community Credit Union.