The same AI tools boosting our productivity are also helping bad actors. This has escalated the cat-and-mouse game between us and them. To stay ahead, we’ve created a dedicated AI role to ensure member protection remains central as AI evolves.
Cybersecurity threats are growing sharper, faster, and more sophisticated. From AI-powered phishing to deepfake scams, credit unions are facing an arms race where every vulnerability matters.
To stay ahead, cooperatives are combining smarter tools, layered defenses, and cross-functional collaboration. Across the industry, smaller and larger institutions alike are rethinking traditional strategies, embracing AI as both a risk and a solution, and transforming cybersecurity from a technical requirement into a core part of organizational resilience.
Leaders from 11 credit unions talk about tackling today’s top cybersecurity and fraud threats, what cross-functional strategies help them scale security, and how they’re adapting to changing regulations like the end of the FFIEC Cybersecurity Assessment Tool (CAT).
Enjoy reading all of the insights across this two-part series, or click to skip to insights from: Bay Federal, BCU, Credit Union 1, MariSol FCU, MSUFCU, Royal Credit Union, Seattle Credit Union, Shoreline Hometown Credit Union, Sunward FCU, Teachers FCU, and UVA Community Credit Union.
Defense In Depth
Carmen Waugh is the information security officer at Royal Credit Union ($5.6B, Eau Claire, WI). She joined the cooperative just more than three years ago and has been leading information security programs for more than 25 years.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Carmen Waugh: The most pressing cybersecurity threat is persistent social engineering that might lead to business email compromise, account takeovers, and third-party compromises. Bad actors’ efforts have now amplified with the use of generative AI to craft highly convincing attacks including the use of deepfakes that make phishing harder to detect.
To address these threats, our information security program requires a defense-in-depth approach including hardening email fraud defenses, enforcing strong authentication methods, continuous monitoring utilizing risk-scoring and analytics to identify abnormal activity, and education and awareness for both team members and members through our cybersecurity champions group.
AI is part of both a problem and the solution. We apply AI-assisted detection to these threats to accelerate identification, investigation, and containment.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
CW: Cybersecurity is a business risk that requires our teams — information security, fraud, information technology, risk, compliance — to collaborate and align with our organization’s risk appetite while supporting our business goals. Embedding these functions in business processes enables better risk management and more efficient execution.
This collaboration is key to our cybersecurity readiness and resilience to ensure that we can adapt quickly, maintain operational integrity, and safeguard member trust even in the face of evolving threats.
For smaller credit unions, my advice is to focus on mastering the basics. Concentrate on controls that mitigate the biggest risk for your organization. Use the NCUA’s Automated Cybersecurity Evaluation Toolbox (ACET) to baseline maturity, identify gaps, and plan improvements. Lean on trusted partners to extend your team and overall coverage. Join information-sharing communities, and designate champions across your organization to help promote a strong cybersecurity culture.
How are you adapting your fraud prevention strategy in response to regulatory changes?
CW: We’re aligning our program to NIST CSF 2.0 and continuing to use the NCUA’s ACET, which keeps our assessments actionable, refreshing our maturity targets and updating our internal KRIs and KPIs.
In parallel we remain aligned to the NCUA’s Information Security Examination (ISE) procedures and 2025 Supervisory Priorities, with special attention to the 72-hour cyber-incident reporting rule.
Everyone Has A Seat At The Security Table
Dave Means joined Seattle Credit Union ($1.1B, Seattle, WA) in April 2022 as the credit union’s chief information officer and has more than a decade of experience in senior information and security roles with financial institutions.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
DM: Phishing is the most pressing cybersecurity threat our credit union is facing. We rigorously train our employees from their first day of employment on how to spot phishing attempts, and we have monthly phishing campaigns to test and train our employees. We have invested in a platform that allows our own network security engineers to create different phishing testing campaigns.
We take a layered security approach, and our first line of defense is our staff and how they handle messages. We have an AI-powered security operations center that is 24x7x365 monitoring our entire environment. We have tools for detecting ransomware attempts and tools to prevent malware from impacting our systems.
We also have data immutability (nobody can tamper with your backups) in place to help prevent bad actors from accessing our backups in case we need to restore our data after a cyber-attack.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
DM: Security is everyone’s responsibility. We collaborate with all business lines at the credit union to ensure that business needs are met while security is maintained and prioritized. Smaller credit unions should take a similar approach in their communication and make sure everyone has a seat at the security table. It is every employee’s responsibility to operate the credit union in a safe and sound manner.
How are you adapting your fraud prevention strategy in response to regulatory changes?
DM: ACET is a new tool built on FFIEC and NIST principles for self-assessment and examination. ACET is actively supported and updated by the NCUA to align with modern standards like NIST CSF 2.0. As the CAT tool is being sunsetted, we are adopting ACET at our credit union moving forward to ensure that we continue to safely and soundly manage the credit union.
Credential Management Risk Is Real
Nathan Grossenbach has been president and CEO at Shoreline Hometown Credit Union ($141.3M, Manitowoc, WI) since 2017. He joined the Wisconsin shop as accounting manager in 2013.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Nathan Grossenbach: Our top concern remains member behavior. We’ve intercepted hundreds of thousands in fraud tied to scams involving “celebrities,” “imprisoned relatives,” or “friends needing help.”
Phishing targeting staff also remains prevalent. Many attempts are still easy to spot, but with employees juggling 25-plus logins, credential management is a real risk — especially with widespread browser-based password storage.
We’ve implemented KeePass (free, open-source software) for secure, MFA-protected credential storage. On the email side, we upgraded to Microsoft Purview for stronger encryption and content filtering and are exploring OCR-based DLP to flag sensitive info in scanned images.
We also moved to Microsoft E5 licensing, adding advanced analytics, protection, and risk control capabilities for about $10 more per user monthly.
Social engineering testing happens monthly via automated tools that also provide reporting and training. We’ve expanded testing to include chat, inbound calls, and social media scenarios.
We’re also more selective with vendors, ensuring they’re based in trusted countries. Since many users reuse passwords, we assume any breach could create cross-platform exposure.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
NG: We outsource perimeter protection, but we still manually test tools to ensure they work. During an MSP [managed services provider] transition, we found some DLP policies weren’t triggering correctly. For example, emails with account numbers should’ve flagged our lexicon but didn’t, and that underscored the need for internal validation.
We promote app-based MFA over SMS/email for better security.
Cross-team coordination is essential. One recent fraud attempt involved a member reaching out via social media, front line, and accounting. Each interaction seemed benign on its own but collectively revealed a breach attempt. It wasn’t actually our member. We stopped the fraud in time, but it led us to:
- Implement code-based phone authentication.
- Invest in a stronger CRM for better communications tracking.
- Deepen engagement with local authorities, fraud networks, and Verafin.
How are you adapting your fraud prevention strategy in response to regulatory changes?
NG: As a small credit union, we did the FFIEC CAT but I don’t know that it had a ton of value to our organization. The tool was simple enough to complete, but it did not really provide guidance or tools to improve.
We have instead engaged with third-party auditors that perform a wide range of IT assessments for us every 12 to 18 months. It is costly, but they have driven far more value to the organization than a self-assessment would.
A Game Of Cat And Mouse
Zachary Hill is senior vice president of technology at Sunward Federal Credit Union ($4.3M, Albuquerque, NM). He joined the Land of Enchantment cooperative in 2023.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Zachary Hill: A large portion of our membership is not well equipped to navigate the pressures of social engineering and modern cybersecurity attacks. This means we must constantly adapt our cybersecurity practices to maintain the delicate balance of member experience, training, fraud analysis, and cybersecurity.
What’s become increasingly apparent is that AI has increased the rate at which our members are targeted by bad actors. The very same AI tools we use today to increase our own productivity are also used by bad actors to gain a similar edge.
The same AI tools boosting our productivity are also helping bad actors. This has escalated the cat-and-mouse game between us and them. To stay ahead, we’ve created a dedicated AI role to ensure member protection remains central as AI evolves.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
ZH: Cross-functional teams and collaboration make up the foundation of our cybersecurity strategy. Cybersecurity can no longer be a checkbox, a tool you plug in to your technology, or a siloed team.
We’ve adopted something known as “DevSecOps,” a new cybersecurity framework for our credit union. It places cybersecurity at the center of everything we do. Whether it’s onboarding a new product or building out a new process, we make sure that cybersecurity has a seat at the table, first and foremost.
From there, DevSecOps involves leveraging processes and tools to implement our cybersecurity policy within the technology itself, effectively creating a safety net. Our teams can then be sure that no matter what gets created, our platforms are managing the risks automatically by blocking poor cybersecurity practices.
My advice to smaller credit unions is to find good partners — those who offer insights and ideas — while also implementing and managing tools. Then, it’s about getting good at the simple things like patching, vulnerability management, asset management, and vendor due diligence. Don’t be afraid to embrace small but mighty teams that will adopt modern toolsets.
How are you adapting your fraud prevention strategy in response to regulatory changes?
ZH: Over the past two years, we’ve adopted the NIST Cybersecurity Framework and its coinciding Maturity Assessment to better understand how we compare to fraud and cybersecurity industry standards.
We’ve also adopted a new enterprise risk management framework to empower and educate employees against the variety of risks that exist internally and externally — transactional, people, processing, and cybersecurity. Lastly, we use more modern approaches with things like threat modeling, purple teams, and Continuous Integration/Continuous Deployment (CI/CD) pipelines within cybersecurity.
The results speak for themselves: We’ve hit high marks in our examination, audits, and cybersecurity KPIs, and we’ve transformed into a proactive team that can identify and squash risks quickly.
Tech To Catch What Humans Miss
Suresh Renganathan has been chief technology officer at Teachers Federal Credit Union ($9.9B, Hauppauge, NY) since February 2020. His role encompasses enterprise IT, cybersecurity, digital, and enterprise program management.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Suresh Renganathan: We face threats on two fronts — cybersecurity and fraud — which are increasingly interconnected.
Our layered defense addresses both areas:
- Cybersecurity: We follow a Zero Trust model with continuous re-authentication, AI-driven behavioral analytics to flag unusual logins, and automated systems that disable suspicious accounts and isolate devices. A 24/7 security operations center monitors threats in real time.
- Fraud Prevention: We use real-time transaction monitoring, biometric MFA, cross-reference fraud consortium data, require dual approvals for large wires, and out-of-band verification for vendor changes.
- Human Element: Ongoing phishing simulations and training help staff and members recognize AI-enhanced scams and avoid relying solely on voice or video for verification.
The key is combining AI-driven detection with a trained workforce and shared intelligence — tech catches what humans miss, and vice versa.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
SR: At Teachers Federal Credit Union, cybersecurity is a team effort. Our Information Security Steering Committee brings together leaders from IT, risk, operations, compliance, and other departments, ensuring security is baked into every decision and every member interaction.
For smaller credit unions, I recommend:
- Build A Security-First Culture — Regular training reduces human error, often the weakest link.
- Leverage Partnerships — Credit union leagues, CUSOs, and managed security firms can deliver enterprise-grade tools for less cost than you can on your own.
- Focus On Fundamentals — Start with MFA, patch automation, and phishing detection. Use risk assessments to prioritize. Don’t try to fix everything at once.
How are you adapting your fraud prevention strategy in response to regulatory changes?
SR: The evolving regulatory landscape is an opportunity to strengthen our program. We’re aligning with the NCUA’s 2025 Supervisory Priorities and NIST Cybersecurity Framework 2.0.
Key areas include:
- Meeting the 72-hour incident reporting requirement.
- Enhancing third-party risk management, especially with vendor breaches on the rise.
We’ve implemented automated systems for real-time compliance monitoring, providing live data instead of static reports. This gives examiners up-to-date insights and shows continuous alignment with regulatory expectations. We also run regular tabletop exercises to test and refine our incident response.
The goal is clear: stay ahead of regulatory expectations as well as evolving threats while building true resilience – not just checking compliance boxes.
Advanced Technology + Heightened Awareness
Kevin Bivens joined UVA Community Credit Union ($1.6B, Charlottesville, VA) in August 2021 and is the cooperative’s vice president for information security. He was assisted in these answers by Chris Nelson, who joined UVACCU as its vice president for fraud prevention earlier this year.
What’s the most pressing cybersecurity or fraud threat your credit union is facing? How are you addressing it?
Kevin Bivens: Social engineering, particularly phishing and vishing scams, which threaten both our members and the organization with significant potential losses. Addressing this challenge requires balancing proactive defenses with strong awareness, both internally and externally. Our cybersecurity strategy uses a layered approach, combining email, network, and endpoint protections to create multiple barriers against attacks.
On the fraud front, we are investing in AI- and machine-learning tools that analyze transaction patterns in real time, identifying anomalies far more quickly than traditional rules-based systems. Yet we recognize that technology alone is not enough. That’s why we pair these innovations with continuous education campaigns for members and employees.
Ultimately, our strategy is about balance: advanced technology plus heightened awareness. By integrating the two, we’re not just reacting to fraudsters, we’re staying ahead of them.
What role do collaboration and cross-functional teams play in your approach to cybersecurity? How can smaller credit unions navigate these challenges with limited resources?
KB: Collaboration and cross-functional teamwork is critical to our cybersecurity and fraud prevention strategies. By bringing together IT, fraud prevention, compliance, front-line staff, and operations, we identify risks early and address them in a coordinated way. With limited resources, collaboration becomes our greatest advantage. Speed and alignment often matter more than scale. For smaller credit unions, I’d recommend focusing on the following:
- Leverage partnerships with CUSOs and industry groups to extend expertise and awareness of malicious trends and tactics of bad actors to better protect the organization and its membership.
- Educate your membership on cybersecurity risks, fraud tactics, and prevention.
- Make cybersecurity part of your culture so every employee feels responsible for protecting members. This includes recognizing associates for identifying, preventing, and reporting potential threats.
How are you adapting your fraud prevention strategy in response to regulatory changes?
KB: With the sunset of the FFIEC Cybersecurity Assessment Tool, we’ve shifted to a more risk-based, dynamic approach. We’re aligning with the Center for Internet Security (CIS) Critical Security Controls framework, enhancing continuous monitoring with analytics, and strengthening governance so our fraud controls map directly to regulatory expectations. Our periodic exams and risk assessments are treated as learning experiences to help us stay proactive and resilient rather than just compliant.
Interviews have been edited and condensed.
Don’t Stop Here. Read “Cybersecurity Is Under Fire And Credit Unions Are Fighting Back (Part 1)” to hear from Bay Federal, BCU, Credit Union 1, MariSol FCU, and MSUFCU.