{
	"id": "fbc74cdc-ab21-4087-a9ed-07fbd95f87f6",
	"created_at": "2026-04-06T00:10:39.822923Z",
	"updated_at": "2026-04-10T03:21:47.489659Z",
	"deleted_at": null,
	"sha1_hash": "fc888f3316eca44a2796deafded60987c1d662fb",
	"title": "Phishers Target Anti-Money Laundering Officers at U.S. Credit Unions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89245,
	"plain_text": "Phishers Target Anti-Money Laundering Officers at U.S. Credit\r\nUnions\r\nPublished: 2019-02-10 · Archived: 2026-04-05 18:49:20 UTC\r\nA highly targeted, malware-laced phishing campaign landed in the inboxes of multiple credit unions last week.\r\nThe missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at\r\ncredit unions, and many credit union sources say they suspect the non-public data may have been somehow\r\nobtained from the National Credit Union Administration (NCUA), an independent federal agency that insures\r\ndeposits at federally insured credit unions.\r\nThe USA Patriot Act, passed in the wake of the terror attacks of Sept 11, 2001, requires all financial institutions to\r\nappoint at least two Bank Secrecy Act (BSA) contacts responsible for reporting suspicious financial transactions\r\nthat may be associated with money laundering. U.S. credit unions are required to register these BSA officers with\r\nthe NCUA.\r\nOn the morning of Wednesday, Jan. 30, BSA officers at credit unions across the nation began receiving emails\r\nspoofed to make it look like they were sent by BSA officers at other credit unions.\r\nThe missives addressed each contact by name, claimed that a suspicious transfer from one of the recipient credit\r\nunion’s customers was put on hold for suspected money laundering, and encouraged recipients to open an attached\r\nPDF to review the suspect transaction. The PDF itself comes back clean via a scan at Virustotal.com, but the body\r\nof the PDF includes a link to a malicious site.\r\nhttps://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/\r\nPage 1 of 3\n\nOne of the many variations on the malware-laced targeted phishing email sent to dozens of credit unions across\r\nthe nation last week.\r\nThe phishing emails contained grammatical errors and were sent from email addresses not tied to the purported\r\nsending credit union. It is not clear if any of the BSA officers who received the messages actually clicked on the\r\nattachment, although one credit union source reported speaking with a colleague who feared a BSA contact at their\r\ninstitution may have fallen for the ruse.\r\nOne source at an association that works with multiple credit unions who spoke with KrebsOnSecurity on\r\ncondition of anonymity said many credit unions are having trouble imagining another source for the recipient list\r\nother than the NCUA.\r\n“I tried to think of any public ways that the scammers might have received a list of BSA officers, but sites like\r\nLinkedIn require contact through the site itself,” the source said. “CUNA [the Credit Union National Association]\r\nhas BSA certification schools, but they certify state examiners and trade association staff (like me), so non-credit\r\nunion employees that utilize the school should have received these emails if the list came from them. As far as we\r\nknow, only credit union BSA officers have received the emails. I haven’t seen anyone who received the email say\r\nthey were not a BSA officer yet.”\r\n“Wonder where they got the list of BSA contacts at all of our credit unions,” said another credit union source.\r\n“They sent it to our BSA officer, and [omitted] said they sent it to her BSA officers.” A BSA officer at a different\r\ncredit union said their IT department had traced the source of the message they received back to Ukraine.\r\nThe NCUA has not responded to multiple requests for comment since Monday. The agency’s instructions for\r\nmandatory BSA reporting (PDF) state that the NCUA will not release BSA contact information to the public.\r\nOfficials with CUNA also did not respond to requests for comment.\r\nA notice posted by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) said the\r\nbureau was aware of the phishing campaign, and was urging financial institutions to disregard the missives.\r\nUpdate, 11:13 a.m. ET: Multiple sources have now confirmed this spam campaign also was sent to BSA contacts\r\nat financial institutions other than credit unions, suggesting perhaps another, more inclusive, entity that deals with\r\nfinancial institutions may have leaked the BSA contact data.\r\nUpdate, 5:26 p.m. ET: The NCUA responded and released the following statement:\r\nUpon learning of the recent spear phishing campaign targeting Bank Secrecy Act officers at credit\r\nunions, the NCUA conducted a comprehensive review of its security logs and alerts. This review is\r\ncompleted, and it did not find any indication that information was compromised.\r\nThe most recent information available indicates the campaign extends beyond credit unions to other\r\nparts of the financial sector.\r\nThe NCUA encourages all credit union staff to be wary of suspicious emails, and credit unions may\r\nreport suspicious activity to the agency. Additional information about phishing and other information\r\nsecurity concerns is available on the agency’s Cybersecurity Resources webpage.\r\nhttps://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/\r\nPage 2 of 3\n\nAlso, the Treasury Department responded to requests for information about this event, stating:\r\nFinCEN is aware of the phishing attempts and we’re examining the circumstances. There is no\r\nindication that any FinCEN systems were compromised.\r\nHere is some information on 314(b) from our website\r\nNote that the 314(b) system is designed so that individual compliance officers (registered with FinCEN)\r\ncan find and directly contact each other. It provides no access to any type of broad financial database.\r\nOriginal story: The latest scam comes amid a significant rise in successful phishing attacks, according to a non-public alert sent in late January by the U.S. Secret Service to financial institutions nationwide. “The Secret\r\nService is observing a noticeable increase in successful large-scale phishing attacks targeting unsuspecting victims\r\nacross industry,” the alert warns.\r\nThe Secret Service alert reminds readers that we in the United States are entering tax season, which typically\r\nbrings a large spike in scams designed to siphon personal and financial data. It also includes some helpful\r\nreminders, including:\r\n-Never click on links embedded in emails or open any attachments from unknown or suspect fraudulent email\r\naccounts.\r\n-Always independently verify any requested information originates from a legitimate source.\r\n-Visit Web sites by entering the domain name yourself (for sensitive sites, preferably by using a bookmark you\r\ncreated previously).\r\n-If you are contacted via phone, hang up, look up the number for the institution at that institution’s Web site, and\r\ncall back. Do not give out information in an unsolicited phone call.\r\nSource: https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/\r\nhttps://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2019/02/phishers-target-anti-money-laundering-officers-at-u-s-credit-unions/"
	],
	"report_names": [
		"phishers-target-anti-money-laundering-officers-at-u-s-credit-unions"
	],
	"threat_actors": [],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc888f3316eca44a2796deafded60987c1d662fb.pdf",
		"text": "https://archive.orkl.eu/fc888f3316eca44a2796deafded60987c1d662fb.txt",
		"img": "https://archive.orkl.eu/fc888f3316eca44a2796deafded60987c1d662fb.jpg"
	}
}