Fraud is on the rise. In 2023, 80% of organizations reported being targets of payments fraud activity, up from 65% in 2022, according to the 2024 AFP Payments Fraud and Control Survey Report.

Learn more about the cybersecurity landscape and how Community Development Financial Institutions (CDFIs) can safeguard against fraud with training and other centralized efforts. 


What makes CDFIs vulnerable to fraud

CDFIs can be susceptible to fraud for many reasons. While they share vulnerabilities with other businesses and financial institutions, CDFIs’ mission-driven focus and community-oriented goals can amplify certain risk factors.

  • Volume: Like all financial institutions, CDFIs possess a significant amount of capital, assets and data, naturally making them targets for bad actors. According to the Federal Reserve’s 2023 CDFI Survey, 3 out of 4 CDFIs reported increased demand for their products. A similar share of CDFIs anticipates that this growth will continue. “As there’s more lending and more payments, just by percentage, there are going to be more fraud attempts,” said Sam Collis, Global Cybersecurity and Technology Controls Attack Simulation, JPMorganChase.
  • Service-oriented culture: CDFIs are focused on helping their communities. Like other financial institutions, CDFIs’ eagerness to help can make them vulnerable to social engineering attacks, such as business email compromise and phishing, smishing and vishing, that involve impersonating clients or vendors. Fraudsters can quickly translate those social engineering efforts into credential harvesting, leading to widespread issues.
  • Risk-reward balance: As mission-based organizations, CDFIs should promote the work they’re doing. But these financial institutions should be mindful of how such publicity could expose them to fraud. “Sharing good work also has risks associated with it,” said Michael Rhodes, Executive Director, Community Development Banking Intermediaries Lending, JPMorganChase. For instance, a CDFI’s marketing team may want to send a press release or post to social media about a recently funded community project. Although these announcements can successfully promote the CDFI’s work, they can also make the organization more vulnerable. “The CDFI needs to balance its desire to advertise good news with publicizing a major transaction and potentially making the organization a target for bad actors,” Rhodes said.
  • Size: CDFIs range in size, from smaller institutions to major financial players with millions of dollars in assets. Both large and small CDFIs have vulnerabilities. The level of technical maturity and investment in cybersecurity varies among different organizations. Smaller CDFIs may have limited resources—translating to fewer staff members and limited budget for technology and training. Meanwhile, larger organizations—those with annual revenue of at least $1 billion—are more susceptible to payments fraud attacks than are smaller ones: 83% compared to 74%, according to the 2024 AFP Payments Fraud and Control Survey Report.

How CDFIs can safeguard against fraud

CDFIs should take fraud-protection measures, including:

  • Practice cyber hygiene: Cyber hygiene refers to the practices and procedures organizations use to maintain the security of data, networks and systems. To mitigate cyberattacks, CDFIs and other organizations should ensure segregation of duties, limit and control account access, document procedures and use multifactor authentication, among other measures. 
  • Maintain up-to-date systems: CDFIs should apply all software updates as soon as they are available “because cyber criminals are actively seeking to exploit known vulnerabilities within systems,” Collis said. He cited recent cyberattacks on casinos and healthcare systems. “Those successful attacks involved social engineering that turned into credential harvesting, and then the attackers were able to utilize other weaknesses in the environment.”
  • Invest in comprehensive, ongoing employee training: Cybersecurity and fraud education and training are paramount for CDFIs. Training should cover how employees can spot suspicious emails, plus potential check fraud and wire fraud. “Having training on strong procedures, and then executing those procedures every time, can help CDFIs identify and prevent fraud,” Rhodes said. CDFI trainings should also detail robust callback procedures. “That extra step of making a simple call to confirm payment amounts and recipients is some of the best defense,” he said.
  • Engage JPMorganChase treasury services: Our treasury services team can conduct a fraud analysis to identify what security and controls CDFIs may be missing and find solutions, whether that’s installing new software or homing in on any vulnerabilities during training sessions.

The bottom line: By identifying vulnerabilities, implementing robust cybersecurity measures, and participating in ongoing, comprehensive training, CDFIs can safeguard against fraud.

JPMorgan Chase Bank, N.A. Member FDIC. Visit jpmorgan.com/cb-disclaimer for disclosures and disclaimers related to this content.

The information is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The information provided is intended to help you protect yourself from cyber fraud. It does not provide a comprehensive list of all types of cyber fraud activities and it does not identify all types of cybersecurity best practices. You or your organization are responsible for determining how to best protect against cyber fraud activities and for selecting the cybersecurity best practices that are most appropriate to your needs.


ABOUT THIS MESSAGE: J.P. Morgan, Chase and JPMorgan Chase are marketing names for certain businesses of JPMorgan Chase & Co. and its subsidiaries worldwide. In no event shall J.P. Morgan nor any of its directors, officers, employees or agents be liable for any use of, for any decision made or action taken in reliance upon, or for any inaccuracies or errors in or omissions from, the information herein. © 2023 JPMorgan Chase & Co. All rights reserved.