A loan officer sees a LinkedIn invitation waiting in her inbox. The name looks somewhat familiar, and the loan officer, assuming its someone she met at a conference, clicks "accept."

Only it wasn't a real LinkedIn invitation.

It was a spear phishing email that loaded malware onto the loan officer's computer. Within another day, the employee's credentials had been compromised. She never reported it to the information technology (IT) department because she never knew what happened.

Cyber criminals often set their sights on credit unions' weakest security link-employees. Fortunately, credit unions have many options to address this issue.

Tom Kuang, vice president of technology/chief technology officer at $1.8 billion asset Schools Financial Credit Union in Sacramento, Calif., says these breaches follow a simple pattern. Criminals identify a target, peruse LinkedIn accounts for familiar names, and make slight changes.

The idea is to create a fake profile that seems legitimate enough to overcome an employee's doubt when they cannot recall exactly who this person is and how they know them.

"You can protect your credit union as best you can. You can install the best security, Kuang says. But any employee can still click on a link and download malware unintentionally."

A common and far-reaching scam

This kind of scam is common and far-reaching. The Radicati Group, a technology research firm, estimates that employees receive more than 120 emails per day on average. And in its most recent Internet Security Threat Report, Symantec states that one of every 131 emails is malicious. That means an employee screens multiple malicious emails every week.

Despite financial institutions' security controls, Symantec estimates industry losses topped $3 billion in the past three years due to these attacks.

Bonnie Ortiz, executive vice president for professional services at $156.2 million asset The Partnership Federal Credit Union in Arlington, Va., pays close attention to security trends and research. Despite evolving threats, new criminal tactics, and emerging technologies, one thing about credit union security has held constant over the course of her career.

"The single weakest link is your human capital," she says.

That's because people make thousands of decisions and take thousands of actions each year in the course of...