Current Threat Intelligence
Active threat patterns targeting CFIs, SLTT organizations, and Non-Profits in 2025–2026.
Email Authentication Exploitation — CFI Sector
Analysis of phishing campaigns targeting credit unions and community banks in 2025–2026 confirms that the majority exploit weak or missing DMARC enforcement. Campaigns spoofing CFI domains to request member credential verification have increased significantly, with attackers specifically targeting institutions with DMARC policies of "none" — where spoofed email is delivered without restriction.
Recommended control: DMARC p=reject at pct=100. Institutions running p=quarantine at a partial pct remain exposed for the percentage of mail that falls outside the policy's coverage.
Government Impersonation — SLTT Sector
Phishing and social engineering threats against state and local government accounted for approximately 90% of successful breaches in 2024, per MS-ISAC NCSR data. The attack pattern has shifted from external infrastructure compromise toward impersonation of legitimate government communications — particularly payment instructions, grant notifications, and public alerts.
Recommended control: CISA BOD 18-01 full compliance. DMARC at p=reject closes the primary delivery vector for these campaigns.
BEC Against Non-Profits — NPO Sector
Business Email Compromise losses reported to the FBI totaled $2.95 billion in 2023 and $2.77 billion in 2024, with non-profits increasingly targeted due to their donor relationship infrastructure and typically weaker email authentication posture. AI-generated phishing content has made impersonation campaigns significantly more convincing — reducing the effectiveness of user training as a primary defense.
Recommended control: Email authentication enforcement (SPF -all, DMARC p=reject) combined with DKIM selector verification.
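The controls recommended in the three sections above (DMARC p=reject at pct=100, SPF -all) can be checked mechanically. The following is an added example, not VouchCore code: it grades DMARC and SPF TXT records passed in as strings, and its function names and example.org records are constructed for illustration.

```python
# Added example: grade DMARC and SPF TXT records against p=reject, pct=100, -all.
# Function names and sample records are constructed; no DNS lookups are made.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record):
    """Return the gaps versus p=reject at pct=100; an empty list means enforced."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    pct = tags.get("pct", "100")  # pct defaults to 100 when the tag is absent
    if not pct.isdigit():
        findings.append(f"pct={pct}: not a number")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if "sp" in tags and tags["sp"].lower() != "reject":  # explicit subdomain policy
        findings.append(f"sp={tags['sp']}: subdomains are held to a weaker policy")
    return findings

def spf_findings(record):
    """Return the gaps versus an SPF record that ends in a hard-fail -all."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["no valid SPF record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["no 'all' mechanism (a redirect= target is not followed here)"]
    return [] if alls[0] == "-all" else [f"{alls[0]}: unauthorised senders are not hard-failed"]

if __name__ == "__main__":
    samples = {  # constructed records
        "enforced": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.org",
        "partial": "v=DMARC1; p=quarantine; pct=50",
        "monitor": "v=DMARC1; p=none",
    }
    for name, rec in samples.items():
        print(name, dmarc_findings(rec) or "OK")
    print("spf", spf_findings("v=spf1 include:_spf.example.org ~all"))
```

Feed it the TXT values published at _dmarc.<domain> and at the domain apex; any non-empty result is a gap against the recommended controls.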
Lookalike Domain Activity — All Sectors
Certificate transparency log analysis continues to show active registration of lookalike domains targeting all four institution categories VouchCore serves. Common patterns include character transposition (firstbank → firtbank), TLD substitution (.org → .com, .gov → .gov.co), and subdomain spoofing (login.yourcu.org styled as yourcu-login.com).
VouchCore's Brand Defense module monitors these patterns continuously for enrolled nodes.
Staying Current
This briefing is updated quarterly. For sector-specific threat intelligence relevant to your organization, request an Institutional Briefing — we'll review the active threat patterns targeting your specific domain surface and organizational profile.