NCUA data reveals substantial variation in member financial stress across states, a dimension of cyber risk that most frameworks ignore entirely.
Cybersecurity frameworks tend to treat threats as location-agnostic. In a narrow sense, they’re right: an attacker operating from Eastern Europe uses the same phishing techniques whether targeting a credit union in Wilmington or one in Manchester, and the credential harvesting page looks identical regardless of who lands on it. But the consequences of those attacks vary dramatically based on where your members live and what economic pressures they face. This dimension of risk rarely appears in vendor assessments or board presentations, yet NCUA data suggests it may be among the most important variables credit union leaders should understand.
The 3.6x gap
Credit unions serve geographically defined populations, which means their risk exposure is inseparable from the economic health of specific communities. When you map NCUA delinquency data by state, the variation is striking.
At the end of Q3 2025, the median delinquency rate for federally insured credit unions in Delaware stood at 134 basis points, while in New Hampshire and Rhode Island that figure was 37 basis points. The gap between the highest and lowest states isn’t marginal; it represents a 3.6x difference in the financial stress experienced by member populations across otherwise similar institutions.
These regional clusters persist across quarters and aren’t hard to trace. The Southeast consistently shows elevated stress, with Mississippi reaching 141 basis points in Q4 2024 and Louisiana at 127, while New England and parts of the Mountain West remain comparatively stable. These figures aren’t merely credit quality metrics for internal reporting; they’re maps of member vulnerability that have direct implications for how fraud campaigns perform against different populations.
Financial fragility and fraud susceptibility
Research from the FINRA Investor Education Foundation, which tracks financial capability across U.S. households, examined what makes individuals more susceptible to fraud in a February 2025 study. The research focused on adults classified as “financially fragile,” those who would struggle to cover a $2,000 emergency expense, and found they experienced more incidents of fraud victimization than those with financial cushion. The researchers noted that these individuals “might have unmet needs for financial security and be drawn to schemes that promise rewarding financial opportunities.”
Members in high-delinquency states are, by definition, experiencing elevated financial stress, which makes them more likely to respond to messages promising debt relief, emergency assistance, or account protection. Sophisticated phishing operations deploy lures that resonate with particular force among populations already under pressure: fake hardship programs, fraudulent loan pre-approvals, impersonation of the credit union’s own member services. An attacker doesn’t need to know individual member circumstances. The delinquency rate tells them everything they need about the population they’re targeting.
The stimulus hangover
State-level variation tells part of the story. The national trajectory tells the rest, revealing an environment that has shifted more than many risk frameworks account for.
The median delinquency rate across all federally insured credit unions reached 67 basis points in Q3 2025, a figure that requires historical context to interpret properly. In 2021, at the height of federal stimulus programs, national median delinquency fell to 38 basis points, a historic low that represented temporary suppression of financial stress rather than any fundamental improvement in member circumstances. As those programs wound down, delinquency climbed steadily through 47 basis points in 2022, 61 in 2023, and 69 by the end of 2024. Credit unions are now operating with member financial stress at or above pre-pandemic levels, but the fraud capabilities targeting those members have advanced considerably since 2019.
The phishing infrastructure of six years ago looked nothing like today’s operations. Basic typosquatting, obvious template emails, and domains that security tools could easily flag have been replaced by AI-generated lures, trusted platform abuse, and attack campaigns that cycle through infrastructure faster than blocklists can update. Many institutions built or refined their current risk frameworks during the stimulus-era trough, which means those frameworks assumed a baseline of member financial health that no longer exists.
Compounding pressures
Geography doesn’t just increase exposure; it compounds it. Delaware illustrates this convergence with uncomfortable clarity. The state’s credit unions show the nation’s highest median delinquency at 134 basis points while also experiencing asset declines of 2.0% in Q4 2024, the worst performance nationally. New Jersey shows a similar pattern, pairing elevated delinquency with shrinking balance sheets.
The result: institutions serving the most vulnerable members have the least margin to absorb incident costs, whether direct fraud losses, account takeover remediation, or the operational disruption that follows a successful brand impersonation campaign. The revenue impact of fraud, which Aberdeen Strategy & Research has documented at 2.7% to 11% for affected financial institutions, hits considerably harder when margins are already thin.
The number of federally insured credit unions declined from 4,499 in Q3 2024 to 4,331 in Q3 2025, a loss of 168 institutions in twelve months, continuing a long-running trend. A cyber incident that might have been absorbable five years ago could now accelerate discussions about merger or consolidation for institutions already operating at the edge of their capacity.
What this means for risk assessment
Standard cybersecurity frameworks don’t typically ask credit unions to weight their risk exposure by member geography or economic indicators. Vendor assessments evaluate technical controls rather than the financial stress profiles of the populations those controls protect, and board reporting focuses on incident counts and response times rather than the intersection of member vulnerability and institutional margin.
The data suggests these factors matter more than most frameworks acknowledge. A credit union serving members in a high-delinquency market faces a categorically different risk profile than one serving a financially stable population, even when their technical controls are identical. The same phishing campaign will produce different conversion rates, different loss amounts, and different downstream effects depending on where it lands.
This isn’t an argument for abandoning existing frameworks but for adding a dimension that most of them miss. Questions worth integrating into risk discussions include the delinquency trend in your field of membership geography, how current margins compare to five years ago, and how a fraud-related revenue impact in the range Aberdeen documented would affect operations today versus during the stimulus-era trough. Phishing infrastructure remains location-agnostic. The populations it reaches, and the institutions that serve them, are not.
Key Takeaways
NCUA data shows a 3.6x gap in median delinquency rates across states. Delaware leads at 134 basis points while New Hampshire and Rhode Island sit at 37 basis points. The Southeast consistently shows elevated stress.
FINRA research found that financially fragile individuals experience more fraud victimization. Members struggling to cover emergencies are more likely to respond to lures promising debt relief, hardship assistance, or account protection.
National median delinquency has returned to pre-pandemic levels after an artificial stimulus-era trough. Credit unions built risk frameworks during historically low member stress, but fraud capabilities have advanced dramatically since 2019.
High-delinquency states like Delaware also show asset declines, meaning institutions face more vulnerable members and thinner margins simultaneously. Fraud impacts documented at 2.7-11% of revenue hit harder for institutions already under pressure.
