Our fourth annual credit union threat brief is out. The headline finding, that attackers reached one in three federally insured credit unions in 2025, may be less important than what’s happening underneath it.
This spring, our research team published SPOOF ’26: Annual Credit Union Brief, the fourth annual edition of our credit union threat report. The report tracks brand impersonation activity against federally insured credit unions using a full year of detection data, and this year it layers that data against NCUA quarterly reports, the FBI’s IC3 findings, and ITRC breach research to build a more complete picture than detection numbers alone can provide. Here is what stood out.
Attackers reached one in three credit unions in 2025
The headline number is that approximately 1,300 federally insured credit unions, roughly 30% of the system, appeared as the target of at least one brand impersonation attempt during 2025. The targeting rate was essentially identical to what we observed across FDIC-insured banks in the same period, which suggests attackers are largely indifferent to charter type.
What the 30% figure obscures is how unevenly the targeting distributes across the asset spectrum. In the $1B–$5B tier, effectively every institution appeared in our data as a target. At the largest tier above $5B, the rate was about 78%. At the smallest tier below $200M, it was 16%.
Those numbers describe two different problems. Mid-tier credit unions face a breadth problem: nearly all of them are being hit. The largest institutions face a depth problem: fewer are targeted, but those that are absorb far higher volume, averaging roughly 58 detected attempts per targeted institution compared to 9 in the mid-tier.
For credit union security leaders, the practical implication is that asset size no longer predicts whether your institution will be targeted. It predicts how many resources you have to respond when it happens.
The targeting wave moved further down-market than expected
In last year’s edition of SPOOF, we flagged mid-tier credit unions as the emerging center of gravity. The 2025 data confirmed that, but the shift went further. The largest credit unions saw their share of total attack volume drop from 54% to 40% in a single year, a 14-point decline. The smallest tier, institutions under $200M, absorbed most of the gap, more than tripling their share from 3.3% to 10.6%.
The shift accelerated within the year itself. Quarter over quarter, the smallest institutions took a larger share while the largest took a smaller one. Whatever is driving the redistribution, it did not stabilize. Credit unions should plan against Q4 conditions, not full-year averages.
This matters because the institutions now absorbing more targeting are also the ones with the thinnest resources to respond. The brief examines this through NCUA’s own financial data: the system’s headline numbers look strong, but the strength concentrates at the top. The system lost 168 federally insured institutions during 2025, almost all of them small. The structural gap between large and small credit unions is widening, and the threat environment is not scaling down to accommodate it.
Seven in ten reported cyber incidents involved a third-party vendor
NCUA’s cyber incident reporting rule completed its first full year and captured 1,072 reported incidents. Approximately 70% involved third-party service providers. The danger of that much reliance on shared infrastructure became clear when a single core processor compromise disrupted more than 60 credit unions simultaneously. The attack did not have to breach 60 institutions individually. It had to breach one vendor that all of them depended on.
What makes this finding particularly relevant to brand impersonation is what happens after the systems are restored. Vendor breaches that expose member data do not end with the incident response. They begin a second phase. The Identity Theft Resource Center’s 2025 analysis found that 54% of individuals who received a breach notification subsequently experienced an increase in targeted phishing attempts. Members who have just been told to watch for suspicious activity are precisely the ones most likely to respond to a well-crafted message that appears to come from their credit union. The breach creates the target list. The impersonation campaign that follows harvests the credentials.
Credit unions navigate this cycle with a structural disadvantage banks do not share. Unlike the OCC, FDIC, and Federal Reserve, the NCUA cannot directly examine or regulate the service providers credit unions depend on. GAO and FSOC have recommended Congress grant that authority. Until it arrives, credit unions bear vendor risk management responsibility without the regulatory backstop available elsewhere in financial services.
The ten-hour window and the 78% who didn't know
Two data points in the brief reshape how detection speed should be evaluated. The first is the established finding that 75% of victims arrive at a fraudulent site within ten hours of it going live. The second is newer: the FBI’s Operation Level Up, an initiative to notify cryptocurrency fraud victims directly, found that 78% of people contacted were unaware they were being scammed at the time.
Read together, these findings describe a problem that moves faster than most institutions can see it and affects people who do not know they need help. A brand protection program measured by takedown speed is measuring the wrong thing. The metric that connects to member harm is detection-to-blocking time:
What the data means for credit union security leaders
Three findings from this year’s brief have direct operational implications. The down-market shift means institutions in the $200M–$1B range should plan for the targeting volumes that mid-tier and large credit unions absorbed in 2024. The vendor concentration means brand impersonation monitoring should intensify during and after any third-party incident, when member data is most likely to be weaponized. And the ten-hour window means the metric that protects members is detection-to-blocking time, not takedown speed.
SPOOF ’26: Annual Credit Union Brief covers these findings in full, along with infrastructure analysis, TLD patterns specific to credit unions, and the NCUA financial data that frames the capacity gap across asset tiers. The trends documented in this year’s edition are not resolving. They are intensifying.
Key Takeaways
SPOOF ’26 is the fourth annual edition of Allure Security’s credit union threat brief, tracking brand impersonation activity against federally insured credit unions using a full year of detection data layered with NCUA, FBI, and ITRC research.
Approximately one in three federally insured credit unions (1,300 institutions) appeared as the target of at least one brand impersonation attempt in 2025. In the $1B–$5B tier, effectively all of them did. The targeting rate matched FDIC-insured banks, suggesting attackers are indifferent to charter type.
The largest credit unions’ share of attack volume dropped from 54% to 40%. The smallest tier more than tripled its share from 3.3% to 10.6%. The shift accelerated quarter over quarter through 2025.
Seven in ten reported cyber incidents in NCUA’s first full year of mandatory reporting involved third-party providers. Vendor breaches create targeting data for downstream brand impersonation campaigns. NCUA lacks the vendor examination authority that bank regulators have.
75% of victims arrive within ten hours of a fraudulent site going live. 78% of fraud victims contacted by the FBI were unaware they were being scammed. Detection-to-blocking time, not takedown speed, is the metric that protects members.



