The Exploit: Anatomy of a Modern Cyber Heist Part 4 - The Quiet Intruder

Justin Kirsch | 9 min read

The Aftermath: A Credit Union Discovers the Breach Was Never Over

The CISO gets the call at 3 PM on a Tuesday. A member reports a fraudulent ACH transfer from their account. Then another call. And another.

Within 72 hours, the credit union discovers that an attacker who was supposedly remediated six weeks ago never actually left. The password resets, the endpoint scans, the "all clear" from the incident response vendor — none of it mattered. The attacker had planted a hidden admin account during the initial breach, and when the dust settled, they logged back in through the side door.

This isn't a hypothetical. This is what happened to financial institutions across the country in 2024 and 2025.

This is Part 4 of a four-part series tracking the cyber kill chain that credit unions, banks, and mortgage companies face today. In Part 1: The Leak, stolen credentials built the target profile. In Part 2: The Phish, AiTM phishing defeated MFA and compromised email accounts. In Part 3: The Breach, supply chain attacks cascaded across entire vendor networks. Now the kill chain reaches its final phase: the attacker turns access into money — and the institution discovers that getting hacked was only the beginning.

$2.8B
in business email compromise losses reported to the FBI in 2024 — with mortgage closings among the highest-value targets for wire fraud redirection
Source: FBI Internet Crime Complaint Center, 2024 Annual Report

SRP Federal Credit Union: 240,000 Members, Two Months Undetected

Between September 5 and November 4, 2024, an unauthorized actor maintained persistent access inside SRP Federal Credit Union's network. For two months, the attacker moved through the credit union's systems, accessing and exfiltrating personal files containing member data. By the time SRP Federal discovered and contained the breach, 240,000 people had been affected.

Incident: September–November 2024

SRP Federal Credit Union — 60-Day Persistent Access

Unauthorized access to SRP Federal Credit Union's network persisted from September 5 through November 4, 2024 — a 60-day window during which the attacker accessed personal files across the credit union's systems. 240,000 individuals were affected. The breach was reported to the Texas Attorney General, triggering notification requirements across multiple states. The prolonged dwell time suggests the attacker established persistence mechanisms that survived standard detection — the kind of access that a password reset and endpoint scan would not have caught.

Sources: SecurityWeek, Texas Attorney General filing

Sixty days. That is longer than most credit unions' annual budget cycle. Longer than most mortgage pipeline timelines. Long enough for an attacker to map every system, identify every high-value data store, and exfiltrate everything worth taking — slowly, carefully, in packets small enough to avoid triggering data loss prevention rules.

The SRP Federal breach highlights a pattern that security researchers see repeatedly in financial institution compromises: the initial breach gets all the attention, but the real damage happens during the dwell time. Every day the attacker maintains access is another day of data exfiltration, another day of communication monitoring, and another day closer to a wire fraud event that empties an account.

Why Standard Incident Response Fails Against Persistent Attackers

When a financial institution detects a breach, the standard playbook follows a predictable sequence: reset compromised passwords, scan endpoints for malware, review access logs, patch the vulnerability, write the incident report. For opportunistic attacks — a drive-by ransomware infection, a credential stuffing campaign — this playbook works. For targeted attackers who have specifically chosen your institution, it doesn't.

1. Initial Compromise. Attacker gains access through phishing, vendor compromise, or stolen credentials. During the first session, they plant persistence: a hidden admin account, a scheduled task, an OAuth app with delegated permissions, or email forwarding rules.

2. Standard Incident Response. The institution detects suspicious activity and executes the IR playbook: reset passwords, scan endpoints, revoke sessions, patch the entry point. The compromised account appears clean.

3. False "All Clear". The incident response team declares the threat contained. Normal operations resume. But the hidden admin account, the scheduled task, or the OAuth app are still active, undetected by the standard scan.

4. Re-Entry. Days or weeks later, the attacker uses the persistence mechanism to regain access. This time, they know the IR playbook. They avoid the patterns that triggered the first alert.

5. Monetization. With persistent, undetected access, the attacker executes the heist: wire fraud redirection, data exfiltration for dark web sale, or ransomware deployment timed for maximum impact.

Infographic showing 5-step cycle of attacker persistence after incident response at financial institutions — from initial compromise through re-entry and monetization

The gap between standard incident response and genuine threat eradication is where financial institutions lose money. Password resets don't catch hidden admin accounts. Endpoint scans don't find OAuth apps with delegated permissions. Log reviews don't surface email forwarding rules set to auto-delete after forwarding. The attacker who planted these mechanisms during their initial access is counting on the IR team following the standard playbook — because the standard playbook doesn't look for them.

Would Your Security Monitoring Catch a Hidden Admin Account?

Guardian's continuous monitoring detects the anomalies that standard IR misses — new admin accounts, suspicious OAuth consents, and sign-in patterns that don't match your users. Across 750+ financial institutions.

FinWise Bank: A Former Employee's Two-Year Data Heist

Not every persistent threat comes from outside. In May 2024, FinWise Bank disclosed that a former employee had maintained unauthorized access to customer data for two full years after leaving the company. The insider accessed records for 689,000 American First Finance customers — Social Security numbers, financial account details, and personal information — without triggering a single alert.

Incident: Discovered May 2024

FinWise Bank — Insider Threat, Two Years Undetected

A former FinWise Bank employee retained access to customer data systems for two years after termination. During that time, they accessed records for 689,000 American First Finance customers, including Social Security numbers and financial account details. The breach was discovered during a routine review — not by automated monitoring. The two-year dwell time represents a fundamental failure in access management: the former employee's credentials were never fully deprovisioned.

Source: SecurityWeek

The FinWise breach exposes a gap that exists at most credit unions, banks, and mortgage companies: the gap between terminating an employee and actually revoking every access point they held. In a complex environment with dozens of applications, shared service accounts, and legacy systems, full deprovisioning requires more than disabling an Active Directory account. It requires auditing every OAuth token, every API key, every shared credential, every system-level account the employee may have had access to.

The FinWise insider accessed 689,000 records over two years without triggering a single alert. The credentials were never deprovisioned. The monitoring never flagged the access. This is the insider threat gap that most financial institutions don't discover until it's too late.
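The deprovisioning gap described above can be checked mechanically. The following is an added example, not FinWise's or ABT's tooling: it reconciles an HR termination feed against every access inventory (directory account, OAuth refresh tokens, API keys, a legacy core system, and shared credentials whose password was never rotated after the leaver's last day). All inventories, identities, dates and field names below are constructed assumptions; in practice each list would be an export from the system in question.

```python
"""Reconcile terminated staff against every access inventory, not just AD.

Added example, not FinWise's or ABT's code. Inventories and schemas are
constructed assumptions standing in for per-system exports.
"""
from datetime import date

# Constructed HR feed: who left and when.
TERMINATED = [
    {"person": "a.smith", "terminated": date(2022, 5, 15)},
    {"person": "b.jones", "terminated": date(2024, 1, 31)},
]
# Constructed identity map: one person, many logins across systems.
IDENTITY_MAP = {
    "a.smith": {"a.smith", "a.smith@finwise.example", "ASMITH"},
    "b.jones": {"b.jones", "b.jones@finwise.example", "BJONES"},
}
# Constructed per-system inventories; each system records "still usable"
# in its own way, which is exactly why AD-only deprovisioning misses things.
INVENTORY = {
    "active_directory": [
        {"principal": "a.smith", "enabled": False},
        {"principal": "b.jones", "enabled": False},
    ],
    "oauth_refresh_tokens": [
        {"principal": "a.smith@finwise.example", "app": "Mobile Mail", "revoked": False},
    ],
    "api_keys": [
        {"principal": "a.smith", "key_id": "ak_PLACEHOLDER_01", "revoked": False},
        {"principal": "b.jones", "key_id": "ak_PLACEHOLDER_02", "revoked": True},
    ],
    "legacy_core_banking": [
        {"principal": "ASMITH", "status": "ACTIVE"},
        {"principal": "BJONES", "status": "DISABLED"},
    ],
}
# Constructed shared credentials: who knew the password, and last rotation.
SHARED_ACCOUNTS = [
    {"account": "svc-reporting", "known_to": {"a.smith", "c.lee"}, "rotated": date(2021, 11, 2)},
    {"account": "svc-batch", "known_to": {"b.jones"}, "rotated": date(2024, 2, 1)},
]


def grant_is_live(system, entry):
    """Per-system notion of 'still usable' (assumed field names)."""
    if system == "active_directory":
        return entry["enabled"]
    if system == "legacy_core_banking":
        return entry["status"] == "ACTIVE"
    return not entry["revoked"]


def residual_access(terminated, identity_map, inventory, shared_accounts, today):
    """List every access path a leaver still holds, with days since termination."""
    findings = []
    for t in terminated:
        aliases = identity_map[t["person"]]
        age = (today - t["terminated"]).days
        for system, entries in inventory.items():
            for e in entries:
                if e["principal"] in aliases and grant_is_live(system, e):
                    findings.append({"person": t["person"], "system": system,
                                     "principal": e["principal"], "days_open": age})
        # A shared password the leaver knew is live access unless it was
        # rotated after their termination date.
        for s in shared_accounts:
            if aliases & s["known_to"] and s["rotated"] <= t["terminated"]:
                findings.append({"person": t["person"], "system": "shared:" + s["account"],
                                 "principal": s["account"], "days_open": age})
    return sorted(findings, key=lambda f: -f["days_open"])


if __name__ == "__main__":
    for f in residual_access(TERMINATED, IDENTITY_MAP, INVENTORY,
                             SHARED_ACCOUNTS, date(2024, 5, 1)):
        print(f"{f['days_open']:>5}d  {f['person']:<10} {f['system']:<24} {f['principal']}")
```

In this constructed data the directory account is disabled for both leavers, which is where most offboarding checklists stop; the report still surfaces four live paths for the first leaver, each open for roughly two years.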

The Deepfake Dimension: When Seeing Isn't Believing

The kill chain is evolving. In early 2024, an employee at Arup — the global engineering firm — joined a video call with what appeared to be the company's Chief Financial Officer and several colleagues. Everyone on the screen looked and sounded exactly right. The CFO instructed the employee to authorize a series of wire transfers. The employee complied. Fifteen transactions later, HK$200 million — approximately $26 million — had been wired to five bank accounts controlled by the attackers.

Every person on that video call was a deepfake.

Indicator                          | Data Point                      | Trend
Deepfake fraud attempts            | 1,300% surge in 2024-2025       | Accelerating
Voice fraud in US contact centers  | 1 attack every 46 seconds       | Up significantly
Banking sector deepfake attacks    | 149% increase year-over-year    | Fastest-growing sector
Voice phishing surge               | 442% increase in 2025           | Accelerating
Banks losing $1M+ to deepfakes     | 10%+ of surveyed institutions   | Growing rapidly
Largest single deepfake heist      | $26 million (Arup, 2024)        | Record-setting

Sources: Pindrop 2025 Voice Intelligence Report, SpeechTechMag, Forbes

Infographic showing deepfake fraud statistics: 1,300% surge in attempts, 149% banking sector increase, voice fraud every 46 seconds, 442% voice phishing surge

For credit unions, banks, and mortgage companies that process wire transfers daily, deepfake technology collapses the last line of defense many institutions rely on: the verification phone call. When a loan officer calls the title company to verify wire instructions and the person on the other end sounds exactly like the contact they've spoken with for years, how do they know it's real?

The Regulatory Response: Incident Reporting Timelines

Financial institutions face increasingly compressed reporting timelines. HUD Mortgagee Letter 2024-10 requires FHA-approved lenders to report cybersecurity incidents within 12 hours of discovery. Fannie Mae requires notification within 36 hours. The FTC Safeguards Rule requires breach notification to the Commission within 30 days for breaches affecting 500+ consumers. NYDFS Part 500 requires notification within 72 hours. For a credit union like SRP Federal, whose breach went undetected for 60 days, the reporting clock doesn't start ticking until the breach is discovered — but every day of delayed detection is another day of data exposure that regulators will scrutinize in the aftermath.

Breaking the Final Link: Continuous Monitoring and Forensic Hunting

The controls that break the final link in the kill chain go beyond traditional incident response. They require the assumption that the attacker is already inside — and the capability to find them.

Guardian MxDR — Managed Extended Detection and Response. Microsoft Defender, Sentinel, and Secure Score with 24/7 human monitoring. Not a SIEM that generates alerts for someone to review on Monday morning. Human analysts who investigate anomalies in real time — at 2 AM on Saturday, when the attacker expects no one is watching. ABT's security operations team monitors telemetry across 750+ credit unions, banks, and mortgage companies, which means pattern recognition that improves with every institution in the network.

Microsoft Sentinel correlation. Sentinel ingests telemetry from every layer — endpoints, identity, email, cloud apps, network — and correlates events that individually look benign but collectively signal a threat. A new admin account creation, followed by a sign-in from an unusual geography, followed by a OneDrive bulk download — each event alone might pass review. Together, they trigger an automated investigation.
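The chain described above (role added, then an unusual-geography sign-in, then a bulk download) is shown here as an added example, not Sentinel or Guardian code. Sentinel would express it in KQL over AuditLogs, SigninLogs and OfficeActivity; the same logic runs below in Python over constructed rows, with the field names, account names, country baseline, windows and thresholds all assumptions.

```python
"""Correlate three individually benign events into one incident.

Added example, not Microsoft Sentinel or Guardian code. Constructed rows
stand in for AuditLogs / SigninLogs / OfficeActivity; all field names,
accounts, windows and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

USUAL_COUNTRIES = {"US"}              # assumed tenant baseline
STAGE_WINDOW = timedelta(hours=24)    # max gap from one stage to the next
DOWNLOAD_WINDOW = timedelta(hours=1)  # burst window for stage 3
DOWNLOAD_THRESHOLD = 100              # files inside DOWNLOAD_WINDOW


def ts(value):
    """Parse ISO-8601 with either 'Z' or '+00:00' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _downloads(user, count, start):
    """Constructed OfficeActivity-style rows, one per downloaded file."""
    return [{"time": (start + timedelta(seconds=10 * i)).isoformat(),
             "user": user, "source": "OfficeActivity", "op": "FileDownloaded"}
            for i in range(count)]


EVENTS = (
    # Legitimate admin: role change, domestic sign-in, a few downloads.
    [{"time": "2024-09-05T14:00:00Z", "user": "it.admin@srpfcu.example",
      "source": "AuditLogs", "op": "Add member to role"},
     {"time": "2024-09-05T14:05:00Z", "user": "it.admin@srpfcu.example",
      "source": "SigninLogs", "op": "Sign-in", "country": "US"}]
    + _downloads("it.admin@srpfcu.example", 5, ts("2024-09-05T14:10:00Z"))
    # Constructed persistence chain on a planted account.
    + [{"time": "2024-09-05T22:41:00Z", "user": "svc-backup2@srpfcu.example",
        "source": "AuditLogs", "op": "Add member to role"},
       {"time": "2024-09-06T03:10:00Z", "user": "svc-backup2@srpfcu.example",
        "source": "SigninLogs", "op": "Sign-in", "country": "NG"}]
    + _downloads("svc-backup2@srpfcu.example", 250, ts("2024-09-06T03:40:00Z"))
)


def peak_count(times, window):
    """Largest number of timestamps that fit inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def _chain_for_user(user, evs, usual_countries):
    """Return the first completed stage-1 -> stage-2 -> stage-3 chain, or None."""
    evs = sorted(evs, key=lambda e: ts(e["time"]))
    for role_add in (e for e in evs if e["op"] == "Add member to role"):
        t1 = ts(role_add["time"])
        for signin in (e for e in evs if e["op"] == "Sign-in"
                       and e.get("country") not in usual_countries
                       and t1 <= ts(e["time"]) <= t1 + STAGE_WINDOW):
            t2 = ts(signin["time"])
            download_times = [ts(e["time"]) for e in evs
                              if e["op"] == "FileDownloaded"
                              and t2 <= ts(e["time"]) <= t2 + STAGE_WINDOW]
            peak = peak_count(download_times, DOWNLOAD_WINDOW)
            if peak >= DOWNLOAD_THRESHOLD:
                return {"user": user, "role_added": role_add["time"],
                        "signin_time": signin["time"], "signin_from": signin["country"],
                        "downloads_in_window": peak}
    return None


def correlate(events, usual_countries=USUAL_COUNTRIES):
    """Group events per account and return one incident per completed chain."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    chains = (_chain_for_user(u, evs, usual_countries) for u, evs in by_user.items())
    return [c for c in chains if c is not None]


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

The legitimate administrator in the constructed data produces all three event types too; only the ordering, the geography and the download rate separate the two accounts, which is the point of correlating rather than alerting on each event alone.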

Service account and admin auditing. Automated alerts on new admin account creation, scheduled task registration, and OAuth app consent. Regular audits of elevated privileges catch the ghost accounts that persist after incident response. When FinWise's former employee retained access for two years, this is the control that was missing.
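The persistence mechanisms the IR playbook misses (hidden admin accounts, OAuth consents, forward-and-delete inbox rules, as listed earlier on this page) and the auditing control just described are illustrated by the following added example. It is not ABT's, Guardian's or Microsoft's code: it walks three constructed exports shaped loosely like Entra ID role membership, OAuth consent grants and Exchange Online inbox rules, and every field name, address, scope list and timestamp in it is an assumption.

```python
"""Hunt for persistence that a password reset does not remove.

Added example, not ABT's or Guardian's code. Inputs are constructed
exports; all field names, addresses and timestamps are assumptions.
"""
from datetime import datetime, timezone

# Assumed incident window: the phishing session happened on 2024-09-05,
# so anything created on or after that date is reviewed as suspect.
COMPROMISE_START = datetime(2024, 9, 5, tzinfo=timezone.utc)
INTERNAL_DOMAINS = {"srpfcu.example"}          # placeholder tenant domain
# Delegated scopes that let an app read or reshape the user's data.
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
               "MailboxSettings.ReadWrite"}

ROLE_MEMBERS = [  # constructed: who holds privileged directory roles
    {"role": "Global Administrator", "user": "it.admin@srpfcu.example",
     "added": "2023-02-10T09:00:00Z", "added_by": "hr.onboarding@srpfcu.example"},
    {"role": "Global Administrator", "user": "svc-backup2@srpfcu.example",
     "added": "2024-09-05T22:41:00Z", "added_by": "j.doe@srpfcu.example"},
]
OAUTH_GRANTS = [  # constructed: user consents to applications
    {"app": "Microsoft Teams", "scopes": ["User.Read"],
     "user": "j.doe@srpfcu.example", "granted": "2022-05-01T10:00:00Z",
     "verified_publisher": True},
    {"app": "MailSync Helper", "scopes": ["Mail.ReadWrite", "offline_access"],
     "user": "j.doe@srpfcu.example", "granted": "2024-09-06T01:12:00Z",
     "verified_publisher": False},
]
INBOX_RULES = [  # constructed: mailbox rules, old and new
    {"mailbox": "j.doe@srpfcu.example", "name": "Archive",
     "forward_to": ["jdoe.backup@webmail.example"], "delete_message": True,
     "created": "2024-09-06T01:15:00Z"},
    {"mailbox": "j.doe@srpfcu.example", "name": "Newsletters",
     "forward_to": [], "delete_message": True,
     "created": "2021-01-01T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt_persistence(role_members, oauth_grants, inbox_rules,
                     since, internal_domains):
    """Return findings that reset-scan-revoke leaves behind."""
    findings = []
    # 1. Privileged role assignments made during or after the intrusion window.
    for m in role_members:
        if parse_ts(m["added"]) >= since:
            findings.append({
                "kind": "admin_role_added", "subject": m["user"], "severity": "high",
                "detail": f"{m['role']} added by {m['added_by']} at {m['added']}"})
    # 2. OAuth consents granting data access; their tokens survive a password reset.
    for g in oauth_grants:
        data = sorted(set(g["scopes"]) & DATA_SCOPES)
        if data and parse_ts(g["granted"]) >= since:
            persistent = "offline_access" in g["scopes"]  # refresh token issued
            severity = "high" if persistent or not g["verified_publisher"] else "medium"
            findings.append({
                "kind": "oauth_consent", "subject": g["user"], "severity": severity,
                "detail": f"{g['app']} scopes={data} refresh_token={persistent}"})
    # 3. Inbox rules forwarding outside the tenant; delete-after-forward hides them.
    for r in inbox_rules:
        external = [a for a in r["forward_to"]
                    if a.rsplit("@", 1)[-1].lower() not in internal_domains]
        if external:
            severity = "high" if r["delete_message"] else "medium"
            findings.append({
                "kind": "inbox_forward_rule", "subject": r["mailbox"], "severity": severity,
                "detail": f"rule '{r['name']}' forwards to {external}, deletes={r['delete_message']}"})
    return findings


if __name__ == "__main__":
    for f in hunt_persistence(ROLE_MEMBERS, OAUTH_GRANTS, INBOX_RULES,
                              COMPROMISE_START, INTERNAL_DOMAINS):
        print(f"[{f['severity']}] {f['kind']:<20} {f['subject']}: {f['detail']}")
```

Run against live exports, the same three checks become the scheduled audit the paragraph above calls for: anything the hunt returns after an incident is a mechanism that a reset and a scan did not touch.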

Post-incident continuous monitoring. After any security event, Guardian doesn't declare "all clear" and walk away. Behavioral analytics remain elevated for 30-90 days after an incident — monitoring for re-entry patterns, new persistence mechanisms, and subtle signs that the attacker survived the remediation.

Out-of-band payment verification. For wire transfers above a defined threshold, verification happens through a pre-established, out-of-band channel — a phone call to a known number (not a number from the email), a confirmation through a separate secure messaging platform, or in-person verification. This single control would have prevented every dollar stolen by the Ayeni BEC ring.
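The out-of-band rule above can be encoded so that the callback number is never taken from the request. The following is an added example, not ABT's or any institution's procedure: the directory of record, the requests, the threshold, the field names and the phone numbers are all constructed assumptions.

```python
"""Out-of-band wire verification: dial the number on file, never the one
supplied in the request.

Added example, not ABT's or any institution's procedure. Directory,
requests, threshold, field names and phone numbers are assumptions.
"""
import re

CALLBACK_THRESHOLD = 50_000  # assumed: wires at or above this always get a callback

# Constructed directory of record, captured at onboarding through an
# independent channel, never updated from an inbound email.
DIRECTORY = {
    "Acme Title Co": {"callback": "+1 555-0100",
                      "routing": "RTN_PLACEHOLDER_1", "account": "ACCT_PLACEHOLDER_1"},
}


def normalize_phone(raw):
    """Digits only, so '+1 555-0100' and '15550100' compare equal."""
    return re.sub(r"\D", "", raw or "")


def verify_wire(request, directory, threshold=CALLBACK_THRESHOLD):
    """Decide approve / callback_required / hold for one wire request.

    Whenever a callback number is returned it comes from the directory
    entry, so a number supplied in the request is never the one dialled.
    """
    on_file = directory.get(request["payee"])
    if on_file is None:
        # No independent record to verify against: nothing can be approved.
        return {"decision": "hold", "callback_number": None,
                "flags": ["payee_not_on_file"]}
    flags = []
    if (request["account"], request["routing"]) != (on_file["account"], on_file["routing"]):
        flags.append("beneficiary_changed")
    supplied = normalize_phone(request.get("contact_phone"))
    if supplied and supplied != normalize_phone(on_file["callback"]):
        # A "call me here to confirm" number that differs from the record
        # is itself a reason to verify through the record, not the request.
        flags.append("request_supplied_different_phone")
    if request["amount"] >= threshold:
        flags.append("above_threshold")
    if flags:
        return {"decision": "callback_required",
                "callback_number": on_file["callback"], "flags": flags}
    return {"decision": "approve", "callback_number": None, "flags": []}


# Constructed requests: a routine one, and one that changes the beneficiary
# and includes a different phone number "for confirmation".
ROUTINE = {"payee": "Acme Title Co", "amount": 12_500,
           "routing": "RTN_PLACEHOLDER_1", "account": "ACCT_PLACEHOLDER_1"}
REDIRECTED = {"payee": "Acme Title Co", "amount": 12_500,
              "routing": "RTN_PLACEHOLDER_2", "account": "ACCT_PLACEHOLDER_2",
              "contact_phone": "+1 555-0199"}

if __name__ == "__main__":
    for r in (ROUTINE, REDIRECTED):
        print(r["payee"], r["amount"], "->", verify_wire(r, DIRECTORY))
```

The decision output is deliberately a record of which checks fired, so the verification call itself can be logged against the request and reviewed later.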

Kill Chain Status — Part 4 of 4: Chain Broken

Recon > Phish > Breach [>>> HEIST >>>][BROKEN by Guardian]

The full kill chain — from stolen credentials to phishing attacks to supply chain breaches to persistence and wire fraud — is a connected sequence. Break any single link and the chain fails. Guardian's architecture breaks multiple links simultaneously: leaked credential detection catches compromised passwords before they're weaponized. Phishing-resistant MFA stops AiTM attacks. The pure Microsoft stack eliminates vendor platform risk. And continuous monitoring catches the behavioral anomalies that signal persistence before it becomes a heist.

"The institutions that get hit hardest aren't the ones with the weakest firewalls — they're the ones that declared 'all clear' too soon. We see it across our 750+ financial institutions: the difference between a contained incident and a seven-figure loss is whether your monitoring catches persistence mechanisms before the attacker comes back."
ABT Security Operations Team
Serving 750+ financial institutions since 1999

Is Your Monitoring Catching What IR Missed?

Hidden admin accounts, suspicious OAuth consents, email forwarding rules — the threats that survive standard remediation are the threats that cost millions. Guardian's continuous monitoring surfaces them across 750+ financial institutions.

Frequently Asked Questions

Attackers plant persistence mechanisms during their initial access that survive standard remediation. Common techniques include creating hidden admin accounts in Active Directory or Entra ID, registering OAuth applications with delegated permissions, setting scheduled tasks or startup scripts, creating email forwarding rules that auto-delete after forwarding, and implanting backdoor accounts in legacy systems. Standard incident response — password resets, endpoint scans, and log reviews — often misses these mechanisms because they don't look like malware. They look like legitimate system configurations. Finding them requires thorough investigation that examines every admin account, every OAuth consent, every scheduled task, and every email rule.

Dwell time — the period between initial compromise and detection — varies widely but remains alarmingly long for many financial institutions. SRP Federal Credit Union's breach persisted for 60 days (September to November 2024). FinWise Bank's insider breach went undetected for two full years. Industry-wide, the median dwell time for financially motivated attacks has improved to roughly 36 hours for organizations with mature security operations, but institutions relying on annual penetration tests and periodic log reviews often measure dwell time in weeks or months. Continuous monitoring with automated correlation — like Microsoft Sentinel integrated with 24/7 human analysts — is the primary factor that separates hours from months.

Deepfake attacks against financial institutions surged 1,300% between 2024 and 2025, with the banking sector seeing a 149% year-over-year increase. Attackers use AI-generated voice clones to impersonate executives on phone calls requesting wire transfers, bypass voice-based knowledge authentication in contact centers, and — in the most sophisticated cases — create real-time video deepfakes for video conferences. The Arup heist ($26 million stolen via deepfake video call in 2024) demonstrated that even multi-person video calls can be entirely fabricated. For mortgage companies processing high-value wire transfers, the defense is out-of-band verification through pre-established channels that cannot be spoofed — calling a known number, not a number provided in the suspicious communication.

Financial institutions face multiple overlapping reporting requirements with different timelines. HUD Mortgagee Letter 2024-10 requires FHA-approved lenders to report cybersecurity incidents within 12 hours of discovery. Fannie Mae requires notification within 36 hours. The NYDFS Part 500 cybersecurity regulation requires notification within 72 hours. The FTC Safeguards Rule requires notification to the Commission within 30 days for breaches affecting 500 or more consumers. Federal banking regulators require notification within 36 hours for incidents that materially affect operations. These timelines run concurrently, meaning a single breach can trigger four or five separate notification obligations with different deadlines and different reporting formats.

Managed Extended Detection and Response (MxDR) combines endpoint detection, identity monitoring, email security, cloud application monitoring, and network telemetry into a unified platform with 24/7 human analyst coverage. Unlike traditional managed security services that focus on log management and alerting, MxDR provides active threat hunting — analysts proactively searching for indicators of compromise rather than waiting for automated alerts. For credit unions, banks, and mortgage companies that lack the budget for a full in-house security operations center, MxDR provides enterprise-grade detection and response capabilities. ABT's Guardian MxDR integrates Microsoft Defender, Sentinel, and Secure Score across 750+ financial institutions, which provides cross-client pattern recognition that improves detection accuracy for every institution in the network.


Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has spent over 25 years building incident response and continuous monitoring programs for credit unions, banks, and mortgage companies. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he leads a security operations team that hunts persistent threats and monitors behavioral anomalies across more than 750 financial institutions — the kind of cross-client visibility that catches what single-institution monitoring misses.