Small Banks, Big Targets: Rising Threats of Cybercrime for CFIs

Did you know that dragonflies are at the top of nature's list for most successful predators? Dragonflies boast a 95% success rate when hunting prey mid-flight. This ability is a skill that even human-designed robots have not fully been able to achieve. In cybersecurity, humans show a similarly high percentage, but for very different reasons. About 95% of data breaches can be traced back to human error. Some common culprits include unsecured devices, connecting to public Wi-Fi, using weak passwords or the same password in multiple places, storing passwords on visible Post-It notes, and sharing passwords or devices with others.

There's no shortage of risks to consider when it comes to protecting your digital accounts and devices, and it's more important than ever to have all your bases covered. Cybercrime is increasing within the financial services industry, and vulnerable community financial institutions (CFIs) and their customers are now fraudsters’ favorite targets. Americans last year suffered nearly $21B in losses due to internet crime. For the financial services industry specifically, $275MM in losses were recorded, a 59% increase from 2024, according to the FBI’s 2025 Internet Crime Report.

The report, which recorded more than 800K complaints, underscores that the majority fall into “cyber-enabled crime” — schemes that originate online but result in real-world financial loss. Phishing and spoofing ranked as the most reported crime type, followed by extortion and personal data breaches, while business email compromise (BEC) and investment scams remained among the most financially damaging. In many cases, these crimes begin with a digital touchpoint and ultimately lead to fraudulent wire transfers or ACH payments.

CFIs and their customers are ideal targets because they don’t have the type of robust security resources that bigger banks do, like dedicated cybersecurity specialists and operations centers whose budgets often surpass a CFI’s budget across its entire operations. Bigger banks have also cultivated mature defenses with rapid response capabilities and aggressive legal teams. 

“There’s a painful irony facing community banks and credit unions today. The same characteristics that make them valuable to their communities — personal relationships, local decision-making, accessible leadership — have become vulnerabilities that attackers systematically exploit,” writes Allure Security.

While the customers are the ones who often suffer the financial losses from cybercrimes, the banking institutions carry the operational, reputational, and response burdens. CFIs must contend with increased dispute volume, call center strain, and rising operations costs. They also face heightened pressure from regulators and their boards to demonstrate that they have the appropriate controls in place to impede additional cybercrimes.

On top of that, when customers lose money, the financial institution owns the relationship fallout. “Fraud and scams don’t just affect the bottom line; they affect customer relationships and divert resources away from other important operational activities,” says Scott Anchin, ICBA’s Senior Vice President of Strategic Initiatives and Policy. 

CFIs can bolster their in-house cyber defenses with the help of their core providers, fintechs, and consortium-based solutions. Core platforms embed controls like transaction limits, user entitlements, and monitoring rules that differ by payment type and risk level. For example, most core providers have now built security features into each of their functionalities, such as limitations depending on the type of transaction, like Zelle transactions or B2B transfers. Fintechs will often layer on top of core systems to provide more advanced analytics, identity verification, and behavioral monitoring. Shared fraud networks provide shared visibility and controls across institutions, which is especially valuable for detecting patterns that wouldn’t be visible within a single institution.

The $2.1B-asset Isabella Bank in Mt. Pleasant, Michigan takes advantage of all of these tools, says Jenn Brick, Vice President and Director of Customer Service Operations. “We have internal monitoring based on different types of alerts of anything that would be considered a high risk. In addition, we have solutions for our customers.” Isabella Bank uses a system that messages customers to ask if a certain debit card transaction was legitimate. If not, the system shuts down the card and asks the customer to contact the bank.

On of the most effective ways to reduce cybercrime is to educate customers on how to spot potential fraud attempts. CFIs should offer these pointers to their customers:

The $2.2B-asset Plumas Bank in Quincy, California provides its customers with information from federal agencies on how to spot and protect themselves from the latest scams. Customers are educated not only through blogs, newsletters, and social media, but also at in-branch forums.

“Educating our clients on how to protect themselves against fraud and cybercrime is a top priority for Plumas Bank, and we take our role as a trusted financial resource for our clients very seriously,” says Amber Marshall, Senior Vice President and Risk Manager.

CFIs can also regularly post on their websites the latest fraud scams and fraud types from government agencies, including the FBI’s annual Internet Crime Report and the Federal Trade Commission’s Avoiding and Reporting Scams. Institutions can also download tools and customer education materials from the Financial Crimes Enforcement Network and the U.S. Postal Inspection Service, such the latter’s Security: It Comes With the Stamp.

Cybercrime is rising, and your customers are prime targets. While adding tools to your cybersecurity plan is rarely a bad thing, it's also vital to educate customers on what they can do to protect their accounts. Empowering customers on how to stay alert for common fraud indicators is a natural part of a robust cyber defense system in a landscape of prolific cybercrime at CFIs.