How CDFIs can protect against fraud
Fraud is on the rise. In 2023, 80% of organizations reported being targets of payments fraud activity, up from 65% in 2022, according to the 2024 AFP Payments Fraud and Control Survey Report.
Learn more about the cybersecurity landscape and how Community Development Financial Institutions (CDFIs) can safeguard against fraud with training and other centralized efforts.
What makes CDFIs vulnerable to fraud
CDFIs can be susceptible to fraud for many reasons. While they share vulnerabilities with other businesses and financial institutions, CDFIs’ mission-driven focus and community-oriented goals can amplify certain risk factors.
- Volume: Like all financial institutions, CDFIs possess a significant amount of capital, assets and data, naturally making them targets for bad actors. According to the Federal Reserve’s 2023 CDFI Survey, 3 out of 4 CDFIs reported increased demand for their products. A similar share of CDFIs anticipates that this growth will continue. “As there’s more lending and more payments, just by percentage, there are going to be more fraud attempts,” said Sam Collis, Global Cybersecurity and Technology Controls Attack Simulation, JPMorganChase.
- Service-oriented culture: CDFIs are focused on helping their communities. As with other financial institutions, that eagerness to help can make them vulnerable to social engineering attacks that involve impersonating clients or vendors, such as business email compromise, phishing, smishing and vishing. Fraudsters can quickly translate those social engineering efforts into credential harvesting, leading to widespread issues.
- Risk-reward balance: As mission-based organizations, CDFIs should promote the work they’re doing. But these financial institutions should be mindful of how such publicity could expose them to fraud. “Sharing good work also has risks associated with it,” said Michael Rhodes, Executive Director, Community Development Banking Intermediaries Lending, JPMorganChase. For instance, a CDFI’s marketing team may want to send a press release or post to social media about a recently funded community project. Although these announcements can successfully promote the CDFI’s work, they can also make the organization more vulnerable. “The CDFI needs to balance its desire to advertise good news with publicizing a major transaction and potentially making the organization a target for bad actors,” Rhodes said.
- Size: CDFIs range in size, from smaller institutions to major financial players with millions of dollars in assets. Both large and small CDFIs have vulnerabilities. The level of technical maturity and investment in cybersecurity varies among different organizations. Smaller CDFIs may have limited resources—translating to fewer staff members and limited budget for technology and training. Meanwhile, larger organizations—those with annual revenue of at least $1 billion—are more susceptible to payments fraud attacks than are smaller ones: 83% compared to 74%, according to the 2024 AFP Payments Fraud and Control Survey Report.
How CDFIs can safeguard against fraud
CDFIs should take fraud-protection measures, including:
- Practice cyber hygiene: Cyber hygiene refers to the practices and procedures organizations use to maintain the security of data, networks and systems. To mitigate cyberattacks, CDFIs and other organizations should ensure segregation of duties, limit and control account access, document procedures and use multifactor authentication, among other measures.
- Maintain up-to-date systems: CDFIs should apply all software updates as soon as they are available “because cyber criminals are actively seeking to exploit known vulnerabilities within systems,” Collis said. He cited recent cyberattacks on casinos and healthcare systems. “Those successful attacks involved social engineering that turned into credential harvesting, and then the attackers were able to utilize other weaknesses in the environment.”
- Invest in comprehensive, ongoing employee training: Cybersecurity and fraud education and training are paramount for CDFIs. Training should cover how employees can spot suspicious emails, as well as potential check fraud and wire fraud. “Having training on strong procedures, and then executing those procedures every time, can help CDFIs identify and prevent fraud,” Rhodes said. CDFI trainings should also detail robust callback procedures. “That extra step of making a simple call to confirm payment amounts and recipients is some of the best defense,” he said.
- Engage JPMorganChase treasury services: Our treasury services team can conduct a fraud analysis to identify what security and controls CDFIs may be missing and find solutions, whether that’s installing new software or homing in on any vulnerabilities during training sessions.
The bottom line: By identifying vulnerabilities, implementing robust cybersecurity measures, and participating in ongoing, comprehensive training, CDFIs can safeguard against fraud.