Alert!! STCU is warning members about a phishing email that is circulating in an attempt to steal login credentials from members.

Phishing and Your Bank

According to the report, there is an “official-looking” email claiming to be from STCU (Spokane Teachers' Credit Union) requesting that members click a link and login to their account. Instead, the link takes the member to a fake STCU page where the attacker can collect login credentials.

STCU is not the only bank to neglect email security. Check Fraudmarc’s email security score for your bank or credit union. Unfortunately, it is too common for banks to lack basic email security.

This is yet another example of the classic spoofing attack, and it's EXACTLY* the type of attack that DMARC can prevent. We checked, and it does not use DMARC and it has a broken SPF record- worse than having nothing set up at all!

How to Avoid Phishing Emails

In their warning statement, STCU had some advice to offer member on how to avoid spoofed emails:

  1. If you are not sure if an email is really from the sender, call the sender to verify. In the absence of a DMARC policy, this is good advice. However, DMARC provides an easier way. See our post on how to verify an email sender.
  2. Phishing emails can be identified by these tip-offs:
  3. Poor grammar or spelling errors: This is sometimes true. Think about CEO scams (which are 95% effective).
  4. An excessively long or unlikely web address: To be safe, always avoid clicking links in emails. Instead, navigate to that address through your browser (don’t copy or type it; search for the business’s website!)
  5. A supposedly secure website that is designated ‘http’: This tip-off is rapidly becoming outdated. Now that “https” websites are free and easy to use, many phishing websites are using “https.”  See this article for more details on https in phishing attacks.
  6. An email from a credit union that mentions “customers” or the unabbreviated name of STCU: While this is useful information, it is not common knowledge and only applies in this particular case. Therefore it is unlikely to help many members.

Fraudmarc can help

At Fraudmarc, we want all domains to be secured against this type of attack. We are experts at implementing DMARC with complex conditions. We offer a variety of tools and services, including SPF compression, in order to help every business secure their domains against this type of attack. For those who prefer to manage their own email security policies, we released Fraudmarc CE, the open-sourced version of our DMARC reporting.

If you would like additional information, please contact us. You can also find more information our community forum,, or in our other blog posts.

*Because we did not receive this phishing email, we cannot verify with 100% certainty that it was a spoofed message. Based on the claim that the email was “official-looking” paired with STCU’s lack of email security, we are confident that this was a spoofed email. For more information about spoofed messages compared to other types of phishing attacks, see our posts, What DMARC Can & Can’t Do for Domains, and Does DMARC Really Increase Email Security.