Data Security: Up Close and Personal


Fostering a ‘culture of awareness’ to foil social engineering attacks

By Elizabeth Judd

When a growing number of community bankers hear the name “Zeus,” instead of envisioning a Greek god they think malware. They think of snooping viral software spreading between computer systems over Internet connections, transferring bad bits and bytes.

That image is appropriate enough. But increasingly the spread of dangerous malware isn’t necessarily occurring when computer systems talk to each other. It’s happening more often when one human talks to another.

That up-close and personal approach to computer hacking is often called “social engineering,” in which one person talks another into making a security mistake that lets malware in, explains Mark Eich, the managing principal of the information security team at CliftonLarsonAllen LLP, a consulting firm in Minneapolis. This fall Eich led an ICBA webinar on the topic, one that he says every community bank should guard against.

Social engineering can involve hackers posing as customers, vendors or even coworkers to trick bank employees into giving up security information or inadvertently taking actions that download malware. While most community banks are aware of social engineering techniques, Eich worries that some are becoming complacent about the threat. Community banks are being increasingly targeted by hackers this way, he says.

“There’s no flyover country for these attacks anymore,” he says. “They’re happening everywhere.”

Assessing the risks

Broadly speaking, there are three ways hackers can use their social engineering techniques for criminal ends: over the telephone, by email and by physically walking into a bank facility where people and computers are located.

Social engineering scams have numerous variations. Over the telephone, a criminal might call a bank employee and identify himself or herself as an IT specialist at one of the bank’s technology outsourcing partners, Eich says. One social engineering ploy is to call a bank employee claiming to be troubleshooting a network problem. During the call the role-playing hacker will try to find a convincing storyline to obtain the employee’s user ID and password. In a common scenario, the criminal tries to convince a bank employee to download a piece of malware that then takes over his or her workstation, assuming administrator privileges.

“If a bank has 30,000 customers and the hacker hits the Holy Grail and steals information for all 30,000 of those, that’s worth a lot of money to organized crime,” Eich explains. “They’ll pay the hacker top dollar for those customer records.”

Some pranking malware causes damage to a computer network, while so-called ransomware locks up an individual’s computer until a high fee is paid to have the computer unlocked again.

Email is the most common vehicle for social-engineering tactics. A hacker might send an email that credibly mimics correspondence from an individual within a bank, inviting the recipient to visit a certain link—what’s known as “spear phishing.” During such an attack, the target bank employee would be led to believe he or she is visiting one site but is instead accessing a completely different site, and quite possibly downloading malware in the process.

Because of the increasing popularity of these scams, Eich advises against bank employees clicking on emailed website links, urging individuals to use a browser to navigate to the desired sites on their own.

Setting boundaries

One way for community bankers to guard against social-engineering attacks is to understand the risks and then establish clear policies and procedures, highlighting what employees are and are not allowed to do. “We teach our users that it’s IT’s job to do software updates and change configurations and settings,” Eich says. “Computer users use and administrators administrate, and never the two shall meet.”

Strong, clear policies also help community bankers should an attack take place and the case land in court. If a bank, for instance, accepts two-digit passwords and a customer’s account is later hacked, courts are increasingly viewing the bank with skepticism. Although legal outcomes in this realm have varied greatly, Eich sees a developing bias for holding banks responsible because they’re presumed to be more sophisticated about security breaches than their customers.

Another way of fending off social-engineering attacks is to hire an outside consultant to simulate an attack. The IT security group at CliftonLarsonAllen, for instance, performs network penetration tests by sending spear phishing emails, making pretext phone calls and even showing up unannounced to see how easily they can gain access to unauthorized areas. From these real-life lessons, community banks learn ways to disarm potential social-engineering threats.

“We’re trying to create a culture of awareness.”
—Mark Eich, IT security expert and ICBA seminar instructor

Awareness is critical because hackers constantly switch tactics, making it difficult to anticipate the next move or adjustment. Eich is therefore convinced that the only lasting solution to this daunting challenge is remaining vigilant. “When it comes to social-engineering attacks,” he concludes, “there is no silver bullet.”

Elizabeth Judd is a writer in Maryland.