Phishing: Don’t take the bait

Phishing has become a primary method for cybercriminals to plant malware and ply fraud on unsuspecting bank employees and customers. As their techniques become more sophisticated and their attack surface broader, community banks are finding themselves in the crosshairs.

By Karen Epper Hoffman

In studies and surveys and anecdotes, it is often pointed out that the greatest point of IT security vulnerability in any organization is the one between the keyboard and the chair: the human employee.

Hence, phishing and its more targeted big brother, “spear phishing,” have become primary approaches for attackers who realize that they do not need to possess great hacking skills to get into a bank system. All they need is enough information to craft a somewhat believable email or social media post that will make an unsuspecting employee click on an attachment or a link and trigger a download of malware to their entire network. Indeed, more than half of all phishing scams that target financial institutions are tied to “inadvertent actors” who unwittingly open a malware attachment, according to a recent IBM study.

“The human factor continues to be the target because it is likely to be the most easily fooled,” says Joseph Zazzaro, senior vice president and chief information officer for the $2.2 billion-asset PeoplesBank in Holyoke, Mass. “Since banks can move money so well and efficiently, they continue to be the target for hackers. The risk continues to be high because of the human factor. While nothing new, employees and customers continue to be targeted for the simple fact that they are the best bet for the attack to be successful.”

When it comes to cybercrime, “different groups set their sights on different types of targets,” notes Limor Kessem, global executive security advisor for IBM Security. In general, he says that cybercriminals are always looking for the “lower-hanging fruit, and they will test their tools and schemes against targets they would assume to be less secure or less challenging.”

Kathleen J. Luczynski, senior vice president and chief information officer for $530 million-asset Adams Community Bank in Adams, Mass., points out that “fraudsters go where opportunity and the money is … and they know there’s plenty of it in financial institutions. And although some spread the net as far as they can, others spear phish where they suspect there is more opportunity.” Many of these spear-phishing attacks, she says, take the form of more targeted emails—one that the bank’s CEO seemingly sent the CFO, for example—with the instructions to urgently wire funds. “Read in haste, it could be more effective than a generic email to the CFO,” she says. “Although it is not necessarily the case, fraudsters may be under the impression that smaller banks are not able to have the same levels of security protection as the bigger guys.”

Stu Sjouwerman, CEO of KnowBe4, a security awareness training and simulated phishing platform located in Tampa Bay, Fla., believes that “any company in financial services has a target on its back.” Cybercriminals are moving downstream to community banks, he says, because “they realize it’s harder to penetrate the big 100.”

More recently, targeted spear-phishing campaigns have been directed at small or mid-size community banks, because “these highly sophisticated phishing attempts to steal credentials, information and money from community bank customers can be more successful if staff and customers let their guards down or do not anticipate these attempted scams,” says Dan Lohrmann, chief strategist and chief security officer for Security Mentor, Inc., in Pacific Grove, Calif. “Such people who are not prepared may feel that messages must be real, because hackers wouldn’t send fake emails to our small community bank.”

An old foe
Despite the fact that “phishing is an old foe [that] has been plaguing online users for more than two decades, it keeps working because it preys on human emotion and the urge to act on written information,” Kessem says. Indeed, as he points out, phishing has gotten more sophisticated over the years, both in technical terms and in the visual effect of phishing emails and attack pages.

Luczynski agrees that “spear phishing is becoming more common, whereby the fraudsters know some of the players internally and tailor their phishing emails more specifically to them.” Adams Community Bank was on the receiving end of at least one fraudulent CEO-to-CFO phish, as well as lender-related spear phishing, she says. “Fortunately, we do a lot of education and testing, so these were immediately deleted.”  

Many community banks are not so fortunate. Lohrmann points to $2.6 billion-asset Southern National Bancorp of McLean, Va., which reported to the Securities & Exchange Commission in July 2017 that it suffered a malware attack that gave the attackers access to an undisclosed number of customers and led to roughly $172,000 in fraudulent wire transactions, according to reports.

Among the more advanced techniques bad actors use are “official-looking emails stating that a security incident, such as too many attempts to log on, has locked you out of your account,” Lohrmann says. “It could say: ‘In order to fix the problem, please sign in to your online account.’” The phishing emails typically include a link to connect, “but hovering over the link with your cursor reveals it does not go to your bank but takes you somewhere else first.”

Other tricks include special deals, one-time cash bonuses, lower interest rates or anything else that can get you to click. “Not all phishing scams require clicking,” Lohrmann warns. “Phishing emails may ask you to call a number or send an email with information to an address that seems close to the email name of the community bank but has some different letters.” In addition, cybercriminals can phish via phone calls, text messages or “any other channel that tries to get you to reveal your information or take action,” he adds.

Additionally, the attackers might patiently wait for someone to make a mistake. “They will wait for the opportune time to launch their attacks and may have been in your systems for weeks, months or even years,” Zazzaro says.

Spotting phishers
While phishing has become far too pervasive and lucrative for its perpetrators to be completely halted, there are steps that all community banks can take to better spot and mitigate the risk of these attacks.

According to bankers and industry onlookers alike, employee education should be a top priority. “Community banks, and any organization looking to better their security around the phishing threat, should drive better user education across the board,” says Kessem. “Internally, giving role-based security training to all employees can make a big difference in how the next phishing attack will end.” A security program will become even more effective when test campaigns are launched every so often to remind and refresh employees’ knowledge about the most recent schemes and raise awareness and response to those types of emails, he adds. “Banks should also invest in educating their customers and offer timely information on their website, as well as several ways to report suspicious emails and pages purporting to come from the bank.”

Indeed, some community banks are keeping their staff alert and aware by periodically sending “spoof” emails and tracking how many employees mistakenly click these fraudulent links or attachments to see how their IT security tutelage is sticking. At a conference hosted by the Federal Reserve and the Conference of State Bank Supervisors last fall, Mastercard’s chief security information officer, Ron Green, shared that the card company had instituted a program where it encouraged employees to share suspicious emails they received. In turn, the employees receive “points” based on the threats they uncover, which makes them eligible for a cash bonus.

“It starts with culture and how important this security threat is from the top down,” says Luczynski. Once the culture is set, she says information security employees need to educate all employees about current phishing threats. “We send frequent email updates on the latest attempts we hear about,” she says, adding that they also send phishing emails to test employees as many as five times a month. 

Zazzaro agrees that community banks need to “invest in proper cybersecurity awareness training to help bank employees know how to recognize warning signs and exercise caution. Even then, it is very likely that you will have to deal with a successful phishing attack at some point in time. Remember, all it takes is one click.”

PeoplesBank employees and bank directors complete an annual cybersecurity training; new employees are required to participate at their time of hire. Zazzaro says that bank employees are “continually tested through phishing campaigns, and if someone fails, they are automatically enrolled in additional training.” In addition, he recommends that banks maintain a “multilayer defense.”

8 tips to avoid a phishing attack

1. Stay away from unsolicited email. No matter how tempting a subject, if you did not solicit it, did not make a purchase and were not expecting an invoice or package, report it as spam to your IT department. Then send it to the abuse mailbox of the applicable service provider and delete it from both your inbox and the trash folder.
2. Be especially wary of attachments and examine them for their true extension type. Most email-borne malware is actually an executable file, like an .exe; a container file, like .zip or .rar; or a Microsoft Office spreadsheet or document with macros that, in some cases, run automatically.
3. Have a comprehensive security awareness training program that is constantly updated and covers various phishing scenarios. Ensure that your program is not boring but offers brief, frequent and focused content that is helpful. Make it interesting and fun with gamified content and interactive lessons that teach people things they do not already know.
4. Teach and reteach your employees what to watch out for. Use real examples of fake (phishing) emails or use examples from industry peers in news headlines.
5. Tell your customers what you will and will not do. For example: You will never call them on the phone to verify their account number or passwords.
6. Test your employees with phishing campaigns that use common techniques. Offer positive examples as well as rewards for catching the mistakes.
7. Include phishing FAQs on your websites, newsletters and other materials. This example from Start Community Bank can help:
8. Change things up. Don’t stay with the status quo. Use updated materials and cover phishing as a part of your wider mission and training on other technology topics. —Karen Epper Hoffman
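The tells this list and the earlier quotes describe (a link whose visible text and real target disagree, a sender address a few letters off from the bank's own domain, an attachment whose true final extension is an executable, an archive or a macro-enabled Office file) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the article or from any bank it quotes; the sample sender, link and filename are constructed, and the extension list and two-letter lookalike threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Attachment types the article calls out: executables, archive containers,
# and Office documents with macros (macro-enabled extensions). Assumed list.
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".rar", ".docm", ".xlsm"}
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", re.I)


def hostname(text):
    """Lower-cased host of a URL or bare domain; None for plain words like 'click here'."""
    text = text.strip()
    if not DOMAIN_RE.match(text):
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host.lower() if host else None


def link_mismatch(display_text, href):
    """True when the visible link text names one host but the href goes elsewhere."""
    shown, real = hostname(display_text), hostname(href)
    return shown is not None and real is not None and shown != real


def edit_distance(a, b):
    """Levenshtein distance, enough to catch a sender domain that swaps a few letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_sender(sender, bank_domain, max_distance=2):
    """True when the sender's domain is close to, but not the same as, the bank's."""
    domain = sender.rsplit("@", 1)[-1].lower()
    bank_domain = bank_domain.lower()
    return domain != bank_domain and edit_distance(domain, bank_domain) <= max_distance


def risky_attachment(filename):
    """True when the final extension is risky, e.g. 'wire_instructions.pdf.exe'."""
    _, dot, ext = filename.lower().rpartition(".")
    return dot != "" and "." + ext in RISKY_EXTENSIONS


# Constructed sample (not a real message): lookalike sender, mismatched link, double extension.
SAMPLE_FROM = "alerts@examplebnak.com"
SAMPLE_LINK = ("https://examplebank.com/login", "http://login-verify.example.net/x")
SAMPLE_ATTACHMENT = "wire_instructions.pdf.exe"
```

Each function returns a boolean so the checks can be wired into a mail gateway rule or a user-reporting triage script without depending on one another.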

Karen Epper Hoffman is a writer in Washington state.