Avoiding social engineering attacks is a team effort

Social engineering, a growing type of identity theft, involves fraudsters posing as customers, bank employees or even the CEO. These attacks take advantage of community banks’ personal customer service to obtain confidential information and make fraudulent transactions.

By Katie Kuehner-Hebert

Social engineering is one of the fastest-growing types of identity theft and a major risk cited by bankers in a recent CSI survey. In a social engineering attack, a fraudster poses as someone else to dupe a customer or bank employee into divulging confidential information or conducting a fraudulent transaction.

Customers of $550 million-asset Bank of Idaho in Idaho Falls, Idaho, have been targets of social engineering attempts, says president and CEO Jeff Newgard.

“We had a customer fall for a romance scam, as people are isolated and looking for connection online,” he says. “Once the fraudster gained the customer’s trust, they asked if the customer would lend them money. The fraudster stated they would meet up after the transfer was completed.”

Newgard says one way community banks can help protect their customers is through the relationships they develop with them. Knowing the customer and having the confidence to ask them questions about a suspicious transaction could save them from a loss. Those questions include: “Did they ask for a portion back?” “Is it too easy or good to be true?” “What did they do to earn the money?” or “Have you ever met this person?”

“At the end of the day, customer experience can help mitigate risk,” Newgard adds.

When it comes to educating staff on the topic, Bank of Idaho doesn’t limit its identity theft prevention to a policy or guideline. The IT department and the team as a whole are regularly educated to recognize social engineering fraud.

“We use multiple resources to detect and monitor transactions outside of a customer’s normal banking patterns,” Newgard says. “This system allows us to block suspected transactions as well as alert staff to reach out and have a conversation with our customer.”

And it doesn’t stop there. Externally, Bank of Idaho staff provide extensive educational materials and literature for customers during account openings and via email, social media and their website.

“Having those real authentic conversations in-branch also helps our customers trust our knowledge and authority to ultimately protect their money and well-being,” Newgard says. “The biggest mistake when it comes to cybersecurity is thinking you have a person for that … [and that] it’s their problem. No. It’s a team sport; it’s our problem. We all have to be vigilant and we all have to take responsibility.”

Staying vigilant to fraud

Training is the key to fraud detection and prevention. Employees should role-play different situations across bank channels that could involve social engineering, says Joel Williquette, ICBA’s senior vice president of operational risk policy.

“[Community banks’] No. 1 goal is to help their customer, but they also have to realize that it is not always their customer that they are dealing with,” he says. “That single fact has to stay present in their thoughts throughout the day as they interact with customers via email, in person, [on the] phone and online.”

For social engineers, social networks are a “goldmine” for finding prospective people to masquerade as. It’s relatively easy to find targets’ interests, hobbies, lifestyle and preferred social networks, says Prabhash Shrestha, ICBA’s group executive vice president and chief digital strategy officer.

“Scammers can use public information to make a convincing request to the bank staff by impersonating an executive of the bank,” he says. “Banks can help prevent social engineering attacks by preventing security vulnerabilities around social media, asking staff to be careful of friend requests and keeping an eye on social media privacy settings.”

Kevin Shine, vice president of sales and partnerships at Fraud.net in New York City, recommends that community banks develop protocols to help employees quickly identify red flags. That can be tricky, however, as fraudsters are experts at manipulating bank employees, who strive to provide great service to customers in need. Banks need to implement technologies to facilitate multifactor authentication of high-value bank transactions.

The State Bank of Cross Plains in Cross Plains, Wis., works with both employees and customers to educate and prepare for these issues, says Kevin Piette, chief operating officer at the $1.3 billion-asset community bank. It offers regular communication and training with customers through newsletters, social media, an online education site and discussions with staff, he adds. The bank also offers business customers fraud prevention technology.

“We also have several internal and third-party systems that prepare, monitor and prevent systems access, but the human element is typically one of the most vulnerable access points,” Piette says. “Training on various social engineering scenarios assists employees in awareness and prevention.”

Staff are given protocols for proper identification of vendors and other visitors to the community bank’s facilities. They’re trained on systems alerts and warnings, as well as how to identify red flags in various channels, such as telephone or face-to-face conversations.

“Unfortunately, in today’s day and age, and given the business we’re in,” Piette says, “we need to look at everything and every situation with scrutiny.”

Katie Kuehner-Hebert is a writer in California.