How to Defend Against Social Engineering Attacks in Banking
One of the most worrying cybersecurity threats for financial institutions and their customers is Business Email Compromise (BEC), in which attackers use social engineering to trick employees into initiating bank transfers to accounts the criminals control. Typically a BEC attack begins with the attacker impersonating someone by email, e.g. the CEO or another C-suite executive, a supervisor, or even a supplier. Once a mailbox has been compromised (or a look-alike domain set up), the criminal can request a business payment that looks legitimate and authentic because it appears to come from someone higher up in the corporate ranks. Staff will usually honor the request; nobody wants to upset the boss. The attacker asks for the money to be wired or deposited so that the transaction looks routine. Variants of the scam target an employee's personal information or tax forms such as a W-2 instead of a payment.
Banks and bank customers are high-value targets for attackers. Many banks are already aware of BEC and have launched programs, such as recovery "kits", to help compromised customers recover faster, but the threat continues to grow. According to a Mimecast report, 85% of organizations believe the volume of email spoofing will stay the same or increase, and the FBI estimated that $1.7 billion was lost to successful BEC attacks in 2019 alone.
There are standard practices that banks and their employees should adopt to reduce the likelihood of a BEC incident. For example, any security expert will tell you that the first line of defense against BEC is to enable multi-factor authentication (MFA) on online accounts. MFA adds a required second step to every login, typically a prompt or one-time code delivered to a mobile device. Codes sent by text message are the most common option but also the weakest, since SMS can be intercepted or redirected through SIM swapping; an authenticator app or a hardware security key is preferable wherever the platform supports it.
Financial institutions should also ensure that the bank's website is served only over HTTPS and that a spam filter is in front of employee mailboxes. Another well-known practice is that employees do not reuse passwords across systems or share them with anyone, and log out after using the bank's website. Institutions still running on-premises Microsoft Exchange servers may be advised to move to Microsoft 365 cloud-hosted email, where patching is handled by the provider and controls such as MFA and Conditional Access are available out of the box.
However, companies need to be aware of much more. Below are additional measures that banks and financial institutions should put into practice to strengthen their defenses against BEC before it is too late.
Consider conditional access
Once MFA and the fundamentals above are in place, financial institutions should evaluate additional layers of security. One of the less commonly used controls is conditional access, which only allows employees to sign in to email from certain geographic locations or from certain (managed) computers. Organizations on Microsoft 365 can use Conditional Access to block sign-ins from countries their users have never been to or do not normally travel to, which shrinks the attack surface even when a password has been phished. For example, if your users do not normally travel to a country far from the United States, such as New Zealand, consider blocking sign-ins from that region. Roll any new policy out in report-only mode first and exclude an emergency-access account, so that a misconfigured policy cannot lock administrators out.
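The following is an added example, not code from the original article or from Thrive, showing the general form of the control described above: rather than blocking one country at a time, it creates a country-based named location for the places staff legitimately sign in from and a Conditional Access policy that blocks every other location. It uses the Microsoft Graph PowerShell SDK; the display names, the single allowed country and the break-glass account UPN are placeholders to adapt to your tenant.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# 1. Named location: countries where staff legitimately sign in (ISO 3166-1 alpha-2 codes).
$allowedCountries = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "BEC - Allowed sign-in countries"   # placeholder name
    countriesAndRegions               = @("US")   # extend as business travel requires
    includeUnknownCountriesAndRegions = $false    # IPs that cannot be geolocated are NOT allowed
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $allowedCountries

# 2. Emergency-access account that the policy must never apply to (placeholder UPN).
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"

# 3. Policy: block all sign-ins that do not originate from the allowed countries.
$policy = @{
    displayName   = "BEC - Block sign-ins outside allowed countries"   # placeholder name
    # Report-only first: review the sign-in log for false positives, then set to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The allow-list shape (block "All" locations except the named one) is deliberate: a block-list of individual countries only covers the places you thought of, while an allow-list also stops sign-ins from countries you never expected and from IPs that cannot be geolocated. Leave the policy in report-only mode until the Entra sign-in log shows no legitimate users would have been blocked.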
Train, train, train your employees consistently
Believe it or not, most banking and financial institutions do not invest the time or effort to train their employees to recognize malicious email. For example, an attacker can find an employee in the finance department through their LinkedIn profile and then send them a steady stream of emails designed to get them to click links and hand over credentials. Once the attacker gets into that mailbox, they download everything and look for vendors or customers with payments due soon. If they find one, they email that counterparty from the compromised account (or from a look-alike domain) with "updated" bank details pointing at an account the attacker controls. These low-tech attacks are very effective. Financial institution and bank employees should be trained on exactly what to look for in a phishing attempt. Awareness programs build the habit of stopping to think when a suspicious email arrives. For example, a vendor asking for a quick change to a routing number that has been the same for years should trigger an alert. A simple phone call to the vendor, placed to a number already on file rather than one taken from the email, confirms or refutes the change and can identify a BEC attack before it becomes catastrophic. These sessions can also cover other methods such as "smishing", or SMS phishing, where attackers send texts instead of emails; this can catch people off guard and lead them to reveal more sensitive information than they otherwise would.
This training should not be a one-off annual event; it should be held regularly, monthly or quarterly. Five to ten minutes of reinforcement training keeps employees informed of new attack patterns as they evolve, and it is short enough that staff stick with it rather than skipping it for a coffee break.
Responding to a successful BEC
Prevention is always key. However, if a mailbox has been compromised, act on two fronts at once. Containment: the organization should promptly change the user's password and revoke the account's active sessions (a password change alone does not end sessions that already hold a valid token), then review every rule in the compromised account, especially rules that forward or redirect mail to external addresses or quietly move messages out of sight; mailbox-level forwarding should be checked as well, since it is configured outside the inbox rules and is easy to miss. Notification: contact vendors and staff immediately, warn them that the account has been compromised and that cybercriminals may use a look-alike domain to change details such as routing numbers, and notify any individuals whose personal data was in the mailbox. The IT or security team should then review all available logs to determine what data was accessed; if the logs are not detailed enough to answer that, assume that all information in the mailbox has been compromised. Finally, conduct a detailed review of how the mailbox was compromised and follow up with training for the individual, as mistakes happen.
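The technical steps of that response, as an added example that is not part of the original article and not Thrive's own tooling: a first-hour triage script for a compromised Microsoft 365 mailbox using the ExchangeOnlineManagement and Microsoft Graph PowerShell modules. The mailbox address and the look-back window are placeholders; the password reset itself is assumed to be done through your normal identity process and is not shown.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module and the Microsoft.Graph.Users.Actions module.
$Mailbox = "a.clerk@contoso.example"    # placeholder: the compromised account
$Since   = (Get-Date).AddDays(-30)      # placeholder: how far back to pull audit records

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 1. Cut the attacker off: invalidate refresh tokens so sessions opened before the
#    password change die too. Do this together with the password reset.
Revoke-MgUserSignInSession -UserId $Mailbox | Out-Null

# 2. Inbox rules that forward, redirect or hide mail are the classic BEC foothold.
$suspectRules = Get-InboxRule -Mailbox $Mailbox | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Deleted|Junk')
}
$suspectRules | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
# Disable rather than delete: the rule text is evidence of what the attacker was hiding.
$suspectRules | ForEach-Object {
    Disable-InboxRule -Mailbox $Mailbox -Identity $_.Identity -Confirm:$false
}

# 3. Mailbox-level forwarding lives outside the inbox rules and is easy to overlook.
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null

# 4. Audit trail: who signed in from where, which rules were created, which items were read.
$records = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -UserIds $Mailbox `
    -Operations "UserLoggedIn","New-InboxRule","Set-InboxRule","Set-Mailbox","MailItemsAccessed" `
    -ResultSize 5000
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{ Time = $_.CreationDate; Operation = $_.Operations; ClientIP = $d.ClientIP }
} | Sort-Object Time | Format-Table -AutoSize
# If no MailItemsAccessed records exist (the tenant's licence may not record them),
# assume every item in the mailbox was read and scope the notifications accordingly.
```

Run step 4 before anything is cleaned up if you can, and export `$records` to a file for the post-incident review; the sign-in IPs and the timestamps of rule creation are what show how and when the mailbox was compromised.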
Preventing a BEC social engineering attack requires effort and commitment from supervisors, IT managers, security managers, employees and the C-suite to avoid losses that can be irreversible and costly. Adopting standard practices such as MFA and HTTPS, enabling additional layers such as conditional access, and maintaining rigorous employee training substantially reduce the risk of a successful attack.
Chip Gibbons is Thrive’s chief information security officer.