Hackers hack. It’s what they do. To some of them it is just a game. They want to see how much they can get away with, without getting caught. Hackers, or cybercriminals, use a variety of methods. They are creative. They are relentless. They keep trying until something works. Unfortunately for community banks, the game simply isn’t fair. You have to defeat them every single time to be considered successful. They, on the other hand, only have to score on you once to win the game. If they are successful it will cost you money, damage your reputation, draw attention of regulators, and leave a wound that may never heal.
Cybercriminals Don’t Play by the Rules
Remember when you were a kid and your older brother would change the rules while you were in the middle of playing a game? That’s how cybercriminals act. They’ll try anything to win. Since cybercriminals use several different methods to breach your defenses, your community bank must use several layers of security to counter attack. All attacks launched at you include some element of technology as do all the defensive maneuvers you deploy to defeat each attack. However, one unique battlefront in this cyber war is not all that “cyber” after all - people. Yes, people. YOUR people. The employees at your community bank are the layer most vulnerable to attack. Criminals have figured out how to use tricks and deploy some crafty psychology (social engineering) to manipulate your employees and pull off a successful attack. If, and when, they find success attacking the people layer your technology defenses may ultimately be too little too late.
Phishing is their Favorite
Cybercriminals have dozens of methods, but phishing is their favorite. Why? Nearly every employee has an email address, so they can target nearly everyone. Setting up and deploying a phishing email is very easy. And, it only requires human error or curiosity to catch someone of guard. Technology isn’t of much help.
14 types of phishing, as described by syscloud
In a recent attack, phishing emails targeted anti-money laundering officers at multiple financial institutions. The clever email was personalized, mentioned the Patriot Act and appear to be a from fellow anti-money laundering officer from another institution and included an attachment masquerading as a case report.
Even the Playing Field
Since the game is rigged in their favor, you have to fight fire with fire. If cybercriminals are using phishing to attack bank employees, then use your employees to fight back. Phishing awareness and defense are everyone’s responsibility not just IT. How do you fight back? Training. Testing. Practicing. You need to know which employees need help, and which employees need access rights limited or removed. The more your employees learn about phishing, the more effective they will be in your overall cybersecurity stance.
What to do if You’ve Lost the Game
If the cybercriminals score on you, the game isn’t over. You still have time to react. If you think you’ve been breached as a result of phishing, then follow these steps:
- Inform all employees immediately
- Isolate and contain the breach
- Kick start your disaster recovery protocol, etc…
- Forward suspected phishing emails to firstname.lastname@example.org – If the phishing email impersonates a company or other organization, you should contact them as well so they are aware.
- Another place you can report to is the Anti-Phishing Working Group. This group includes security providers, financial institutions, law enforcement agencies and internet service providers and exists to fight phishing. You can email them at email@example.com.
Game Over? Sorry, it Never Ends
The “game” will never stop. As long as you have valuable data, the cybercriminals will attempt to steal it. They’ll keep on innovating and deploying new methods of attack. So, you have to keep testing, training and practicing to keep them out!
Never think “we’re good” or “we’re done” – you’re not. In a recent engagement with a community bank, Finosec conducted a simulated phishing attack on all 61 community bank employees. An astonishing 24 employees fell for the attack and clicked on the link in the email they received. Fortunately the link lead to a Finosec landing page that informed them of the dangers of phishing and provided a training video.
Introducing Finosec PhADER
Since phishing is so popular and difficult to defeat, Finosec offers a solution to help your community bank educate, train and arm employees to fight back. Finosec PhADER is built specifically for community financial institutions and tailored to your needs.