What good could possibly come from breaches at major retailers that exposed millions of Americans to potential card fraud? The silver lining for U.S. financial institutions is that the breaches at Target, Neiman Marcus and Michaels have woken up their customer base to cybersecurity threats.
With nearly every media outlet reporting the grisly details, there has never been a better time to educate commercial account holders about the risks associated with online banking, particularly phishing attacks.
Consumer awareness will help firms implement the educational programs on corporate account takeover mandated by the Federal Financial Institutions Examination Council, because account holders are now sure to be active listeners. Corporate account takeover (CATO) is a type of business identity fraud in which malware is used to infect the machines of account holders to capture login credentials, hijack online banking sessions and commit electronic wire fraud. To help combat this type of fraud, the FFIEC recommends that banks educate their commercial account holders on how CATO attacks work, the exposure risk, recommended minimum security standards and the types of insurance coverage available to them to cover fraud losses.
The Target breach began when an outside vendor fell victim to a phishing attack and entered its network credentials into a malicious website controlled by hackers. This gave hackers authorized access to spread their malware onto point-of-sale servers and systems. This tactic is analogous to corporate account takeover attacks because online banking credentials are essentially authorized access into a bank's network.
A long-held belief in IT security is that the easiest and least detectable way to gain unauthorized access into a system is to leverage someone else's authorized access. The consequence for online banking is that account holders have that authorized access and, thus, are and will continue to be the most attractive target for cybercriminals. Why would hackers bother learning how to pick a commercial-grade safe when users can be tricked into simply opening the door for them?
Unfortunately for banks and their customers, the phishing attacks that started the Target breach are alarmingly successful. Verizon's data breach report shows that if attackers send out just ten phishing emails, they have a near 100% chance of at least one victim clicking the embedded link or opening the attachment. Making matters worse, half of those clicks will occur within the first 12 hours.
There are several reasons phishing attacks still work. First, embedded links in phishing emails inherently want to be clicked. After all, humans are curious by nature and that is exactly what links were designed to do: pique their curiosity. It takes training to resist the habit of following a link or opening an attachment.
Second, hackers are refining their techniques; phishing attacks are looking more and more legitimate. Lastly, while banks have invested a lot of resources into educating business clients, particularly their accountants and bookkeepers, on phishing attacks, not all employees at these firms receive training on online banking. This creates additional risk, because the Target breach demonstrates that it only takes one user being tricked into giving away credentials to open the door to the entire network. All employees at a company should be trained on phishing attacks, not just its online banking users.
The number of news stories focused on cyber-breaches demonstrates not only that mainstream media is becoming more comfortable delving into technical topics, but also that there is an eager audience awaiting that information. Major retailers across the country have paid the tuition, in full, for the education of each and every online banking user. There has never been a better time to educate online banking users on the threats that exist, the countermeasures available to them, and how critical they are in the fight to deter fraud.
To properly educate customers, banks should use a multifaceted approach that appeals to different learning styles: whitepapers, seminars/webinars, interactive web games and threat overviews. A best practice is to alert the customer base to new threats at least every other month, to keep security top of mind.
Ryan Elmer is the national director of eBankSafe, a fraud-deterrence line designed to mitigate the risk of corporate account takeover and electronic wire fraud.