Thanks to movies and crime shows, we often think of cybercriminals as antisocial computer whizzes with impeccable typing abilities, an affinity for baggy hoodies and a multimonitor computer setup illuminating their dark hideouts. But instead of focusing on the fraudster's technological knowledge, picture the criminal as a sophisticated persuasion specialist with degrees in psychology and research.
These hackers make a living by using psychological tricks that prey on emotions to obtain information, and unfortunately, business is good. The Anti-Phishing Working Group reported more than 803,756 unique phishing attacks in 2015, of which about 21% targeted financial institutions.
To prepare for the mental manipulation, your institution must examine the emotional tactics used in cyberattacks and formulate a systematic defensive strategy that relies on institutional wariness. Here are three tactics your employees need to use to mitigate the risks.
A Respectful Cold Shoulder
Fraudsters can create elaborate lies to trick unsuspecting victims into disclosing sensitive information. Examples of this tactic include calling into the back office attempting to impersonate account holders to request the movement of funds, reset a password or obtain a temporary access code.
Financial institutions try to prepare employees for these threats, but pretexting is still a very successful means of perpetrating fraud. These fraudsters have an arsenal of information to disarm even the best-trained employee. Because your staff wants to do whatever they can to satisfy the customer, fraudsters exploit that desire to help. Successful fraudsters also use fear to get what they want. They might call into a back office claiming a personal friendship with an executive and threaten the employee's job if their demands are not met. Combat this type of attack by educating everyone in your organization on the threat, not just customer-facing employees. Encourage them to practice respectful uncertainty and to follow the institution's procedures, whatever the circumstance.
By now, we should know to be suspicious of any unsolicited email requesting personal financial information, even if the message appears to come from an entity we trust. Fraudsters prey on our tendency to trust, but they also exploit the carelessness we sometimes show when sorting email. Beware of links embedded in suspicious emails. Consider bookmarking one of the free sites that convert any URL into a PDF and present it back to you, so you can view the content of a webpage before visiting it.
One of the increasingly common scams, often referred to as business email compromise, involves sending carefully crafted emails made to look nearly identical to messages a victim would normally see in his or her own inbox from a known party, such as a colleague or boss. In some cases, the fraudster may have gained access to the employee's email account to send the message, or simply spoofed the sender's address to make it seem legitimate. Either way, the email appears extremely authentic. Social engineers use this type of attack to prey on the victim's fear and obedience: If the chief executive personally tells you to send a wire transfer, what would the consequences be if you didn't follow orders?
The FBI reported that from October 2013 through February 2016, total financial loss in the U.S. due to business email compromise was $2.3 billion.
Protecting against these scams forces you back to the basics: Be wary of irregular emails from C-suite executives, and be wary of urgent wire transfer requests that arrive by email alone. Review emails that request transfers of funds to determine whether the request is abnormal, and confirm funds transfer requests through a second, independent channel as a form of two-factor authentication. Continued education about these scams, along with employee training according to these best practices, is also essential.
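The review step described above, and the link-checking habit recommended earlier for suspicious emails, can be partly automated at the mailbox or gateway so that a human only has to confirm the messages that trip a rule. The script below is an added example written for this article; it is not the author's or Q2's code. It assumes a constructed institution domain (examplebank.test), a constructed list of executive display names, and three constructed sample messages. It flags the signals the text names: an executive's name on an address outside the institution's domain, a Reply-To that diverts the conversation elsewhere, an urgent funds-transfer request in the body, and a link whose visible text names a different host than the one it actually points to. Anything flagged is a reason for the out-of-band confirmation the article calls for, not proof of fraud.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed configuration: the institution's own mail domain and the
# display names an impersonator would most plausibly borrow.
INSTITUTION_DOMAIN = "examplebank.test"
EXECUTIVE_NAMES = {"jane doe", "john roe"}

URGENCY_TERMS = ("urgent", "immediately", "right away", "asap", "before end of day")
TRANSFER_TERMS = ("wire", "transfer funds", "payment", "routing")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(addr):
    """Mail domain of an address, lowercased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    """Hostname a link really points to, lowercased."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def triage(raw_message):
    """Return the list of reasons a message needs human confirmation (empty = none)."""
    msg = message_from_string(raw_message)
    reasons = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # 1. Executive display name on an address outside the institution's domain.
    if name.strip().lower() in EXECUTIVE_NAMES and from_domain != INSTITUTION_DOMAIN:
        reasons.append(f"executive name '{name}' on external address {addr}")

    # 2. Replies would go to a different domain than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_domain}")

    # Gather the text of every text/plain or text/html part.
    parts = msg.walk() if msg.is_multipart() else [msg]
    text = ""
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            text += part.get_payload(decode=True).decode(charset, "replace")

    # 3. Urgency combined with a funds-transfer request.
    lowered = text.lower()
    if any(t in lowered for t in URGENCY_TERMS) and any(t in lowered for t in TRANSFER_TERMS):
        reasons.append("urgent funds-transfer request in body")

    # 4. Visible link text naming a host other than the real target.
    parser = LinkExtractor()
    parser.feed(text)
    for label, href in parser.links:
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", label.lower())
        if shown and shown.group(1) != host_of(href):
            reasons.append(f"link text '{label}' points to {href}")

    return reasons


# Constructed sample messages (no real addresses or institutions).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examplebank-ceo.test>
Reply-To: Jane Doe <ceo.office@mail-forward.test>
To: payments@examplebank.test
Subject: Wire needed today
Content-Type: text/plain

Please process this wire transfer immediately, I am in meetings all day
and cannot be reached. Routing details attached. Keep this confidential.
"""

SAMPLE_PHISH = """\
From: Online Banking <alerts@examplebank-secure.test>
To: staff@examplebank.test
Subject: Verify your account
Content-Type: text/html

<p>Please verify your credentials at
<a href="http://examplebank-secure.test/login">https://www.examplebank.test/login</a></p>
"""

SAMPLE_LEGIT = """\
From: John Roe <john.roe@examplebank.test>
To: payments@examplebank.test
Subject: Q3 vendor payment schedule
Content-Type: text/plain

Attached is the vendor payment schedule for next quarter; no action needed today.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or "no flags")
```

The rules are deliberately simple and keyword-based, so they produce some false positives; that is acceptable because the action on a hit is a phone call to a number already on file, not a block. A real deployment would read the executive list and institution domain from configuration rather than constants.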
Police Social Media Usage
Social media is an attacker's gold mine. From the breakfast they eat to the time frame and location of their next vacation, people willingly share many private details of their lives. Not only do you have to worry about your financial institution's social channels (or the lack thereof), but you should be concerned with what your employees post as well.
Depending on their privacy settings, an employee may unknowingly share sensitive details about your institution. A group photo of co-workers seems innocent enough, but the image could reveal the layout of the back office, or it could be used to individually target those employees.
As for your institution's social channels, the 2013 Federal Financial Institutions Examination Council guidance requires all banks to monitor social media, whether the bank has a formal presence or not. If your institution doesn't have a presence, chances are a fraudster will fake one in your absence, using your institution's logo, mission statement and any other publicly available information to outwit your account holders.
Encourage employees to check their personal privacy settings and create an employee policy for social media usage. Check what your institution is sharing on social media. Read through your posts and think like an attacker: Are there pieces of seemingly harmless information that could actually be useful to someone trying to attack your institution?
Attacks come in many forms and from all angles, and defending against the barrage requires a defense-in-depth strategy. Adhering to company policies is one thing, but developing good security habits is another.
Jay McLaughlin is chief security officer and senior vice president at Q2 Holdings Inc.