Security

5 Ways Banks Can Combat Phishing

The financial sector has become a primary attack vector. Here are some ways to fight back.

More than a third — 35.7 percent — of the 107 million attempts to visit phishing pages halted by Kaspersky Lab technologies in the second quarter of 2018 were related to financial services, the company recently reported.

Customers were targeted primarily via fraudulent banking or payment pages, the report states. Those insights point to the need for consumers to exercise extreme caution when browsing online banking sites. Attacks on financial organization customers, including banks, payment systems and e-commerce transactions, remain a continuing trend in cybercrime. Typically, those crimes result in theft of money as well as personal data.

“The permanence of attacks targeting financial organizations reflects the fact that more and more people use electronic money,” observes Nadezda Demidova, lead web content analyst at Kaspersky Lab. “Still, not all of them are sufficiently aware of the possible risks, so intruders are actively trying to steal sensitive information through phishing.”

While there’s a lot of good information available to help customers improve their security awareness, what can banks do to better protect themselves from ever-increasing phishing threats?

“Phishing techniques are similar across all industries, but it’s clear that some organizations — like banks — can experience more immediate and severe repercussions from a successful attack, just based on the nature of their business and the sensitivity of the customers they support,” says Gretel Egan, security awareness and training strategist for Wombat Security, a division of Proofpoint.

In speaking to Egan and Steven D’Alfonso, a research director at IDC Financial Insights, we developed the following list of five tips for banks and credit unions:

1. Identify Staff Who Have Opportunity and Access

Banks should identify staff members beyond the C-suite and management teams who have access to customer information and other business-critical data and systems, because cybercriminals certainly have, Egan says. Attackers mine social media and public websites, among other sources, to identify key individuals, such as loan officers, before targeting them directly.

2. Get Serious About Security Awareness Training

Employees who transfer funds regularly, manage sensitive data or participate in important business functions need additional training on how to spot and avoid more sophisticated phishing traps, Egan says. Cybercriminals frequently exploit employees’ fear and anxiety to solicit a quick (or unsafe) responses via email targeting. It’s a good idea for users to ask themselves these questions about any email they receive: Was I expecting this message? Does this email make sense? Am I being pushed to act hastily or out of fear? Does this seem too good to be true? What if this is a phishing email?

3. Focus on Public-facing Information

Bank and credit union technology teams should communicate with marketing and C-suite teams about the potential hazards of sharing company details on public channels such as public-facing websites or social media, Egan advises. That can be a double-edged sword in the banking world, where organizations strive to make it easy for customers to contact them, while still offering protection from cybercriminals and social engineers. Egan cautions that if information such as general email aliases, phone numbers, or lists of bank staff and their roles are visible publicly, cybercriminals will use the information to launch phishing attacks. IT staff should monitor all inbound email channels (even aliases) and train personnel who respond to inbound communications to recognize and avoid malicious messages.

4. Deploy Products that Analyze Malwarelike Behavior

Banks should consider deploying tools such as IBM’s Trusteer Rapport, which uses advanced analytics and machine learning to analyze suspicious behavior, increasing the chances that the software will detect and remove malware before it can infect a computer or broader network, IDC’s D’Alfonso says. Many banks now offer Trusteer as a free service for users to download before continuing any e-commerce functions.

5. Consider Continuous Authentication

Behavior biometric products that feature continuous authentication can detect nonauthorized users, such as a fraudster or a bot, D’Alfonso says. Such new tools help users safely authenticate and transfer money or pay bills, while continuous authentication keeps watch during every step of the process.

Staying on top of phishing requires consistent training and adjustments on the part any organization looking to combat ever-evolving threats. And while new behavioral and analytics tools can help, banks and credit unions can also achieve a great deal simply by keeping better tabs on employees and offering frequent training updates.