Jan 17 2019

Email Security: What Banks and Credit Unions Need to Know

These best practices can keep financial firms from falling victim to email-based cyberattacks.

Despite the increasing sophistication of cyberattacks everywhere, old-school phishing attacks are still as popular as ever. In fact, their popularity is rising. According to a recent report by Mimecast, 90 percent of organizations saw the number of phishing attacks increase or plateau in the past year. And it’s not just lower-level employees under attack; email-based attacks that target the C-suite — known as whaling — are also on the rise.

“We believe there has been a recent uptick in whaling scams aimed at businesses, and we want to warn companies to alert their employees about this potential fraud,” Katherine Hutt, communications director for the Council of Better Business Bureaus, said in a recent statement.

Many businesses think a spam filter is all they need to protect themselves. Some banks and credit unions operate under that misconception too, and that’s especially dangerous because their assets and employees are among hackers’ most desirable targets.

In December, for instance, researchers from Menlo Labs revealed a new business email campaign that targeted financial companies and spread malware through Google cloud storage.


4 Tips to Improve Email Security for Financial Firms

So, what can financial firms do to keep their email secure?

In a recent article for BizTech, Karen Scarfone, principal consultant for Scarfone Cybersecurity, spelled out four ways businesses can improve this aspect of their security strategy:

1. Protect Vulnerable Sessions: When email client software establishes a session with a server, often it isn’t protected. There are two options to ensure these sessions are encrypted: “Transport Layer Security (formerly known as Secure Sockets Layer), protects all sessions using email protocols, including IMAP, POP and SMTP. Second, using a web-based email service instead of locally installed email client software ensures TLS will protect the web traffic,” writes Scarfone, noting that both options also require strong passwords and multifactor authentication.

2. Check Out Modern Anti-Malware: Threats are evolving, sometimes faster than anti-malware tools can keep up, especially because traditional solutions depend on known patterns or signatures to detect malicious actors. New anti-malware solutions, however, incorporate artificial intelligence or other tools that can detect even unknown threats and help companies stay one step ahead.

3. Monitor the Health of All Email Client Devices: “Automated health checks can flag problematic email accounts and identify emerging security problems — such as end-user systems that use weak security settings or lack OS and email client software patches — and hasten corrective action by the IT team,” notes Scarfone.

4. Incorporate Data Loss Prevention Tools: Often, malicious actors tap email accounts to forward sensitive info outside the company. Data loss prevention tools monitor, detect and stop these threats.
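To make tips 1 and 3 concrete, here is a small added Python example (it is not code from the article or from Scarfone's piece). It builds the hardened TLS context a mail client should use for IMAP, POP and SMTP, and runs an automated health check over a constructed inventory of configured mail accounts, flagging sessions that are still plaintext, that skip certificate validation, that lack multifactor authentication, or that sit on an unpatched client. The inventory records, the device names and the port conventions (implicit TLS on 993/995/465, STARTTLS upgrade on 143/110/25/587) are assumptions made for the example.

```python
import ssl
from dataclasses import dataclass

# Ports on which the protocol is wrapped in TLS from the first byte ("implicit TLS").
IMPLICIT_TLS_PORTS = {"imap": {993}, "pop3": {995}, "smtp": {465}}
# Ports on which the session starts in plaintext and may be upgraded with STARTTLS.
STARTTLS_PORTS = {"imap": {143}, "pop3": {110}, "smtp": {25, 587}}


@dataclass
class ClientSession:
    """One configured mail account on an end-user device (constructed sample data)."""
    device: str
    protocol: str          # "imap", "pop3" or "smtp"
    port: int
    starttls: bool         # client is set to upgrade a plaintext session with STARTTLS
    verify_cert: bool      # client validates the server certificate chain and hostname
    mfa_enabled: bool      # multifactor authentication is enforced for the account
    client_patched: bool   # mail client is at the vendor's current patch level


def hardened_context() -> ssl.SSLContext:
    """TLS context a mail client should hand to imaplib/poplib/smtplib.

    create_default_context() already loads the system trust store, requires a
    valid certificate and checks the hostname; we additionally refuse anything
    older than TLS 1.2.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def session_is_encrypted(s: ClientSession) -> bool:
    """True if the configured port/protocol combination yields a TLS-protected session."""
    if s.port in IMPLICIT_TLS_PORTS.get(s.protocol, set()):
        return True
    if s.port in STARTTLS_PORTS.get(s.protocol, set()) and s.starttls:
        return True
    return False


def audit_session(s: ClientSession) -> list[str]:
    """Return the health-check findings for one configured mail session."""
    findings = []
    if not session_is_encrypted(s):
        findings.append(f"{s.protocol.upper()} session on port {s.port} is not encrypted")
    elif not s.verify_cert:
        findings.append("TLS is used but certificate validation is disabled")
    if not s.mfa_enabled:
        findings.append("multifactor authentication is not enabled")
    if not s.client_patched:
        findings.append("email client is missing vendor patches")
    return findings


def audit_fleet(sessions: list[ClientSession]) -> dict[str, list[str]]:
    """Run the health check over every device; devices with no findings are omitted."""
    report = {}
    for s in sessions:
        found = audit_session(s)
        if found:
            report[s.device] = found
    return report


# Constructed inventory: what an automated health check might pull from device management.
SAMPLE_INVENTORY = [
    ClientSession("laptop-01", "imap", 993, False, True, True, True),    # healthy
    ClientSession("laptop-02", "imap", 143, False, True, True, True),    # plaintext IMAP
    ClientSession("laptop-03", "smtp", 587, True, False, True, False),   # STARTTLS, no cert check, unpatched
    ClientSession("desk-04", "pop3", 110, True, True, False, True),      # STARTTLS POP, no MFA
]

if __name__ == "__main__":
    for device, findings in audit_fleet(SAMPLE_INVENTORY).items():
        print(device)
        for f in findings:
            print("  -", f)
```

In practice the inventory would come from the device-management or mail platform rather than a literal list, and the report would feed the ticketing flow Scarfone describes so the IT team can act on each flagged account.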

Beyond tools, one last important aspect of keeping your financial firm safe from email attacks is education. If employees don’t know what a malicious email attack looks like, how can they respond appropriately to it? Training, communication and a solid cybersecurity culture that encourages employees to report suspicious emails can work wonders for any security strategy.

This article is part of BizTech's EquITy blog series. Please join the discussion on Twitter by using the #FinanceTech hashtag.
