Following the massive JPMorgan Chase security breach last summer, banks around the world have come under increased pressure to improve their protection of user data. Many banks have responded by doubling down on their network security efforts. Nevertheless, bank employees are unintentionally exposing valuable information to hackers, in some cases even laying bare the digital clues that can make a breach possible. In fact, today several banks are testing whether their employees are leaving them susceptible to hacking attacks by falling prey to targeted attacks, or spear-phishing attempts.
In such cases, criminals lure recipients to click on email links or attachments, often containing malware that allows hackers to access passwords or other sensitive information that can expose a bank’s confidential data and private customer information. Hackers increased their use of spear-phishing attacks by 40 percent in 2014, reaffirming the technique’s place as a core tactic and making email security a serious concern for banks and their customers.
According to a new report from Websense Security Labs, the average number of attacks against financial services institutions is 300 percent higher than the number of attacks suffered by companies in other industries. Aside from the obvious financial incentives for hacking banks, criminals seek out financial-services firms because they collect and store the greatest amount of personal customer information, making them a serious target.
What is spear phishing, and why is it so successful?
Using email to infiltrate banks has become a very common tactic for hackers—the average business user sends and receives up to 122 emails a day. All said, 112 billion emails are sent on an average day, according to the 2015 Email Statistics Study by The Radicati Group. Targeted spear-phishing attacks have become the clear weapon of choice for hackers due to their simplicity and effectiveness, accounting for 91 percent of cyber attacks each year.
A spear-phishing attack, or targeted attack, is an email-based attack that targets a specific organization or person, seeking unauthorized access to confidential data. Typically these email messages come from a “trusted source”, often under the guise of a company employee, and more generally from someone with a position of authority. Spear-phishing attacks are often so successful because they’re extremely believable. Spear-phishing emails feature specific references to people and projects that the recipient knows and trusts.
It’s also relatively easy to launch an attack.
A spear-phishing email targeting a bank can be disguised to look like a message from a trusted source, such as a C-level executive or a high-ranking employee. Even a CV sent to Human Resources can create a high-risk spear-phishing opportunity. Other types of spear-phishing emails or messages will typically include specific content, such as a recipient’s full name, account numbers and real bank logos, making the email appear to be legitimate. Emails will also often include personal information garnered from social media outlets, where hackers can gather incredible detail about their targets: who their friends are, who their colleagues are, what their interests are, the list goes on.
When a bank employee clicks on an attachment, they may inadvertently run an exploit, which will install malware that gives hackers access to a bank’s network. Malware (or advanced persistent threats, APTs) gives hackers unauthorized access to a computer, enabling them to steal information. In recent years, fraudsters developed several new versions of banking malware, such as Dyre and Dridex, which infiltrate computers via infected email attachments. Once installed, this malware can bypass strong authentication technologies and collect user information, ultimately providing fraudsters ammunition for their next attack.
Stepping up security
Today, while employees are aware of spear phishing, hackers are still able to craft fraudulent emails that are virtually impossible to catch—even by someone with a trained eye. Last year, according to a survey released by the Association of Corporate Counsel, roughly 30 percent of data breaches resulted from employee error. On average, said the survey, employees opened links or attachments in one out of every five spear-phishing emails.
So, how can banks step up their security to mitigate these threats?
Banks today have gone as far as sending simulated phishing attacks to employees to test and educate them about these very threatening emails. Companies try to teach employees how to identify, report and mitigate spear phishing. The problem is that even the most talented employee may be outsmarted by highly sophisticated—and highly motivated—hackers.
For banks and financial institutions, keeping customer information secure is not just an option—it’s a must. Customers need to feel completely confident that their personal information and financial assets are always secure. That’s why it is very important for banks to stay up to date with current trends and cyber threats and employ a variety of solutions.
Here are some recommendations:
- Make sure employees are properly trained about email and web-based infections. While training your employees will not solve the problem of spear phishing, it can still help. Teach employees about social engineering and the clues of which they should be aware.
- Use a secure email gateway solution that monitors emails being sent to an organization for unwanted content and prevents these messages from being delivered. For instance, Votiro’s Zero-Day Exploit Protection technology scans all incoming files and removes all malicious code, including undisclosed and zero-day exploits, helping banks stay protected.
- Hire the right security professionals. There are still many banks today that hire regular IT (information technology) professionals and put them in charge of cyber security. Today cyber security is a profession, and these are the professionals that should be on guard to anticipate, address and help prevent security threats.
Despite banks’ efforts to protect themselves, hackers will undoubtedly continue to attack banks and chase after their customers’ personal data. While these threats are a certainty, banks have the power to protect themselves and their customers by responding to these threats with the right tools and tactics.