Phishing for trouble
EDITOR'S NOTE: Jonathan Bilyk is a freelance writer.
For Kevin Streff, there is no substitute for human training when it comes to cybersecurity. And repetition.
For more than a decade, Streff, founder and president of South Dakota-based cybersecurity consulting firm SBS Security and a professor at Dakota State University, has worked with businesses of many varieties to design and implement solutions to safeguard company networks, information and customers. By Streff’s count, his company’s products can be found in about 950 banks across the U.S.

But no matter how good cybersecurity technology may be, malicious hackers – “the bad guys,” as Streff describes them – will never stop working until they find a way in. All too often, Streff said, the true gaps in the firewall are emails – or more precisely, the human beings who receive these malicious emails. Often employees simply are too busy or are unaware of the danger these emails pose. The result can be exposed company secrets, an authorized transfer of large sums of money or even hackers gaining access to the confidential information of thousands or even millions of customers.

“You can have the best tech in the world, but by itself, it’s not enough,” Streff said. “Your employees are busy being productive, serving your customers, so this isn’t at the top of their mind. You have to train them.”

The scheme is called phishing, and it’s nothing new. Through the years, it has taken many forms. Phishers traditionally have taken a scattershot approach, sending out countless emails containing malware and waiting for an unsuspecting victim to take the bait, click the link and download the malware to their device. Phishers then gain access to information they can use to steal an identity, hack a bank account or profit in some other way.

Phishing has led to some of the largest data breaches in history, at massive corporations such as Target, JP Morgan Chase and Home Depot. In 2016, information hacked from Panamanian law firm Mossack Fonseca, commonly known as “the Panama Papers,” exposed secrets of many of the most powerful people in the world.
In many cases, such theft of data or resources began with a single email, opened by an employee or executive, somewhere, said Andrea Hoy, president of the board for the Information Systems Security Association and founder of information security consulting firms A. Hoy & Associates and Sense1 Security. And today, the trend is only worsening, she said. “It’s incredible what’s happening today,” Hoy said.
The Anti-Phishing Working Group, a nonprofit international industry association founded in 2003, which monitors and reports on phishing activity with an eye toward helping businesses counter the threats, reported that the breadth of phishing activity appears to have ebbed a bit through the first nine months of 2016. The APWG noted American businesses and individuals had logged a little more than 1.1 million “unique phishing reports” during the first three quarters of 2016, a decrease of about 7.5% compared to the first three quarters of 2015. The ID Theft Resource Center reported phishing and related attack techniques now account for more than half of all cyberattacks.
Phishing reports
Spear phishing
Streff and Hoy said the slight dip in activity last year could belie a change in tactics, as phishers move away from widespread, shotgun-style spam phishing and pick their targets more carefully, using a technique commonly known as “spear phishing.” Under this technique, spear phishers use publicly available data to pinpoint a particular business or institution to target, and then select individual marks they believe will be able to get them the information or access they need to complete the hack. They then send emails, text messages or some other communication to the marks, and persuade them to freely provide credentials, such as usernames and passwords.

Not surprisingly, Streff and Hoy noted banks and other financial service institutions have become increasingly popular targets for such tactics. In 3Q 2016, the APWG reported financial service institutions were the target of 21% of all phishing attacks, behind only the retail sector, which drew 43% of the activity.

“Why banks? It’s like the bank robbers say, ‘That’s where the money is.’ And now many can, literally or figuratively, rob the bank without ever even needing to pick up a gun,” Hoy said.

Common targets for such spear phishing attacks include the financial institutions’ information technology professionals and executives, including CEOs and CFOs. But other targets could even be particular loan officers or even tellers, depending on the skill of the hackers and what they seek, Streff said.

“It’s like hitting a baseball,” Streff said. “You don’t have to bat 1.000 to succeed. If you get one of every three or four (targeted), you’re doing pretty well for yourself.”

Under such attacks, hackers could steal data or money, or, using malware known as ransomware, lock executives out of critical data and systems until a large sum of money, or ransom, is paid or some other demands are met. Such attacks also could be used by particularly malevolent actors to cripple banking systems or other key networks.
In response to such attacks, banks and financial service institutions have thrown up email filters and other technological countermeasures. Many have followed industry guidance and upgraded their email authentication protocol to the standard set by Domain-based Message Authentication, Reporting and Conformance, or DMARC.
Employee training
Hoy and Streff said they believe the best investment banks and others can make in fighting off phishing attacks is to train their employees to not only know what phishing is, and its risks, but also to know what a phishing attack may look like in real time.
To that end, they encouraged institutions and companies of all sizes to enlist outside help that can deploy simulations periodically to test the system, detect weaknesses and create a plan to help them plug the holes.
“At airports, we’re told now that if we see something, say something,” said Hoy. “That’s how it should be for everyone who handles information. If you notice something seems odd in an activity log or something seems off about your computer, say something.
“It may be nothing. Or it may be everything.”
In the last two years, many of the largest names in finance, including Bank of America, Discover Financial and Wells Fargo, have moved toward strengthening their DMARC policies, either quarantining or rejecting outright potentially fraudulent and risky email. Hoy and Streff applauded such steps, but said phishers can still find ways to fool even the best systems.

They noted that as mobile platforms increasingly predominate, leading to more transactions being conducted on devices connected to possibly unsecured Wi-Fi, the ease with which hackers and phishers may be able to obtain critical information only will increase. “We’re putting out these apps, and I’m not so sure we’re paying as much attention as we should to review the code and make sure it’s secure,” Hoy said.

Streff noted hackers also will begin to exploit vulnerabilities in the more mundane devices now wirelessly connected and controlled via the so-called “Internet of things.” Hackers, for instance, could use a phishing attack to gain control of a company’s heating or cooling system, and then issue demands to be satisfied before handing control back to the company, he said.
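The article twice mentions DMARC, first as the authentication standard banks have adopted and then as the policy that lets them quarantine or reject fraudulent mail. The difference between a monitor-only record and an enforcing one is where the protection actually lies, so the following Python script is added here as an illustration; it is not from the article or from any firm named in it. It parses DMARC TXT records as they would be published at `_dmarc.<domain>` and grades how much enforcement each provides. The domain names and records are constructed samples, not real DNS lookups.

```python
"""Grade DMARC records by enforcement strength (added example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample records; the domains are placeholders, not real DNS data.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:reports@partial.example",
    "strong.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:reports@strong.example",
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC at all
}


@dataclass
class DmarcPolicy:
    policy: str             # p= tag: none | quarantine | reject
    subdomain_policy: str   # sp= tag; per RFC 7489 it defaults to the p= value
    pct: int                # share of failing mail the policy is applied to (default 100)
    reporting: bool         # whether aggregate (rua=) reports are requested
    strict_alignment: bool  # adkim=s and aspf=s, i.e. exact-domain alignment


def parse_dmarc(record: str) -> Optional[DmarcPolicy]:
    """Parse a DMARC TXT record into its policy tags.

    Returns None when the text is not a usable DMARC record: it must start
    with v=DMARC1 and carry a p= tag with a recognised value.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return None

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    pct = max(0, min(100, pct))

    return DmarcPolicy(
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        pct=pct,
        reporting="rua" in tags,
        strict_alignment=tags.get("adkim", "r") == "s" and tags.get("aspf", "r") == "s",
    )


def grade_policy(record: str) -> str:
    """Return one of: missing, monitor-only, partial, enforced."""
    pol = parse_dmarc(record)
    if pol is None:
        return "missing"
    if pol.policy == "none":
        # Reports are generated, but spoofed mail is still delivered.
        return "monitor-only"
    if pol.pct < 100 or pol.subdomain_policy == "none":
        # Enforcement applies to only part of the mail, or subdomains are left open.
        return "partial"
    return "enforced"


def audit(records: Dict[str, str]) -> Dict[str, str]:
    """Grade every domain's record; the result is what a defender would review."""
    return {domain: grade_policy(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, grade in audit(SAMPLE_RECORDS).items():
        print(f"{domain:18s} {grade}")
```

The point of the grading is that a `p=none` record is an upgrade in visibility only: receivers send reports but still deliver mail that fails authentication. A record with `pct` below 100, or with subdomains left at `sp=none`, is also a partial step. Only `p=quarantine` or `p=reject` applied to all mail and all subdomains delivers the quarantine-or-reject behaviour the article credits the large banks with adopting.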
Hackers use phishing emails to steal data, penetrate networks
© 2017 OnCourse Learning Corp. All rights reserved
By Jonathan Bilyk