Not surprisingly, the banking industry is one of the top targets of hackers using phishing attacks to breach security. And, while safety protocols are built into both internal and consumer-facing banking websites and apps, it is often the human element that fails to detect the scam, resulting in thefts large and small.
One word: money. Access to a bank account or to the internal network of a financial institution is akin to striking gold. Unlike the “old days,” where breaking into a bank involved digging tunnels and having a highly skilled team that included a safecracker, cyber-thieves can do much more damage remotely with very little skill and much less risk; now there are groups operating in the dark web that create malware or password-cracking apps and share or sell them to others.
Similarly, robbing people of their money used to involve using weapons and/or making threats; now, instead of hearing “this is a stickup,” you are more likely to receive an innocuous-looking email that asks you to “reset your password.”
What do most attacks in the banking industry have in common? They all involve standard email communications that, at first glance, seem legitimate: they carry official-looking logos and email addresses, or are personalized in some way. Yet a trained employee could easily have spotted these emails as scams, or at least questioned their authenticity and brought them to the attention of IT or other security professionals.
Aside from addressing the malware itself, banks should think more holistically and treat malware as only one key chink in their anti-fraud armor. These five weak links enable malware and fraud among banks today:
Standard countermeasures such as anti-spam filters and anti-malware protections will usually filter out some of these scam emails; however, they are not foolproof, especially against the most targeted attacks such as spear phishing and whaling. Organizations should therefore adopt a broader approach, which can include: