Back in the 1990s, phishing criminals masqueraded as Nigerian princes, lottery directors and attorneys for deceased tycoons, toting the email equivalent of a suitcase full of millions. All you needed to do was provide your bank account digits and “wealth” was on the way. It still happens today, the dead giveaways coming via salutations such as “Hello, my dear!” or the misspellings of simple words such as “chek” [sic].
While you’d be hard pressed to find scores of innocent folk falling for that malarkey in 2018, phishing “phraudsters” have changed with the times. And for even the smartest of bank employees, the news is hardly good.
Cunning criminals now scout social media and company websites to gather relevant information—then disguise themselves as superiors, co-workers, vendors or clients. They can create emails that appear so real and believable, even security systems alone cannot detect them. Fake emails from the CEO may have tweaked addresses that evade the recipient’s casual glance: a middle initial inserted or deleted, or a domain address altered ever so slightly.
While technology can help detect and root out some of these emails, security experts say humans offer the last and best line of defense in the fight against phishing.
Social engineering, attack by design
Phishing—the practice of sending phony emails from “trusted” sources to gain sensitive information or system access—has progressed from haphazard to a hack hazard. Through a strategy called “social engineering,” hackers research social media, press releases and company websites to create compelling emails with all the right information.
A clever malefactor needs only a few minutes’ research to create a “very believable” email, says Stu Sjouwerman, founder and CEO of KnowBe4. “It’s the very same type of people doing this type of CEO fraud today. They have morphed and evolved into launching a much more sophisticated kind of attack that is relatively easy to pull off.”
So how does CEO fraud work, exactly? True to its name, someone poses as the company chief executive and gives orders to move money from bank to hacker. Belgian bank Crelan lost more than $75 million in 2016 when a hacker posed as the CEO and instructed a finance department worker to wire the funds overseas.
Criminals are also hitting community banks, as they perceive them as less secure.
“It’s getting ridiculous,” says Theodore Tomita III, senior vice president and chief technology officer at Catskill Hudson Bank in Kingston, New York. “It seems like the emails attempting to get in are getting more sophisticated and more frequent.”
He should know. Most attacks targeted at Catskill Hudson appear to come from the chairman or Tomita himself.
“They often appear to come from me, with all kinds of requests,” Tomita says.
Seeing through a C-suite attack
It shouldn’t be surprising that the financial services industry represents a prime target for phishing attacks. Carbanak, a global hacking group, has stolen more than $1 billion from banks in more than 40 countries by spreading malware through phishing, according to the European Union Agency for Law Enforcement Cooperation.
Carbanak sent bank employees spear phishing emails (so named because they target specific individuals and companies) that mimicked letters from legitimate companies as a means to burrow into ATM servers. The only thing that has managed to slow them down was the March arrest of the hacker gang’s leader. Meanwhile, another cabal known as Silence has ripped some pages from Carbanak’s playbook, hitting roughly 10 banks as of November.
Hackers typically direct phishing emails against banks to the comptroller or other executives, with the goal of manipulating them into making transfers at the urgent request of the CFO or CEO. One common tactic is to monitor an executive on social media—then wait until they’re on a business trip and send an email to a subordinate to ask for a favor.
“They’ll say it’s urgent,” Sjouwerman says. “‘We’re in the process of a takeover and it’s confidential. You’re going to be called by someone from the SEC… and in the meantime, I need you to do this.’”
Poorly designed phishing emails are often easy to spot; they may come from a different email address, a person the employee typically doesn’t communicate with, or sound completely out of character. But the insidious ones are much harder to detect: They include personal, credible information.
And if the hacker has compromised the executive’s email, the message can come from the actual account.
They’ll ask employees to visit a website, open a document or, as in the above example, take some sort of action. Other missives pose as emails from Microsoft that ask the employee to update their password or other information.
Fishing for phishing
Banks aren’t exactly defenseless, though. Technologies that include SaaS (Software as a Service) combine phishing detection and remediation. Other counter-weapons include DMARC (Domain-based Message Authentication, Reporting and Conformance), a protocol that lets a receiving mail server check that a message really was sent on behalf of the domain shown in its From address. DMARC is easy to implement and can catch most basic phishing messages—though it can’t identify emails when hackers compromise an internal email server and send messages from the company’s domain itself.
Training bank employees to spot such emails is essential, and there are several red flags to look out for:
- senders the person ordinarily doesn’t communicate with
- emails sent in the middle of the night
- misspelled words
- hyperlinks to different websites
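The red flags above, together with the lookalike executive addresses described earlier (a domain altered ever so slightly, a display name borrowed from a real superior), can be turned into a simple mail-screening check. The script below is an added example written for this article, not code from KnowBe4, Catskill Hudson Bank or any product mentioned here; the bank domain `examplebank.test`, the contact list, the misspelling list and both sample messages are constructed, and the 22:00–06:00 “middle of the night” window and the UTC time zone are assumptions.

```python
import re
from datetime import timezone
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed values: the bank's own domain and the people an employee normally hears from.
BANK_DOMAIN = "examplebank.test"
KNOWN_CONTACTS = {
    "Theodore Tomita III": "t.tomita@examplebank.test",
    "Board Chairman": "chairman@examplebank.test",
}
# A small, constructed list of misspellings that tend to show up in fraud mail.
COMMON_MISSPELLINGS = {"chek", "urgant", "recieve", "confidental", "transfered"}

# Constructed sample: display name of a real executive, domain altered by one character,
# sent at 02:14, misspelled words, and a link whose visible text differs from its target.
SAMPLE_EMAIL = """\
From: "Theodore Tomita III" <t.tomita@examp1ebank.test>
To: payments@examplebank.test
Date: Tue, 06 Nov 2018 02:14:00 +0000
Subject: urgant wire - confidental
Content-Type: text/html

<p>Please chek the attached and wire today.
<a href="http://examp1ebank.test/portal">https://examplebank.test/portal</a></p>
"""

# Constructed sample of an ordinary internal message that should raise no flags.
CLEAN_EMAIL = """\
From: "Theodore Tomita III" <t.tomita@examplebank.test>
To: payments@examplebank.test
Date: Tue, 06 Nov 2018 10:30:00 +0000
Subject: Loan committee agenda
Content-Type: text/plain

Please review the attached loan file before our meeting.
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def lookalike_domain(domain, trusted=BANK_DOMAIN):
    """True when the sender domain is not the bank's but differs from it by only a few characters."""
    if domain == trusted:
        return False
    return SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def odd_hour(sent, start=22, end=6):
    """True for messages sent between 22:00 and 06:00 (bank time zone assumed to be UTC)."""
    hour = sent.astimezone(timezone.utc).hour
    return hour >= start or hour < end


def misspellings(text):
    """Words from the constructed misspelling list that appear in the text, sorted."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(words & COMMON_MISSPELLINGS)


def mismatched_links(html):
    """Anchors whose visible text is a URL that differs from the real href target."""
    out = []
    for href, text in LINK_RE.findall(html):
        shown = text.strip()
        if shown.startswith(("http://", "https://")) and shown != href:
            out.append((shown, href))
    return out


def red_flags(raw):
    """Return the list of red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    sent = parsedate_to_datetime(msg["Date"])
    body = msg.get_payload()
    flags = []
    if addr.lower() not in KNOWN_CONTACTS.values():
        flags.append(f"unknown sender address: {addr}")
        if name in KNOWN_CONTACTS:
            flags.append(f"display name '{name}' belongs to {KNOWN_CONTACTS[name]}")
    if lookalike_domain(domain):
        flags.append(f"lookalike domain {domain} (bank domain is {BANK_DOMAIN})")
    if odd_hour(sent):
        flags.append(f"sent at {sent:%H:%M} UTC")
    bad = misspellings(msg.get("Subject", "") + " " + body)
    if bad:
        flags.append("misspellings: " + ", ".join(bad))
    for shown, href in mismatched_links(body):
        flags.append(f"link text {shown} actually points to {href}")
    return flags


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, red_flags(raw) or "no red flags")
```

The constructed fraud message trips all six checks, while the ordinary internal message trips none. A check like this is only a first filter: a message sent from an executive’s genuinely compromised account, at a normal hour, with clean spelling and no links, passes every test here, which is exactly why the article’s advice to confirm unusual requests by phone still applies.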
But the only way to sniff out a highly sophisticated phishing attack is to call the supposed sender directly and confirm the message.
Catskill Hudson Bank has taken a “non-stop defensive strategy” to raise employee awareness on the issue, Tomita says. The bank has also instituted a policy that says if the message doesn’t address something the chairman, president or Tomita previously asked an employee to do, they cannot move ahead without verbal confirmation. Tomita and others in the C-suite even send out their own dummy phishing emails to test employee awareness.
“If they do click on the link, we know and then we give them more training and show them how they could’ve prevented that phishing attack,” Tomita says. “You have to continually test them.”
Ultimately, most experts say the best, most effective phishing defense leverages employee awareness. “You need to train your employees to verify with the CEO that these things are legit,” Sjouwerman says. “It should be perfectly fine to say no to the CEO.”
By email, that is.
Craig Guillot is a business writer who specializes in retail and finance. His work has appeared in such publications as the Wall Street Journal, CNBC.com, Bankrate.com and Better Investing.