The financial services industry is constantly under siege against would-be fraudsters seeking to exploit vulnerabilities—system or man-made—to launch an attack. One area that has seen a large uptick are social engineering attacks that cause data breaches or security violations.
Social engineering occurs when hackers manipulate employees into disclosing sensitive information and usually involves emails, phone calls, or any communication that provokes a sense of urgency.
The levels of sophistication on these attacks are growing at an alarming rate, forcing financial institutions to heavily invest in resources to avoid financial loss. Social engineering attacks are designed with two main goals in mind:
Here are three major tactics attackers rely on for their nefarious actions:
Phishing attacks are the most common social engineering attack faced by the industry and involves attacks that gain access to your bank’s network or any system that contains sensitive data, such as login credentials.
Once login credentials have been compromised, emails are sent to customers or employees camouflaged as originating from your bank or senior management. In most cases, the tone of the email urges immediate action.
The messages often request that employees update their login credentials because their password will soon expire, or because of a security settings change that requires new software installation. These emails typically contain attachments or links that are corrupted. Because of the sense of urgency, the employee may feel compelled to take immediate action and unknowingly becomes part of a data breach.
Website spoofing occurs when the attacker mimics an authentic website to fool the user. In cases in which emails are sent to employees, more than likely there is a link to the dummy website as well. At a glance it may resembles the true company’s website, but upon closer inspection minor deviations may be apparent.
For example www.icbabancard.org is a legitimate website but an unknowing customer or employee may not notice if a link was sent as www.icbaabancard.org and include an extra “a” between “ICBA” and “Bancard” When the employee fills in their sensitive data on the fraudulent website that they believe is legitimate, the results can be catastrophic.
Physical attacks are caused when someone has walked through the doors of your bank or organization and gains unauthorized access to a computer or other sensitive data. This person can masquerade as a customer, maintenance worker, an outside IT personnel vendor or a marketer.
Without properly identifying the individual, an employee could unknowingly give a hacker access to large swaths of data paperwork that gives detail of a customer’s financial or employment information.
Although social engineering attacks are not new, it is important that banks and consumers stay alert for warning signs and educate themselves on the latest fraud attacks to avoid becoming a victim of a high-risk gateway.
Dina Mickens is vice president of card risk at ICBA Bancard.