Investment firms and financial companies are constantly under the microscope of regulatory agencies to prove that adequate security controls are in place to protect sensitive client data and accounts.
To most CEOs, that means adhering to ISO/IEC 27001, an information security standard followed by more than 130 countries and advocated by Kurtosys. The outlined policies, procedures and implementation of security-specific technology are designed to cyber-proof their computer systems.
While this standard certainly plays a key role in preventing cybercriminals from gaining access to and stealing identities and investment funds, it simply isn’t enough in today’s inter-connected digital world.
The fact that a giant like J.P. Morgan Chase & Co. has doubled its security budget to $500 million, and that Bank of America has declared it has no financial limits on fighting cybercrime, just goes to show that we have a long way to go toward winning this war.
It’s not just private enterprises forking over big money; the US government plans to invest $19 billion for cybersecurity this year, up from $14 billion in 2016.
But is it all necessary? Now, don’t get me wrong: financial companies definitely need to install firewalls at every network connection, run software that can detect a possible breach and alert IT, and buy whatever other security measures money can buy.
If you ask Kevin Mitnick, once a professional hacker on the FBI’s Most-Wanted List and known for popularizing the term “social engineering,” people are the weakest security link, not technology.
“All of the firewalls and encryption in the world can’t stop a gifted social engineer from rifling through a corporate database,” he said. “If an attacker wants to break into a system, the most effective approach is to try to exploit the weakest link—not operating systems, firewalls or encryption algorithms—but people. You can’t go and download a Windows update for stupidity… or gullibility.”
As Mitnick said, “It takes one to know one.” He was once convicted of several computer-related crimes, including hacking into Pacific Bell’s voice mail computers and copying proprietary software from some of the country’s largest cell phone and computer companies. Today, he is Chief Hacking Officer at security awareness training site KnowBe4. Businesses now hire him and The Global Ghost Team™ to protect against hackers and to test their systems’ vulnerabilities to attack.
“Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he isn’t, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology,” he said.
This type of attack was used in March 2016 when someone sent a spear-phishing email to the former chairman of Hillary Clinton’s presidential campaign that eventually put sensitive campaign emails into the hands of WikiLeaks.
While social engineering attacks can come via phone, online, social media and internally, it’s the sheer number of emails we send and receive that makes this the most popular avenue among hackers.
Digital Marketing Ramblings reports that around 205 billion emails are sent per day worldwide, with 2.3 percent of them containing a malicious attachment.
Bad guys are generally not trying to exploit technical vulnerabilities in Windows. They’re just trying to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content, said Mitnick.
Only about 3 percent of malware tries to exploit a technical flaw. The other 97 percent is trying to trick a user through some type of scheme, he added.
Called Business Email Compromise (BEC), this particular scam has caused at least $3.1 billion in total losses to some 22,000 enterprises around the world over the past two years, and the figure is still growing, according to the FBI. BECs target businesses that regularly perform wire transfer payments or work with foreign suppliers.
What might be the biggest BEC attack of 2016 on a single company targeted Wall Street technology firm SS&C Technology. The company reportedly completed six fraudulent money transfers totalling $6 million from the Tillage Commodities Fund, a US investment firm, three of which went overseas.
A lawsuit filed by the Tillage fund alleged that SS&C Technology failed to verify the legitimacy of the transfers and processed payments without requesting the necessary paperwork. Considering sending funds to foreign entities was something the Tillage fund had never done, the Wall Street tech firm should have known better, according to the lawsuit.
As it turns out, the whole ordeal could have been prevented had employees not been negligent. Call it lack of knowledge or carelessness; either way, it’s why BEC scams and other social engineering tricks work. They simply make it easier for attackers to infiltrate a system without having to use more sophisticated tools and methods.
Here’s another costly example: In February 2016, hackers used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system of Bangladesh’s central bank systems to submit 35 payment requests to the Federal Reserve Bank of New York. They transferred $101 million to bogus accounts in the Philippines’ Rizal Commercial Banking Corporation and a Sri Lanka-based financial institution. The New York Fed became suspicious and denied 30 of the requests, but not before the release of $81 million to a foreign exchange broker.
While security should be largely the responsibility of the IT department, employees should still be the first line of defense. Commit to educating and training employees according to your company’s best practices. And, make it clear that part of their responsibilities as employees is to stay vigilant and defensive against potential attacks.
Here are 10 tips from security firm Trend Micro for avoiding BEC scams:
- Be on the lookout for out-of-the-ordinary emails sent with urgency from C-suite executives, especially if one involves fund transfer requests. CEO fraudsters usually register a domain similar to their target’s. If the target e-mail is [email protected], a scammer may use a variation such as [email protected] or slightly change the spelling into [email protected]
- Question any e-mails with subject lines that imply urgency regarding payment inquiries or fund transfers such as: Payment – Important, Payment Notice, Process Payment, Quick Request, Fund Payment Reminder, Wire Transfer Request or Bank Transfer Enquiry.
- Verify any changes in vendor payment location by using a secondary sign-off by company personnel.
- Stay updated on customers’ habits, including the details of and reasons behind payments.
- Confirm requests for transfer of funds by using phone verification as part of a two-factor authentication process. Use known familiar numbers, not the details provided in the email requests.
- If there are indications of a compromise, report the incident immediately to law enforcement or file a complaint with the IC3.
- Instead of clicking on Reply, use the Forward feature and type in or select from your contacts list the e-mail address of the person you’re replying to. This is to ensure that you are not replying to a spoofed address.
- Have mail security solutions in place. The tricky part with e-mails used in BEC scams is they don’t necessarily carry a malicious payload. With that being said, it’s advisable to go for solutions that not only detect dangerous attachments but also have social engineering correlations and a context-aware approach to email detections.
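As an added example that is not part of the original article or Trend Micro's material, the following Python script applies three of the indicators above (a lookalike sender domain, a Reply-To that points somewhere other than the sender, and the urgent payment subject lines) to a constructed message; the trusted domain, the similarity threshold and the sample headers are assumptions.

```python
import difflib
from email import message_from_string, policy, utils

TRUSTED_DOMAIN = "example-fund.com"  # assumed: the organisation's real mail domain
URGENT_SUBJECTS = [  # subject lines named in the tips above, lower-cased
    "payment - important", "payment notice", "process payment", "quick request",
    "fund payment reminder", "wire transfer request", "bank transfer enquiry",
]

def sender_domain(header_value):
    """Extract the lower-cased domain from a From/Reply-To header value."""
    addr = utils.parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower()

def lookalike(domain, trusted=TRUSTED_DOMAIN, threshold=0.8):
    """True for domains close to, but not equal to, the trusted domain
    (e.g. a swapped character or an inserted letter). Threshold is assumed."""
    if domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= threshold

def bec_indicators(raw_message):
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    from_dom = sender_domain(msg["From"])
    if lookalike(from_dom):
        hits.append(f"lookalike sender domain {from_dom}")
    # Replying to a spoofed mail goes wherever Reply-To points, not to From.
    reply_to = msg["Reply-To"]
    if reply_to and sender_domain(reply_to) != from_dom:
        hits.append("reply-to domain differs from sender domain")
    subject = (msg["Subject"] or "").lower()
    if any(phrase in subject for phrase in URGENT_SUBJECTS):
        hits.append("urgent payment subject")
    return hits

# Constructed sample message: a "1" replaces the "l" in the sender domain.
SAMPLE = """From: "Chief Executive" <ceo@examp1e-fund.com>
Reply-To: ceo@mailbox.example
To: cfo@example-fund.com
Subject: Wire Transfer Request

Please process this today, I am stuck in meetings and cannot take calls.
"""

if __name__ == "__main__":
    for hit in bec_indicators(SAMPLE):
        print("indicator:", hit)
```

A hit on any indicator is a reason to confirm the request out of band, as the phone-verification tip above describes.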
Finally, here are some very simple guidelines from the “takes one to know one” guy, Kevin Mitnick, for protecting yourself or your business from attacks.
- NEVER use any kind of public network (hotel, restaurant, transport etc.) even when travelling.
- NEVER open ANY PDF file on anything other than your desktop and only once scanned (but even then some malware might pass anti-virus).
- Anybody using the same private network as you MUST apply rules #1 and #2; otherwise there is a breach.
All of the above tips and guidelines may not result in complete prevention, but they should reduce your exposure—in conjunction with the proper training for employees, that is.
The threat landscape for financial institutions has changed considerably since the DDoS attacks of 2012. Watch this webinar with Rich Bolstridge, Chief Strategist, Financial Services, at Akamai Technologies for an overview of how the definition of “adequate cybersecurity” has shifted.