Preventing scams in financial institutions

The COVID-19 global pandemic has changed the way we live and work. Across the country, many businesses have closed or are operating at a reduced capacity, millions of Americans lost their jobs, schools are closed, financial institutions closed their lobbies, and the most sought-after items are masks and toilet paper. Overshadowing all of this is the unbelievable death toll in the United States and the world, despite the heroic efforts of health care professionals and first responders.

And yet, for many of us the new normal is not without a silver lining. Working remotely has allowed many to enjoy the comforts of home: no commute, a few extra minutes of sleep, a fresh cup of coffee any time and a relaxed work environment where you can wear pajamas all day. However, these comforts may lead us to be too relaxed and let our guard down when it comes to protecting information and our cyber security responsibilities.

Cybercriminals are attempting to benefit from the current pandemic. The Federal Trade Commission has received more than 18,000 coronavirus-related scam reports and those scams have collectively cost Americans around $13.4 million. It is not surprising scammers are using social engineering and cyber-attacks to take advantage of the panic and misinformation created by this rapidly evolving pandemic, but how do we protect ourselves?

Financial institutions are well versed in these types of attacks and have traditionally trained their employees to handle them. Financial institutions have historically measured the strength of their procedures and staff preparedness though phishing campaigns, pretext calling and physical penetration tests.

With lobbies closed and more staff working remotely, many financial institutions have put their tests on hold. However, as the bad guys are doubling their efforts, is now the right time to back away from testing, or the perfect time to test how vulnerable you might be?

Physical penetration tests require lobbies to be open and fully operational, so unfortunately, we do have to wait for those. On the other hand, social engineering tests such as pretext calling and email phishing should be done now. Financial institutions have been working out of their drive-up and interactive ATMs for a few weeks now and staff is adjusting to the new norm. Customers are still calling in and employees are still communicating electronically, with an even higher reliance on phone calls and emails than ever before. Best of all, aside from a little planning time upfront, these tests would add little to no time to your staff’s workload. Now is the time for social engineering testing.

In addition to running social engineering and cyber-attack tests now, we encourage financial institutions to remind employees of their information security responsibilities and cyber security practices, which should be implemented both at work and at home.

• Use strong passwords – include at least 10 characters, using lower and uppercase letters, numbers and special characters.
• Passwords should be different for all accounts – this way if one of your accounts gets hacked other accounts don’t.
• Use multi-factor authentication for all your accounts, including social media.
• Always lock your computer when you step away from it – even while you are working from home!
• Do not open emails that are not from trusted sources – double check the sender always. Fraudsters may mimic email addresses.
• Don’t give your personal information or banking information to calls you receive – If an offer seems too good to be true, it probably is. Additionally, trusted sources will not call you and ask for personal information.
• Lockdown personal social media profiles – limit who can see your social media and what information is on your social media. Remember, your friends can be hacked too.
• Use different email accounts for different purposes – social media emails, personal information, subscriptions, etc.
• Help stop misinformation – when you receive an email from a friend or see a post on social media with “facts” about the COVID-19 virus, verify these with a legitimate source such as cdc.gov before sharing.

We will never prevent all scams.  Perpetrators get smarter each day, and add new types of attacks, as well as gather more information to allow them to attempt new scams.  Prevention lies in understanding what they are trying to do, asking questions, and continuing to test and educate our organizations.  Given all the recent change, now is the time to consider testing.