It’s the bad gift that keeps on giving all year long. The holiday season may be gone and Spring may be upon us, but email phishing continues to be one of the greatest threats to financial institutions. You must remain vigilant to protect your institution and, at the same time, be prepared in the event a phishing attempt is successful.
It’s no mystery that phishing is a persistent threat. It’s the number one delivery tool for most malicious software. 91% of data breaches start with phishing. The reason phishing is so widely used is simple—IT WORKS. Targeting people is the most effective way of stealing information and delivering malicious software necessary for additional attacks. There are multiple methods that can be used to attack a network. Attackers would rather not spend time, money, and resources trying to squeeze through the typically small holes that perimeter hardware and software vulnerabilities may offer. Once through that obstacle, they will most likely run into additional layers of security provided a bank has instituted defense in depth. However, with phishing, one well-crafted email sent to one unsuspecting employee can open the gates and let them right in.
Users remain the weakest link in corporate infrastructure security. The use of social engineering to gain access to sensitive information and/or deliver malicious software has had serious consequences in the banking industry and the practice isn’t slowing down anytime soon. According to Symantec’s monthly threat report, numbers are only slightly down, but there is still 1 phishing email per 3,331 emails compared to 1 per 2,109 during the holiday season. As Symantec’s research indicates, the trend has remained steady over the last year.
While phishing email numbers are slightly lower at 1 in 3,588 for the finance, insurance, and real estate industry, the threat remains high.
Phishing scams targeting specific individuals, also known as spear phishing, are the most popular and effective form of phishing. In fact, according to the Symantec Security Threat Report 2018, spear phishing accounts for 71% of malware infection vectors.
Institutions with fewer than 1,000 employees experience phishing attacks most frequently. With a high number of community banks falling in this category, it is imperative to take steps to prevent phishing attacks at your institution.
So how do you help reduce phishing attacks? Can they be prevented? One of the first steps to protect against phishing is to be prepared for the possibility that a phishing attack will be successful. You need to ensure your incident response plans adequately address phishing attacks. Plans should:
- Encourage users to report suspected emails to designated individuals.
- Include steps to isolate and remove the emails identified as phishing emails.
- Address employees who fall victim to a deception and take steps to protect their accounts and access (immediately require the reset of credentials, etc.).
- Continue with isolation, elimination, and forensic investigation of affected systems.
You can take steps to ensure measures are in place to help employees identify emails that come from outside the institution, such as training employees to recognize invalid or lookalike domain names, or configuring the institution's email servers to display a disclaimer on every email that originates outside the organization. This measure makes emails disguised as coming from internal support and/or management much less effective, but it may be less effective against emails disguised as outside vendor support or invoice requests, since those legitimately come from outside and will carry the same banner.
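The external-sender banner described above, as an added example that is not part of the original article or of any particular mail product: a small Python filter that runs on the inbound (internet-facing) mail edge, prepends a warning to the subject and body of every message arriving from outside, and adds a stronger warning when the sender's domain is within two edits of a real institution domain (the kind of typosquat employees are trained to spot). The domain `examplebank.test`, the banner wording, and the three sample messages are constructed for the example. The filter deliberately does not use the From header to decide whether mail is internal, because that header is trivially forged; the caller only passes it mail that arrived from outside, and a message on that path claiming an internal From address is labelled as spoofed.

```python
"""External-sender banner for inbound email, with lookalike-domain warning.

Added illustration; not code from the original article. The institution domain,
banner text and sample messages below are constructed placeholders.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INSTITUTION_DOMAINS = {"examplebank.test"}  # constructed placeholder domain
EXTERNAL_BANNER = (
    "[EXTERNAL] This message originated outside the institution. "
    "Verify the sender before acting on links, attachments or payment requests."
)
LOOKALIKE_BANNER = (
    "[WARNING] The sender's domain closely resembles an institution domain "
    "but is not one. Report this message to IT security."
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquatted domains (l -> 1, rn -> m)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From address, lower-cased; empty string if absent."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str) -> str:
    """'internal', 'lookalike' (within 2 edits of a real domain) or 'external'."""
    if domain in INSTITUTION_DOMAINS:
        return "internal"
    if any(edit_distance(domain, d) <= 2 for d in INSTITUTION_DOMAINS):
        return "lookalike"
    return "external"


def tag_inbound(raw: str) -> tuple[str, EmailMessage]:
    """Banner a message that arrived on the inbound edge; returns (verdict, message).

    Only mail that actually came from outside should be passed here. The From
    header never decides that: an inbound message whose From domain is one of
    ours is reported as 'spoofed-internal' and still gets the banner.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = classify_domain(sender_domain(msg))
    if verdict == "internal":
        verdict = "spoofed-internal"

    banners = [EXTERNAL_BANNER]
    if verdict == "lookalike":
        banners.insert(0, LOOKALIKE_BANNER)

    # Subject tag is visible in every client, even ones that hide the body banner.
    subject = str(msg.get("Subject", ""))
    del msg["Subject"]
    msg["Subject"] = "[EXTERNAL] " + subject
    msg["X-External-Sender"] = verdict  # constructed header name for downstream rules

    # Body banner: handled here only for single-part text messages; a production
    # gateway would also rewrite the text/plain and text/html parts of multipart mail.
    if not msg.is_multipart():
        original = msg.get_content() if msg.get_content_maintype() == "text" else ""
        msg.set_content("\n".join(banners) + "\n\n" + original)
    return verdict, msg


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = (
    "From: IT Support <helpdesk@examp1ebank.test>\n"
    "To: teller@examplebank.test\n"
    "Subject: Password reset required\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Click here to reset your password.\n"
)
SAMPLE_EXTERNAL = (
    "From: billing@vendor-invoices.test\n"
    "To: ap@examplebank.test\n"
    "Subject: Invoice 2291 overdue\n\n"
    "Please remit payment to the new account below.\n"
)
SAMPLE_SPOOFED = (
    "From: ceo@examplebank.test\n"
    "To: cfo@examplebank.test\n"
    "Subject: Urgent wire\n\n"
    "Need this sent before close of business.\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_LOOKALIKE, SAMPLE_EXTERNAL, SAMPLE_SPOOFED):
        verdict, tagged = tag_inbound(raw)
        print(verdict, "|", tagged["Subject"])
```

The edit-distance threshold of two is a deliberately coarse heuristic: it catches single-character swaps and digit-for-letter substitutions but will also flag an unrelated short domain that happens to be close, so in practice the lookalike verdict is best used to quarantine for review rather than to reject outright.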
Comprehensive training is a must. A good starting point for training is providing examples of how to identify phishing emails, samples of actual case studies of attacks, and reviewing bank procedures in the event of an attack. However, true email phishing tests also have proven effective, and periodic testing can help identify employees prone to phishing attacks. Providing informative training based on initial testing as well as continuing education (periodic email reminders, etc.) can aid in reducing the likelihood of a successful attack.
Finally, have reporting procedures in place. Make sure employees are fully confident that they can use the “see something, say something” rule without consequence. Employees and customers should be encouraged to report when they receive suspicious emails. The bank can use this information to further educate all employees and customers as well as provide information to law enforcement and other industry organizations. This action has proven to help reduce the success of identified suspicious emails.
So as long as it continues to pay off, phishing is here to stay. The bad actors will continue to use this method of delivery for the foreseeable future. Unless steps are taken to curb the success rate of email phishing, this gift to the bad guys will keep on giving.