written by Chris Griesemer
You and I both know there’s not a Nigerian prince waiting to hand us several million dollars as soon as we send him our bank account numbers and $10,000, but do your bank employees know how to identify a social engineering scammer making a legitimate ask and presenting legitimate information?
As companies and the public become more aware of simple scams like the Nigerian prince, scammers are upping their game and employing social engineering techniques to elicit information out of even well-trained employees. New phishing and vishing scams mean bank employees must be on the lookout for a scam every time they answer the phone or open an email.
What is social engineering?
Social engineering may sound like a job title for the computer techs at social media company, but in reality, it’s something scammers are quickly becoming experts at doing. Social engineering uses emotional techniques to get someone to do something they wouldn’t normally do. The Federal Bureau of Investigation estimates social engineering scams cost U.S. businesses $1.6 billion between 2013 and 2016, and that number is expected to rise.
Scammers who use social engineering target people instead of technology, often creating a scenario that builds rapport and creates a sense of urgency. Self-professed “human hacker” Chris Hadnagy tells BBC News, social engineering “releases certain chemicals in our brain that allow us to take an action we perhaps shouldn’t take.”
A new twist on an old scam
Phishing scams, defined as the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, are nothing new. We’ve all been targeted with a fake email professing to be from our bank or a large retailer, and most bank employees know not to give out customers’ personal information via email.
But new phishing attacks can look like a legitimate customer request, and simply clicking on the email can lead to malware being installed on that employee’s computer. The newest scams are ransom-based where the employee clicks on the link in the email, and virus software locks the computer. The scammers will then request a ransom to release the data.
From phishing to vishing
Vishing is the newest path of attack for scammers. Vishing, or voice phishing, is where scammers are making the most inroads because they target the weakest link in the security chain, humans.
Vishing calls can seem legitimate, with a scammer posing as a customer. The scammer probably has a lot of the right information – name, social security number, address and phone number. And these vishing scammers will also tug on the emotions, creating a scenario where an urgent resolution is necessary.
While technology can solve a lot of security problems, it is well-trained employees who are the best defense. As cybersecurity expert Bruce Scheiner shares:
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
The best defense against both phishing and vishing attacks is vigilant employees. Simple actions like checking the email address and looking at web addresses in emails before clicking on them can prevent most phishing attacks. To avoid vishing scams, banks should require customers to have verbal passwords to use for phone interactions.
Employees should be trained to never give out personal banking information over the phone without the appropriate passwords. Have your employees ask more difficult questions when verifying identity. Instead of asking for mom’s maiden name or the last four digits of a social security number, have employees ask for the last transaction made on the account.
When it comes to your bank protecting its customers’ information from phishing and vishing scams, don’t let your employees be the weakest link. Find out how The Whitlock Company can help you secure your first and last lines of defense when it comes to cyber security through our IT Exams.
Chris Griesemer is a Partner at The Whitlock Company, an accounting firm bridging the gap between traditional and forward-thinking accounting through outsourced accounting and CFO services. Chris brings more than 15 years of experience in Information Technology Security for community banks.