Spear Phishing: How to Fight Back
Why Community Institutions Are at Greater Risk for Attack
Spear-phishing attacks aimed at bank employees are on the rise, and experts say community banks and credit unions are a favorite target for fraudsters.
When banking institution employees are targeted with phishing e-mails, the goal is to obtain their credentials for accessing accounts or internal networks and systems, paving the way for fraud. Hitting employees is more fruitful than targeting consumers because compromising employee credentials can provide access to numerous accounts.
Targeted phishing attacks aimed at bank employees have been steadily increasing, and this is why more attention needs to be paid to employee education and phishing awareness training, experts advise. Stronger authentication is not enough, they warn.
Banks More Targeted
Some 44 percent of financial institutions say targeted attacks aimed against employees increased in the past year, according to Information Security Media Group's 2013 Faces of Fraud Survey. A majority of the 200 survey respondents were from community and regional institutions.
According to the Anti-Phishing Working Group, 720 brands globally were targeted by phishing attacks during the first half of this year, up almost 20 percent from the second half of 2012, says Rod Rasmussen, co-author of a new phishing study from APWG. He is president and chief technology officer of the security firm Internet Identity.
Attacks waged against financial institutions and their brands still account for 75 percent of phishers' targets, Rasmussen says.
"The attackers go where there is the least friction, and that's why they go after community banks," says Jens Hinrichsen, vice president of business development for Versafe, an online fraud protection provider. "Secondarily, so many of these community banks have personal connection with their communities, so they're easier targets. On their websites, they share more information about the people who work at the bank. They have their e-mail addresses readily available to the community, and they generally make themselves more available."
A combination of limited fraud-detection resources and a lack of education about phishing attacks aimed at banking executives and frontline staff has made smaller institutions vulnerable, he says.
Stronger e-mail authentication efforts, such as DMARC - Domain-based Message Authentication, Reporting and Conformance - can help mitigate phishing risks by making it more difficult for fraudsters to craft phishing e-mails that look legitimate, Rasmussen says.
But education about what to look for in a spear-phishing attack, such as e-mails that request an employee open a malicious attachment, is perhaps the best way to mitigate the risks, Rasmussen says.
"When these attacks target employees, they are usually trying to get people to open an attachment, rather than click a link in the e-mail," he says. "This type of attack is definitely on the rise."
Still, Hinrichsen says the financial industry continues to rely too much on authentication and not enough on detection of malware and network intrusions to combat phishing. When an employee's credentials are compromised through a spear-phishing attack, the banking institution needs to have technology in place that can differentiate a genuine user from a fraudster, he says.
"If the credentials have been seized, then you still need to have a system to determine whether this is the right person," Hinrichsen says. "If you assume every employee is probably infected, you need to be able to identify, at the application layer, whether this is a fraudulent attempt to access."
Lack of Awareness
Community institutions often are less aware of the risks associated with targeted phishing campaigns than larger banking institutions, Hinrichsen says.
"The layers of defense for spam filtering are lower for community banks, but it's more than just a technology issue," he says. "Within the organization, especially if it's a small bank, some element of basic phishing awareness would benefit everyone."
But Sam Vallandingham, president and CEO of First State Bank, a $305 million institution in Barboursville, W.Va., argues that community banks are no more susceptible to spear phishing than larger institutions.
"All banks are getting targeted," he says. "It's not just a community bank problem, but we do recognize the need for education."
First State Bank wages simulated phishing attacks against employees twice a year as a training exercise, Vallandingham says.
"We usually always have one or two employees who click on the link or open an attachment," Vallandingham says. "This is why we run these tests regularly, to constantly remind our staff of what these attacks might look like."