Crisis Management

How to Defend Against Social Engineering Attacks in Banking


by Chip Gibbons

Cyber threats have fundamentally altered the security landscape of financial institutions. Among the many threats and tactics, Business Email Compromise (BEC) is one of the most common and the most costly. Banks and financial institutions, now more than ever, need to build habitual practices that strengthen their defenses against BEC before it is too late.


One of the most concerning cybersecurity threats to financial institutions and their customers is Business Email Compromise (BEC), in which attackers use social engineering to get employees to initiate bank transfers to accounts the criminals control. Typically, a BEC attack begins with the attacker impersonating someone, such as the CEO or another member of the C-suite, a supervisor, or even a vendor, in an email, either by spoofing a lookalike address or by taking over that person's real mailbox. From that position, the criminal requests a business payment that looks legitimate and authentic because it appears to come from someone higher up in the company. Employees tend to comply with the request; no one wants to upset the boss. The attacker asks for the funds to be wired or deposited in a way that looks like business as usual. The same technique is also used to steal employees' personal information, including tax forms such as W-2s.

Banks and banking customers are high-value targets for attackers. Many banks are already aware of BEC and have started programs, such as recovery "kits," to help compromised clients recover more quickly, but the threat continues to grow. According to a Mimecast report, 85% of organizations expect the volume of email spoofing to stay the same or increase. The FBI estimated that $1.7 billion was lost in 2019 alone to successful BEC attacks.

There are standard practices that banks and their employees should already be following to lower the chances of a BEC incident. Any security expert will tell you the first defense against BEC is enabling Multi-Factor Authentication (MFA) on online accounts. MFA adds a needed extra layer to the login by requiring a second step, usually a unique code sent to the user's mobile device by text or generated by an authenticator app. One caveat: a code delivered by SMS can be intercepted through SIM swapping or phished in real time along with the password, so an authenticator app, push approval, or a hardware security key is the stronger choice wherever the platform supports it.

Financial institutions should also make sure the bank's website is served only over HTTPS (TLS) and that spam and phishing filtering is in place at the email gateway. Another key practice is for employees not to reuse passwords across systems or share them with other people, and to log off after using the bank website. Financial institutions still running on-premises Microsoft Exchange servers should consider moving to Microsoft 365 cloud-hosted email, where the provider handles patching and the platform includes security controls, such as conditional access and audit logging, that are hard to replicate on an in-house server.

However, businesses need to be aware of much more. Below are additional tips that banks and financial institutions need to put into habitual practice to strengthen their defenses against BEC before it is too late.

Condition to Conditional Access 

Once MFA and the other basics above are in place, financial institutions should look at additional security layers. One of the less-used practices is conditional access, where employees can sign in to email only from approved geographic locations or from specific, managed devices. Businesses using Microsoft 365 can set up conditional access policies that block logins from countries their users have never been to or do not normally travel to, reducing the overall attack surface. For example, if your end users normally do not travel from the US to a faraway country such as New Zealand, consider blocking all logins from that region. Keep in mind that location is judged from the source IP address, and an attacker who has already phished a password can route the login through a VPN or proxy inside the US; pairing the location rule with a requirement for a compliant, company-managed device closes that gap.
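To show how these layers combine, here is an added example (not from the article and not Microsoft's code) that models conditional access evaluation in Python. The policy and named-location objects follow the shape of the Microsoft Graph API's conditionalAccessPolicy and countryNamedLocation resources, but the evaluator is a deliberately simplified simulation: the location id, the policy names, and the sign-in scenarios are assumptions, and nothing here talks to a real tenant.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed named location, shaped like a Graph API countryNamedLocation.
# "NZ" is the article's example of a country staff never sign in from.
NAMED_LOCATIONS = {
    "loc-never-travel": {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "Countries staff never travel to",
        "countriesAndRegions": ["NZ"],
        "includeUnknownCountriesAndRegions": True,
    },
}

# Assumed policies, shaped like Graph API conditionalAccessPolicy objects.
POLICIES = [
    {
        "displayName": "Block sign-in from countries staff never travel to",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["loc-never-travel"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Mail only with MFA from a compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["Office365"]},
        },
        "grantControls": {"operator": "AND",
                          "builtInControls": ["mfa", "compliantDevice"]},
    },
]


@dataclass
class SignIn:
    app: str
    country: Optional[str]   # ISO code from IP geolocation; None = unknown
    mfa_satisfied: bool      # True even if the attacker phished the code
    device_compliant: bool   # company-managed device passing compliance


def _location_matches(loc_id: str, country: Optional[str]) -> bool:
    loc = NAMED_LOCATIONS[loc_id]
    if country is None:
        return loc["includeUnknownCountriesAndRegions"]
    return country in loc["countriesAndRegions"]


def _policy_applies(policy: dict, s: SignIn) -> bool:
    """Simplified condition match on state, application and location only
    (the sample policies target all users, so users are not checked)."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and s.app not in apps:
        return False
    locs = cond.get("locations", {}).get("includeLocations", [])
    return not locs or any(_location_matches(i, s.country) for i in locs)


def _control_met(control: str, s: SignIn) -> bool:
    return {"mfa": s.mfa_satisfied,
            "compliantDevice": s.device_compliant}.get(control, False)


def evaluate(s: SignIn, policies=POLICIES) -> str:
    """Return 'blocked', 'denied: <unmet controls>' or 'allowed'.

    Mirrors the real rule that every applicable policy must be satisfied and
    that a 'block' grant control in any applicable policy wins outright.
    """
    unmet = []
    for p in policies:
        if not _policy_applies(p, s):
            continue
        grant = p["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:
            return "blocked"
        met = [_control_met(c, s) for c in controls]
        ok = all(met) if grant["operator"] == "AND" else any(met)
        if not ok:
            unmet.extend(c for c, m in zip(controls, met) if not m)
    return "allowed" if not unmet else "denied: " + ", ".join(sorted(set(unmet)))


if __name__ == "__main__":
    # Constructed scenarios: an attacker holding a phished password and code
    for label, s in [
        ("attacker from NZ", SignIn("Office365", "NZ", True, False)),
        ("attacker via US VPN", SignIn("Office365", "US", True, False)),
        ("attacker, geolocation unknown", SignIn("Office365", None, True, False)),
        ("employee on managed laptop", SignIn("Office365", "US", True, True)),
    ]:
        print(f"{label:32s} -> {evaluate(s)}")
```

Running the scenarios shows the point made above: the country rule stops the sign-in from New Zealand and from an unknown location, but a phished password used through a US VPN only fails because the second policy also demands a compliant device. Note that the device policy is scoped to Office 365, so a sign-in to an application outside that scope passes with no controls at all; this is why production policies are normally scoped to all cloud apps with explicit exclusions.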

Train, Train, Train Your Employees Consistently 

Believe it or not, most banking and financial institutions do not take the time or effort to train employees on how to spot malicious emails. Consider a typical attack: an employee in the finance department is found through their LinkedIn profile and then receives a steady stream of emails trying to get them to click links and hand over credentials. If the attacker gets into that mailbox, they download everything and look for vendors who will be sending or receiving payments soon. They then email those vendors, or the bank's own payables staff, with a new routing and account number. These low-tech attacks are very effective. Employees at financial institutions and banks should be trained to keep a keen eye out for the signs of a phishing attempt, and awareness programs build the critical thinking needed when a suspicious email arrives. For example, a vendor suddenly asking for a quick change in payment details, such as a new bank routing number after using the same one for years, should trigger a warning. A simple phone call to the vendor, placed to a number already on file rather than one given in the email, confirms or exposes the change and can catch a BEC attack before it becomes catastrophic. In these sessions, employees can also learn about related methods such as "smishing," or SMS phishing, where the attacker sends texts instead of emails; the unfamiliar channel can catch people off guard, and they end up giving away more sensitive information than they normally would.
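As an added example (not part of the article), the following Python script applies the indicators described above to a message: a sender domain that is a lookalike of a known vendor domain, a Reply-To pointing somewhere other than the sender, language about changing bank details, and pressure to act immediately. The vendor list, the bank's own domain, and the three sample messages are constructed for the example, and the similarity threshold is a tuning assumption.

```python
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional

# Constructed for the example: domains the finance team has paid for years.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-services.com"}

_ADDR = re.compile(r"[\w.+-]+@([\w.-]+)")
_CHANGE = re.compile(r"\b(new|updated?|changed?|switch(ed)?|revised)\b", re.I)
_BANK = re.compile(r"\b(routing|account|bank(ing)?|wire|ach|remit(tance)?|iban|swift)\b", re.I)
_URGENT = re.compile(r"\b(urgent(ly)?|immediately|asap|today|right away)\b", re.I)


def domain_of(address: str) -> str:
    """Domain part of 'Name <user@host>' or a bare address ('' if none)."""
    m = _ADDR.search(address or "")
    return m.group(1).lower() if m else ""


def normalize(domain: str) -> str:
    """Undo common lookalike tricks so 'acrne-supp1y.com' compares equal to
    'acme-supply.com'. Applied to both sides, so dropping dots and hyphens
    is safe."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                      ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d.replace("-", "").replace(".", "")


def lookalike_of(domain: str, known=KNOWN_VENDOR_DOMAINS) -> Optional[str]:
    """Known vendor domain this one imitates, or None if exact or unrelated.
    0.85 is an assumed threshold; tune it against your own vendor list."""
    if domain in known:
        return None
    nd = normalize(domain)
    for vendor in known:
        nv = normalize(vendor)
        if nd == nv or SequenceMatcher(None, nd, nv).ratio() >= 0.85:
            return vendor
    return None


def assess(email: Dict[str, str]) -> List[str]:
    """Return the BEC indicators present in one message (empty = none seen)."""
    reasons = []
    sender = domain_of(email.get("from", ""))
    text = f"{email.get('subject', '')} {email.get('body', '')}"
    vendor = lookalike_of(sender)
    if vendor:
        reasons.append(f"sender domain {sender} imitates vendor {vendor}")
    reply = domain_of(email.get("reply_to", ""))
    if reply and reply != sender:
        reasons.append(f"Reply-To domain {reply} differs from sender {sender}")
    if _CHANGE.search(text) and _BANK.search(text):
        reasons.append("asks to change bank or payment details")
    if _URGENT.search(text):
        reasons.append("pressures the reader to act immediately")
    return reasons


# Constructed sample messages (no real people, vendors or accounts).
SAMPLES = {
    "vendor lookalike": {
        "from": "AP Team <ap@acrne-supply.com>",
        "subject": "Updated banking details for invoice #4471",
        "body": "We have switched banks. Please send today's payment to the "
                "new routing and account number below.",
    },
    "genuine invoice": {
        "from": "AP Team <ap@acme-supply.com>",
        "subject": "Invoice #4472 attached",
        "body": "Please find attached the March invoice. Terms are net 30.",
    },
    "spoofed executive": {
        "from": "Pat Lee <pat.lee@examplebank.com>",
        "reply_to": "pat.lee.examplebank@mail-example.net",
        "subject": "Quick favor",
        "body": "I'm in a meeting. Wire $48,500 to the new account below right "
                "away and keep it confidential.",
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", assess(msg) or "no indicators")
```

None of these checks replaces the phone call to the vendor; they decide which messages get the call. The lookalike test is the most valuable one, since the "acrne" for "acme" swap is nearly invisible in a mail client's sender column.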

This training cannot be a once-a-year special event; it should recur monthly or quarterly. Five to ten minutes of a user's time keeps the material fresh and keeps employees up to date on the latest lures, especially since attacks are always evolving. Sessions this short and spread out are also easy to stick with, so employees do not lose interest or skip them for a coffee break instead.

Countering a Successful BEC 

Prevention is always key, but if a mailbox has been compromised, the first step is to immediately notify vendors and employees that the account was breached and warn them that criminals may use a lookalike domain to request changes such as new routing numbers. Any individuals whose data was in the mailbox are also affected and should be contacted promptly. At the same time, the organization should change the user's password and revoke the account's active sessions, since a password change alone does not end a session the attacker already holds, and remove any MFA methods or devices the attacker registered. All rules in the compromised mailbox should be reviewed, specifically rules that forward or redirect mail to outside addresses or quietly delete it; attackers create these to hide their correspondence with vendors from the real user. The IT or security team should review whatever logs are available, such as sign-in logs and mailbox audit logs, to determine what data was accessed. If the logs are not detailed enough, assume everything in the mailbox was compromised. Finally, conduct a detailed review of how the email was compromised and provide follow-up training for the individual; mistakes do happen.
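The rule review above is easy to automate once the rules are exported. The Python script below is an added example (not from the article) that reads the JSON produced by `Get-InboxRule -Mailbox <user> | ConvertTo-Json` in Exchange Online PowerShell and flags the patterns BEC actors leave behind: forwarding or redirecting to an outside address, deleting matching mail, filing it into folders nobody opens, filtering on payment keywords, and rule names that are a single dot. The sample export, the bank's domain, and the folder list are constructed assumptions; the property names are the cmdlet's own.

```python
import json
import re
from typing import Dict, List

# Assumed: the bank's own mail domains; any other destination is "outside".
INTERNAL_DOMAINS = {"examplebank.com"}

# Folders a user rarely looks in; BEC actors park vendor mail here so the
# victim never sees the conversation the attacker is holding in their name.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}

# Terms a BEC actor filters on to find invoices and payment threads.
PAYMENT_TERMS = re.compile(
    r"\b(invoice|payment|wire|ach|routing|remit(tance)?|bank(ing)?)\b", re.I)

# Exchange formats recipients as: "Display Name" [SMTP:user@domain]
_SMTP = re.compile(r"\[SMTP:([^\]]+)\]|([\w.+-]+@[\w.-]+)", re.I)

# Constructed sample shaped like `Get-InboxRule -Mailbox <user> | ConvertTo-Json`
# output from Exchange Online PowerShell. The rules themselves are made up.
EXPORTED_RULES = json.dumps([
    {"Name": "Meeting notices", "Enabled": True, "Priority": 1,
     "SubjectContainsWords": ["Teams"], "MoveToFolder": "Jo Smith:\\Meetings",
     "ForwardTo": None, "RedirectTo": None, "ForwardAsAttachmentTo": None,
     "DeleteMessage": False},
    {"Name": ".", "Enabled": True, "Priority": 2,
     "SubjectOrBodyContainsWords": ["invoice", "wire", "routing number"],
     "ForwardTo": ["\"finance\" [SMTP:jo.smith.examplebank@outlook.com]"],
     "RedirectTo": None, "ForwardAsAttachmentTo": None,
     "DeleteMessage": True, "MoveToFolder": None},
    {"Name": "Vendor archive", "Enabled": True, "Priority": 3,
     "From": ["\"AP\" [SMTP:ap@acme-supply.com]"], "MarkAsRead": True,
     "MoveToFolder": "Jo Smith:\\RSS Feeds",
     "ForwardTo": None, "RedirectTo": None, "ForwardAsAttachmentTo": None,
     "DeleteMessage": False},
])


def smtp_addresses(values) -> List[str]:
    """Pull bare SMTP addresses out of Exchange recipient strings."""
    out = []
    for v in values or []:
        for m in _SMTP.finditer(v):
            out.append((m.group(1) or m.group(2)).lower())
    return out


def triage_rule(rule: dict) -> List[str]:
    """Return the reasons a single inbox rule looks like BEC persistence."""
    reasons = []
    for prop in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in smtp_addresses(rule.get(prop)):
            if addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                reasons.append(f"{prop} to outside address {addr}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    # MoveToFolder is reported as "<mailbox>:\<folder>"; keep the leaf name
    folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].lower()
    if folder in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely-viewed folder '{folder}'")
    words = ((rule.get("SubjectContainsWords") or [])
             + (rule.get("SubjectOrBodyContainsWords") or []))
    if any(PAYMENT_TERMS.search(w) for w in words):
        reasons.append("filters on payment-related keywords")
    if not rule.get("Name", "").strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    return reasons


def triage(exported_json: str) -> Dict[str, List[str]]:
    """Map each suspicious rule name to its reasons; clean rules are omitted."""
    flagged = {}
    for rule in json.loads(exported_json):
        reasons = triage_rule(rule)
        if reasons:
            flagged[rule["Name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(EXPORTED_RULES).items():
        print(f"rule {name!r}:")
        for r in reasons:
            print("   -", r)
```

Inbox rules are only one hiding place. The same review should cover mailbox-level forwarding (the ForwardingSmtpAddress and ForwardingAddress properties returned by Get-Mailbox) and any mailbox delegates added during the compromise window, since an attacker who loses the password can keep reading mail through either.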

Preventing a BEC social engineering attack takes effort and commitment from supervisors, IT managers, security managers, employees, and the C-suite to avoid losses that can be irreversible and costly. Through standard practices such as MFA and encryption, additional layers such as conditional access, and consistent employee training, the risk of a successful attack drops dramatically.

Chip Gibbons is the Chief Information Security Officer at Thrive.