Financial institutions often have an uphill climb when it comes to cybersecurity, with a need to proactively secure internal assets and information from unrelenting cybercriminals. However, institutions should also consider taking on a new cybersecurity responsibility—helping clients become harder targets against attacks. Banks invest significant money and effort into securing the institution, but having insecure customers can also have a tremendous impact on reputation, financials and operations.
Many bank clients operate in unregulated and unsecure environments, and do not have an understanding of their potential cyber-risks. Often institutions have liability when a client loses funds in a fraudulent transaction, and even if covered by insurance, those claims and events are often heavily scrutinized by regulators and insurance companies. These events lead to higher insurance premiums, and in many cases the bank often needs to reimburse clients—at a minimum in the short-term—during an investigation.
Banks do typically provide some education to clients about potential cyber-risks, including hard-copy agreements and website bulletins; however, in today’s cyber landscape, that is clearly not enough. Ultimately, a more active effort to help strengthen client environments is beneficial in many ways; it increases client security and performance, builds relationships and customer satisfaction, and reduces strain and potential losses at the bank level.
An effective initiative to help banks protect themselves while also strengthening their customers’ cybersecurity posture starts with a few key internal and external processes:
Outside the bank: Providing better outreach programs
In our experience, banks don’t train customers well in several key areas. A defined, more extensive outreach program could include monthly emails with details about protecting online banking accounts, spotting malicious wire transfer scams and avoiding social engineering attacks.
For example, many clients do not know what social engineering is, much less how to implement effective controls. Your bank can provide an outreach program centered specifically on social engineering, providing helpful advice in emails or a recorded webinar. Potential topics could include:
- How to prepare for email, phone or in-person attacks
- What a potential campaign may look like
- What an attacker could do if an employee was scammed out of their credentials
- What a fake wire transfer request may look like
Banks should also emphasize the importance of dual controls over wire transfer requests in any outreach or training program. Regulatory guidelines dictate that the person within a bank that keys in a wire cannot be the approver; but that same level of control is not mandated for a client. With wire fraud through social engineering so rampant, when a client receives a wire request by email, they should call that person back to get verification.
A common social engineering attack includes an entire fake email chain based upon what a criminal has found online. These attacks are often customized to the target using employee nicknames or commonly used phrases. Without a formal wire approval process, a client’s employees often share account details in a response to those fraudulent emails. Banks have an opportunity to show how important segregation of duties can be, not only inside the bank, but also within the client environment.
For bigger clients, with more money to move and more action within online banking, your bank could offer a 15-minute phone call or webinar to go through the basics of social engineering and wire fraud. A call could serve a dual purpose to help keep those threats at bay, and provide a status check to help the client walk through any problems they are having.
Furthermore, banks should provide guidance on identifying skimming devices or point-of-sale faceplate replacements to collect credit card information. At the end of the day, the bank is often on the hook for reimbursing those charges. Even if the bank is reimbursed through insurance there is still operational impacts, and insurance premiums may increase.
Banks typically have a repayment threshold built into their insurance policy. If a fraudulent transaction is over that threshold, the bank either will have an unhappy customer or they have to make up the difference.
Inside the bank: Strengthening key internal processes
From an internal perspective, many banks are using antiquated or unsophisticated internet and mobile banking platforms. Newer or revamped platforms can provide role-based access controls and other more extensive security capabilities. In the wake of more pervasive attacks, banks with older systems should start moving toward more mature platforms.
For example, many older systems do not require multifactor authentication for online banking. However, at a minimum, any business banking, significant wire volume or high-dollar transactions should include a multifactor authentication processes with at least a text message, phone call or email verification. Ideally, multifactor would be required upon every login—this could be a fingerprint.
Most vendors have multiple software options, but many banks are comfortable with what they have used for years. Unfortunately, core banking systems can quickly become unsupported, minimally supported or sunsetted; some banks will ride them out as long as possible. The industry is so security minded as a whole, but many institutions will use a system with outdated security features or no real-time security activity alerting. That decision could leave a bank on the hook for reimbursing a malicious transaction back to a client.
In addition, many online banking platforms still allow internet-searchable challenge questions, such as a maiden name, high school or a pet’s name. With customers transferring such large amounts of money through online and mobile banking, those platforms need to be designed with more security in mind and more complex authentication processes.
Because of the surge in client social engineering attacks, banks also need to increase focus on their internal controls for web and email filtering. Banks are directly interacting with some very insecure environments, and if a client is compromised, that attack can spread to bank systems without the right oversight and controls.
Many midsized banks lack a significant IT presence; one strong initial protective measure that can be easily installed is a fine-grain email filter. Often, institutions implement a new email system and do not establish the proper security controls, creating vulnerabilities that lead to a breach shortly thereafter. Banks should consider quarantining all links and attachments, and allowing the system to determine if attached files or links are malicious before a user can click on them.
Cyberattacks and fraudulent transactions are not only harmful for bank clients, they also bring internal risk and regulatory scrutiny that no bank wants. The industry as a whole is lacking from an outreach and training perspective, and also should consider internal improvements to help protect client assets and diminish threats.
When you are a small bank, you can call to verify each wire or immediately question any suspicious communication. However, while growth is certainly a positive, expansion makes the risks outlined above even more challenging. Becoming a more active participant in client education and taking steps to address potential internal vulnerabilities can help both your institution and clients become more secure and successful.