Social Engineering Attacks and Banking
A little over a year ago, I spoke at a banking conference. At that time, one of the most concerning areas for the banks and their customers was Business Email Compromise. Banks had started to come up with “kits” for clients that got compromised to help them recover more quickly. Since then, things have only gotten worse.
According to a Mimecast report, 85% of organizations think the volume of web email spoofing is going to remain the same or increase. In 2019, the FBI estimated $1.7 billion was lost due to business email compromise.
There are some obvious things you should be doing.
- Enable Multi-Factor Authentication
- Make sure the Bank (or any website for that matter) is encrypted
- Don’t share your password with anyone
- Log off after you have used the website
But in business, you have to be aware of so much more. Your finance department is on LinkedIn. Everyone knows who they are. They are constantly getting emails trying to get them to click things. Only 1 in 5 companies train their employees on how to spot malicious emails. If someone gets into their email, the first thing they are going to do is download everything. Then, they are going to see if there are any vendors that will be sending you money soon. If so, they will email them with a new routing number. What they do is not overly complicated, but $1.7 billion in losses indicates that this low-tech attack is very effective.
- Always train your employees. And don’t just do it once. Constantly have them do short trainings.
- Ask your vendors and your finance department to call, not email, for confirmation on any routing number changes
- If your email has been compromised, email your vendors. Warn them that you have been compromised and that they might try to use a fake domain to change routing numbers.
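The two technical indicators in the attack described above are a sender domain that imitates a real vendor and a message asking to change payment details. The following triage helper, an added example and not code from the original post, flags both over constructed sample messages and returns the "call, don't email" verdict the list above recommends. The vendor domains, sample emails and keyword list are assumptions chosen for the demonstration.

```python
"""Inbound-mail triage for vendor payment-change requests (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical vendor allowlist; in practice this comes from your AP system.
KNOWN_VENDOR_DOMAINS = {"acme-supply.example", "northwind.example"}

# Phrases that commonly accompany a request to redirect payments.
PAYMENT_CHANGE_PATTERNS = [
    r"\brouting number\b",
    r"\baccount number\b",
    r"\bnew bank\b",
    r"\bwiring instructions\b",
    r"\bupdated? (?:banking|payment) (?:details|information)\b",
]

# Character swaps attackers use to make a lookalike domain read like the real one.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain):
    """Collapse common homoglyph tricks so 'acrne' compares equal to 'acme'."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def edit_distance(a, b):
    """Levenshtein distance; small values between two domains signal a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_VENDOR_DOMAINS):
    """Return the known vendor domain this sender domain imitates, or None."""
    if domain in known:
        return None  # exact match to a real vendor is not a lookalike
    for vendor in known:
        if normalize(domain) == normalize(vendor) or edit_distance(domain, vendor) <= 2:
            return vendor
    return None


def analyze_message(raw, known=KNOWN_VENDOR_DOMAINS):
    """Return findings and a verdict for one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    findings = []
    imitated = lookalike_of(from_domain, known)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like vendor {imitated}")
    mismatch = bool(reply_domain) and reply_domain != from_domain
    if mismatch:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain")
    hits = [p for p in PAYMENT_CHANGE_PATTERNS if re.search(p, text)]
    if hits:
        findings.append("message requests a change to payment details")

    # Any payment-detail change is confirmed by phone; a lookalike or Reply-To
    # trick on top of that is held and escalated rather than acted on.
    if hits and (imitated or mismatch):
        verdict = "block and escalate"
    elif hits:
        verdict = "verify by phone before acting"
    elif imitated:
        verdict = "suspicious sender; review"
    else:
        verdict = "no indicator"
    return {"from_domain": from_domain, "findings": findings, "verdict": verdict}


# Constructed sample messages for the demonstration.
SAMPLE_LOOKALIKE = """From: Accounts <ap@acrne-supply.example>
Subject: Updated wiring instructions

Please use our new bank and routing number for all future invoices.
"""

SAMPLE_VENDOR_CHANGE = """From: Jane <jane@northwind.example>
Subject: Banking update

Our account number changed this month; details attached.
"""

SAMPLE_LEGIT = """From: Jane <jane@northwind.example>
Subject: Invoice 4471 attached

Thanks for your order, the invoice is attached.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_VENDOR_CHANGE, SAMPLE_LEGIT):
        print(analyze_message(sample))
```

The lookalike check is deliberately loose (homoglyph collapse plus an edit distance of two); in a real mail pipeline you would tune the threshold against your own vendor list, and the "verify by phone" verdict is the point: the callback number comes from your records, never from the message itself.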
We only touched upon email in