Online Fraud: How Banks Should Respond - Doug Johnson, ABA
So, how should banks respond to this alert and assist their business customers?
Doug Johnson of the American Bankers Association addresses:
Johnson serves as Senior Policy Analyst for the American Bankers Association, where his public policy responsibilities include payments system technology and the relationship between technology, privacy, and security. He also advises the ABA and its members on a variety of other matters, including Social Security reform, real estate brokerage, mortgage finance, and public funds.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about the alert that the FDIC sent out this week about online fraudulent transactions, and we are talking with Doug Johnson of the American Bankers Association. Doug, I appreciate your taking time to speak with me today.
DOUG JOHNSON: Glad to do it, Tom.
FIELD: Doug, the FDIC warned institutions that online cyber gangs are preying upon small businesses in particular and using their banking credentials to siphon their accounts. From your experience with institutions, how prevalent are these fraudulent transactions now?
JOHNSON: Well, Tom, it is hard to get a fix on the exact number, but I think it is safe to say that law enforcement and institutions have really seen the exploit migrate from large businesses to small businesses, and that is the concern. It is a different type of business that might not be as aware of the fraud, and the challenge there is, obviously, to make sure they are aware of the fraud and how to protect themselves.
FIELD: So to this point, what have you shared with your member institutions about this alert, the situation, the trend?
JOHNSON: Well, we have used a variety of mechanisms. Obviously we have a series of email bulletins, for instance, and one actually is going out again this morning that deals with various frauds, and it will contain once again the indication that the FDIC has gone on record as indicating that we need to be careful about our authentication at the business customer level and develop education programs to ensure that our business customers know how to protect themselves.
We have also shared other documents, which are good documents to explain exactly what the exploit is and how institutions can go and ensure that their business authentication procedures are appropriate.
FIELD: So how should banking institutions respond to these alerts and to this alarming trend?
JOHNSON: It is all about education. It is all about ensuring that the business customers are aware that they may be spear-phished -- because that is how this thing starts. It starts very cagily, by the fraudsters, mostly from Eastern Europe, doing some social intelligence associated with the business so they might know who the CFO is, or they might know who someone in HR is, or what have you, or in IT. And then they will send an email, which might be a Microsoft update, for instance, or some other thing which that particular individual would be aware of. The CFO might get something that purportedly is coming from the Better Business Bureau, for instance, things of that nature. And so business customers and financial institutions just need to be aware that an email may look familiar but may not be familiar, and they need to be careful about, and probably avoid in the business setting, clicking on any links that are within those emails.
FIELD: Now, Doug, it seems like we have put an awful lot of emphasis on consumer awareness and consumer protection. What are some ways that banking institutions really can help their business customers to better protect themselves?
JOHNSON: By ensuring that they are aware of the exploit and how to protect themselves, as we just went through. I think that it is not unusual for business customers, in their busy day, to not even think about the emails that they are clicking on, and so, to the extent that you are a small business, ensure that you are aware of that, but also make sure that you are tightening down on your ACH and your wire procedures. It is probably appropriate to ensure that the PC that you are utilizing for those purposes in your institution, or in your business rather, is not connected to things that it does not need to be connected to.
For instance, if PCs are connected to ACH or wire, do they really need to be connected to the overall internet and things like that? I think those things are very important.
FIELD: Well, it sounds fair to say that we will see some outreach efforts coming then.
JOHNSON: Absolutely, Tom.
FIELD: Doug, I appreciate your time and your insight today.
JOHNSON: Very good, have a good day.
FIELD: We have been talking with Doug Johnson of the American Bankers Association. For Information Security Media Group, I'm Tom Field. Thank you very much.