Spear-Phishing: What Banks Must Do
Current Efforts to Protect Employees from Fraudsters Inadequate
And the final results of Information Security Media Group's 2013 Faces of Fraud Survey confirm that the financial services sector is among those seeing the increase in targeted phishing attacks.
Phishing attacks aimed at banking institution employees are up over last year, 44 percent of the survey's respondents say. In fact, spear-phishing is becoming more common across the globe, says Dave Jevans, chairman of the Anti-Phishing Working Group, a global consortium dedicated to responding to cybercrime. He's also founder and president of online security and authentication provider Marble Security, formerly IronKey.
In the financial services sector, fraudsters are using spear-phishing to target specific employees who have broad access to accounts. If they can get those employees to click on a bad link, they can plant a Trojan and use the malware as a gateway to draining accounts.
Education Comes Up Short
Internal education campaigns are having some impact on spear-phishing awareness, Jevans says. "What they will do is phish their employees once per year and measure their response rates," he says. "If someone does click on a link, it's an educational moment. Those trainings are effective. But I would say we have a long way to go on that effort."
Another survey finding that Jevans found alarming is that 57 percent of banking institutions don't know what types of Trojans may have contributed to fraud losses they suffered in the last year. "The big banks often know, but the little guys still don't know what is hitting them," he says. "It's a little surprising to me that the number was so high. Because after all of these years of training and talking about Trojans and malware, you'd think the industry would be more educated."
Independent financial consultant Tom Wills says education is the best way to mitigate spear-phishing risks. But few banking institutions have perfected their educational efforts targeted to employees and customers, he contends.
"It continues as a major problem," Wills says. "Education is the only truly effective control, but it is very underutilized."
Too many bank employees "fail to understand how much they make themselves a target," says Troy Pugh of IBM Financial Crimes, a former executive at Bank of America. "Banks are doing internal education, but we can never say they are doing enough of it."
When it comes to spear-phishing, the challenges are multiplied, he says, "because these e-mails often come - or seemingly come - from a trusted person."
And it's not just entry-level employees who fall for these schemes, Pugh says. "At BofA, we launched an internal phishing campaign to see who would click on a link in an e-mail that appeared to come from the bank," he says. "Even with the higher executives, we still had several of them who clicked on it."
Pugh says the greatest obstacle all organizations face, when it comes to thwarting spear-phishing, is changing user behavior. For example, individuals reveal too much about themselves on social networks, and they too often click malicious links, he says.
"The biggest challenge we have is that we continue to put our lives online," Pugh says. "Facebook is predominantly the easiest way to gain information about individuals, and then there is LinkedIn and Ancestry.com, where fraudsters access accounts and bypass the security measures."
Users are not careful about whom they allow into their social networks, and fraudsters exploit that weakness.
"If I have a blocked or a restricted profile on LinkedIn, for instance, why would they try to target me, especially when they can go to the guy next to me who has pretty much the same profile yet everything is open?" Pugh asks. "The attackers are going to target the easy ones."
And now these targeted attacks are not just aimed at PC-based e-mail, he says. "You've got smishing attacks that are as prominent as phishing attacks are," Pugh says.
Smishing attacks, which are aimed at mobile devices, are, at least in part, to blame for the uptick in spear-phishing, experts say.
From 2011 to 2012, smishing attacks in Europe increased 1,700 percent, Pugh says. From 2012 to 2013, the increase so far is 614 percent, he adds.
Though smishing attacks have not reached the same levels in the U.S., Pugh predicts similar attack increases here within the next 12 to 24 months. "Generally, we see fraud trends go east to west. So we will see robust growth in smishing in U.S., I predict," he says.
Wills, the consultant, points out that most institutions don't believe they are adequately prepared to handle phishing of any kind. The survey shows only 31 percent say they are well-prepared to detect phishing attacks.
"Preparation to handle phishing is surprisingly low ... after all these years of increasingly effective phishing threats," Wills says.
E-mail authentication initiatives, such as DMARC - Domain-based Message Authentication, Reporting and Conformance - can help reduce phishing, but they're not a cure-all, Jevans notes. DMARC has made it more difficult for fraudsters to craft phishing e-mails that look legitimate. But unless all e-mail providers and hosting companies adopt DMARC, it won't be effective, he contends.
"E-mail authentication helps, but I would say we have a long way to go on that effort," Jevans adds.
For more about spear-phishing and other fraud schemes, see the webinar: Survey Results: 2013 Faces of Fraud.