United States

Protecting your financial institution from social engineering attacks

Not all cyberattacks come through cyberspace


When you think of cyberattacks, your first thought may be of high-tech hacking attempts, but some threats are far simpler. Social engineering attacks are designed to trick your employees into granting access to systems or divulging information that helps attackers gain that access through low-, or often no-tech means.

Consider this example. A hacker drops a USB drive in your bank’s lobby, maybe with a note taped to it that says “grandma’s birthday pictures.” A well-meaning employee picks it up, assuming it belongs to one of your customers, and plugs it into one of your computers, hoping to find information that will help them return it. And maybe it really has pictures of a birthday party on it. But it also has malicious code that has now opened your system to attack.

Social engineering attacks can come in many forms—by phone, email, snail mail, in person or through social media. So it’s important that you train your employees to be wary. Following are some effective strategies for combating social engineering.

  • Telephone attacks. Social engineering phones calls often involve an attacker pretending to be a member of your own organization, a customer or another party, such as a vendor, presenting what seems to be a valid request for information. For example, a common scam is a call that purports to be from your information technology (IT) vendor, claiming that there is an issue with the employee’s computer or security credentials. The number on the employee’s caller ID may even match your IT vendor’s number—attackers can use spoofing devices to hide the number they are actually calling from. The employee is then duped into giving the fraudster information that grants them access to the system. But not all threats are that direct. Attackers often make a series of calls, gradually gathering the information they need to appear more credible to the next caller. The call alleging to be from your IT department could simply ask the employee to “confirm” that they are running a specific program, which gives the attacker one more piece of information they need about your systems. So what can employees do? Train them to understand that every phone call could be an attack. They should be on guard when they get a call from anyone they don’t personally recognize, especially if that person starts asking for information or if the call deals with an area with high exposure, such as a wire transfer. One effective defense? Simply ask to call them back at the number the bank has on file for that contact. Whether the caller purports to be a co-worker, a customer or a vendor, your institution should have a contact number for them. By calling them back at that number, employees can ensure they are talking to the right party. Also, there is certain information employees should never give out over the phone, such as account numbers and passwords.
  • Email attacks. Attackers can pose a variety of questions via email to either trick employees into granting direct access to your systems or to gain information about your personnel, technology or operations that they can then use for further attacks. Hackers also use emails to trick employees into clicking on links that can launch attacks on your system. Again, the key is vigilance. Train employees to realize that every email could be an attack and to be particularly suspicious of emails asking for information, even if the email seems to be coming from a trusted contact. Unlike a phone call, where the employee would recognize the voice of that contact, an email shows only an address. That address can be spoofed, or that party’s account could have been hacked. Just as with phone calls, and easy and effective defense is to write back, but not by replying to the email. Instead, write a new message directly to the address for that contact confirming that the request is from them. In the case of a suspicious message from a trusted contact, for instance, a request from a co-worker for information that you know that co-worker already has, call them or talk to them directly.
  • Social media attacks. Attackers can use social media to gather a wealth of information about an individual or target that they can then use to lend legitimacy to other social engineering attacks. As employees increasingly use platforms like LinkedIn for networking, the amount of information they can inadvertently reveal increases. For example, an employee in your IT department might list the specific applications he has experience with at your bank, which could provide valuable insights into your IT security to an attacker. Train employees not to reveal information that could damage your security on their social media profiles. Attackers also can use social media to slowly build trust with a targeted contact. Remember, that stranger you’ve been exchanging messages with on LinkedIn for the last six months is still a stranger. Finally, attackers can use social media to gain a wealth of information about someone that they can then use to lend credence to their other social engineering attacks. Employees should realize that just because a caller says he went to school with Bill and played on the lacrosse team with him doesn’t mean that caller actually knows him.
  • In person attacks. Attackers can actually walk in to your bank in person looking to breach your security—the USB drive example earlier is just one example. Attackers can pose as customers claiming to have lost their wallets and try to gain access to account information. They have posed as utility workers claiming they need access to utility areas due to an emergency or to perform regular maintenance. Having specific procedures in place at your branches for dealing not only with customers but utility workers, vendors and others will prepare your employees to deal with these attacks.

Social engineering attacks are a real threat, but, with some basic training, they are a threat that can be controlled. For too many banks, though, training is a once-a-year activity that employees come to see as a formality. Periodic training refreshers throughout the year, along with bulletins that share known attack methods, will help keep employees on their toes. Also, when it comes to training, don’t forget your executives. They aren’t immune. In fact, when it comes to social engineering, they are often in the position to do the most damage.



Financial Institution Insights
delivers news and information critical to community banking professionals. The bi-monthly newsletter tackles issues ranging from IT security to regulatory compliance to operational improvement.

Compliance News
Compliance news for the banking and investment industry. Gain insights about the latest compliance news and how it will affect your business.