By: Mike Detrow, CISSP, Senior Consultant and Manager of I.T.
Assessments show that the human element is always the weakest link in the security chain. It is not uncommon for a community bank to fare well during external network vulnerability scans due to appropriately configured firewall rules controlling inbound traffic and/or limited internally hosted services. While controls may be implemented to mitigate technical vulnerabilities, humans are still susceptible to social engineering attacks such as phishing. This vulnerability may be compounded by community banking values, such as customer service and employee accessibility. One example of employee accessibility is placing employee email addresses on the bank’s website. While it is not a bad practice to provide employee contact information on the bank’s website, placing email addresses directly within a webpage, rather than utilizing a contact form to hide the email address from automated tools and website visitors, simplifies the email address harvesting process.
One of the activities that we perform during the majority of our vulnerability assessments is a social engineering test, where we send a phishing email to the client’s employees to evaluate the effectiveness of the bank’s information
security training program. Through our assessments, we frequently demonstrate the ease with which an attacker can convince multiple employees to visit a malicious link or provide information system login credentials.
Many community banks utilize technology service providers for services such as email hosting, loan documentation, document imaging, and online mortgage applications. These services are often accessed through a web browser. As a result of the phishing emails that we send during our assessments, we are typically able to obtain email login credentials. If the bank is using a hosted email service with webmail capabilities, we can then use the provided login credentials to access an employee’s email account and view any non-public data that the employee has sent or received. You may be thinking, “No worries here, we have a policy that instructs employees not to send customer information through unencrypted email so they are surely following this policy.” Even so, it is very common to see customer information sent through unencrypted email between bank employees and in some cases between bank employees and customers.
Even if no customer information is sent through email, there is still plenty of other useful information within an employee’s email box. Some examples of this useful information include bank policies, employee schedules, and welcome emails with temporary login credentials for accessing web-based services. By obtaining a list of the web-based services available to the compromised email account’s owner, we can now access the websites for these services and use the password reset function which sends a link to the compromised email account to allow a new password to be set. We now have access to this web-based service which will provide access to a significant amount of customer information depending on the type of service provided. In addition, systems that rely on the user’s email address for the purpose of one-time passwords or password recovery would be compromised.
The compromised email account scenario above is just one example of the result of a phishing email. Some other examples of phishing emails include links to malicious websites for the purpose of installing malicious code onto the visitor’s workstation, and emails that instruct the recipient to perform a task such as sending a wire transfer to the attacker.
Phishing Training
While many community banks provide some form of phishing training to employees on an annual basis, this training usually consists of a policy review or a few examples of phishing emails during a presentation. This type of training is not as effective as exposing employees to actual phishing emails throughout the year.
To assist community banks with their employee training program, Young & Associates, Inc. offers a quarterly Phishing Training service. The intent of this service is to simulate real-world phishing scenarios during the normal business day and require each employee to respond individually to the email. Employees that respond negatively can receive additional training from a supervisor or materials can be provided after a link is clicked or after credentials are provided. Unlike do-it-yourself services that require someone at your institution to develop their own phishing scenarios, send emails and monitor the results, our consultants do all of the work. Our consultants will send the phishing emails, monitor the results, and provide a report of the results to your institution’s management team.
Our consultants will work with your institution to develop a customized phishing training program for your employees which will establish:
- Expectations for the training program
- A baseline of the effectiveness of the current employee training program based on the first quarterly email
- A schedule for sending the remaining quarterly emails
- Increases to the complexity of each remaining email
- Development of ongoing training materials
For information about our Phishing Training service, please contact Mike
Detrow at 1.800.525.9775 or click here to send an email.
