Hey Chuck, A bank I used to work for had a bad scare recently – they got hit with ransomware!! Best they can tell, an email attachment was the culprit. That bank is very similar to my current bank, and I thought they had a solid Information Security program while I was there. As the Information Security Officer this has me worried that we might be next! What kinds of threats are you seeing with email these days? And what can we do to make sure we aren’t the next victim?
This is a huge topic to cover, so I’m going to answer each question in a separate post. Let’s start with your question on threats.
It Only Takes One
Cyber criminals are constantly probing email systems looking for the easiest “score” at the lowest cost. Most criminals know that bank employees are the weakest link in the security chain, and if they can trick just one employee to open an attachment or simply click a link, they stand a very good chance of bypassing multiple layers of security. In fact according to the FDIC, a phishing attack of just 10 emails yields a greater than 90% chance that at least one person will become the criminal’s prey. This is a very real threat to your information security.
Best Practices for Control and Management of Your Community Bank’s IT
Because the employee is the weakest link, email attacks almost always have a social engineering element. It is all too simple to masquerade as someone else in an email, and malicious emails often appear to originate from legitimate senders. From there, attackers prey on human factors such as fear of monetary loss, eagerness to please (particularly effective with anyone in the customer service area), or simple curiosity to compel their victims to open an attachment or click on a link.
While no two attacks are the same, email attacks generally fall into a few different categories:
This is the most common type of attack financial institutions face. In the strictest sense, phishing emails are designed to trick recipients into disclosing sensitive information like usernames, passwords, account numbers, and social security numbers. This definition has expanded in recent years to describe the type of messages being sent. These days, phishing emails are a cheap and common malware delivery method. Cyber criminals employing a phishing campaign aim to cast a wide net by crafting a generic message that could apply to most of their recipients, hoping that even a small percentage of recipients are fooled. Phishing messages can range from extremely rough to highly polished, but are generally not customized to the specific recipient.
While phishing attempts focus more on quantity, spear-phishing and whaling (aka whale phishing), are more targeted attacks. Spear phishers put in the effort to learn about their intended victims, and construct their malicious emails with this Intel in mind. Messages appear to come from individuals or vendors familiar to the recipient, and are often crafted to closely match the aesthetics and even timing of emails normally received from that outside party. These custom-made malicious emails are often of higher quality than simple phishing emails; thus, they can be more difficult for security mechanisms to filter out and for end users to detect.
This spear-phishing variant involves highly personalized phishing messages targeting high-value individuals at a company such as C-level employees, senior managers, or IT Administrators. Such executives are extremely enticing to phishers, as they usually have a high level of access to both business networks and confidential information. A great deal of effort can go into the hunt for this elite group of targets, generally including extensive information gathering and/or surveillance. These messages are typically very well-crafted, highly customized, and most often appear to come from an internal user.
This type of attack flips whaling around, and involves the impersonation of a high level executive at the institution. As the name suggests, these emails purport to come from the CEO or another high-ranking individual. Often, emails are timed to correspond with travel or incorporate some other excuse for asking an eager-to-please employee to bypass normal operating procedures. Commonly, such requests involve wire transfers or bulk disclosure of sensitive information.
Data collection and social engineering are not the only concern here, and as an ISO you should be very concerned about what happens after a user opens an attachment or clicks a link. Phishing campaigns are an extremely common catalyst for malware infections. These malicious emails help fuel a massive and profitable criminal industry, so bad actors are highly motivated to keep finding new ways to sneak bugs in through your inbox.
In 2016 alone Safe Systems observed numerous email attacks acting as a front end for ransomware like Locky, CryptoWall, and CryptXXX. At best (if your backup procedures are solid), such ransomware infections can cause a temporary loss of resource availability, and at worst ransomware may cause extended downtime and permanent loss of data. While ransomware gets most of the attention, any malware infection has the potential to negatively impact your institution’s operations and reputation.
Unfortunately, there is no reason to believe these threats will decline in the foreseeable future, so financial institutions would be wise to prepare accordingly. There are numerous technical controls available to help protect your mailboxes; however, no technology solution is perfect. Additionally, entirely new threats or threat variants (aka “zero day” threats) are always an ongoing concern. Email usage policies and proper employee (and customer) training play a vital part in catching threats that evade your technical controls. Please join me for part 2 of this article where we will discuss effective security strategies to protect against email-borne threats.
Submit a question for Ask the ISO