Fighting Phishing in the Financial Sector


In March 2018, as spring arrived in Russia, dozens of banks received phishing emails from a criminal group known as Silence. The sender was disguised as FinCERT, the security arm of the Russian Central Bank, and the attachments claimed to describe a standard for digital communication across all banks. In reality, the files carried Silence's downloader, the first stage of the malware the group uses to get inside a bank and steal data.

Phishing, among other attack techniques, has plagued individuals and companies since the 1990s. A convincing lure combines craft with technical know-how, and institutions that lack basic checks on incoming messages are the ones most likely to hand over information. Defending against attackers of this calibre requires both security awareness and a hardened environment.

What is Phishing?

Phishing is a fraudulent attempt to obtain sensitive information through impersonation and deceptive messages. A malicious actor contacts the victim by email or phone, posing as a reputable source, with the aim of stealing information or installing malware. Phishing has been at the root of some of the biggest, headline-grabbing breaches of recent years, including the widespread attack against Gmail users in 2017, the Ukrainian power grid attack in 2015, and the Target breach in 2013.

Because the ‘phisher’ looks trustworthy, the victim is more likely to give out confidential information or download a file that compromises the company’s security.

There are four different types of phishing:

  • Deceptive Phishing

This is the most common type of phishing: the attacker tries to obtain sensitive information by email or phone, asking the victim to provide or “verify” details such as account credentials.

  • Spear Phishing

This tactic targets specific individuals. Through social engineering, the attacker customizes the content of the email or call so that the message looks entirely authentic to the target. Spear phishing is often used to infiltrate a company by gaining access through the company’s employees.

  • Whaling

This is a specialized type of spear phishing that targets executives. Because CEOs and senior managers have access to highly sensitive information, including trade secrets, a successful attack yields far more valuable data. The attacker therefore spends considerable time profiling the “big” target and choosing the right moment to strike.

  • Pharming

This is a more advanced form of phishing in which the attacker tampers with name resolution, either by poisoning a DNS server or by modifying the victim’s own computer (for example its hosts file), so that a user who types the correct address of a website is sent to a fraudulent copy instead.

The Strategy to Fight Against Phishing

Before looking at the ways a company can harden its systems and network against phishing, it is worth stressing that everyone in the business needs to stay vigilant. Being alert to suspicious errors and inconsistencies in emails or calls can save the company from a data breach or data loss. Employees should therefore learn to spot:

  • Spelling errors
  • Suspicious domain names (look-alikes of a trusted domain, or a trusted name buried inside a longer hostname)
  • Suspicious email addresses (a display name that does not match the address, or a Reply-To or bounce address that points somewhere else)
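One way to automate the domain and address checks above on a received message, as an added example that is not part of the original article: the trusted-domain list, the two sample messages, and every address, host and path in them are constructed for illustration, and the look-alike test is a simple edit-distance comparison of the registrable label (assumed here, not a method the article describes).

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed for the example: domains the bank actually corresponds with.
TRUSTED_DOMAINS = {"cbr.ru", "fincert.ru", "example-bank.com"}

# Constructed sample lure in the style of the FinCERT impersonation described
# above; every address, host and path here is invented.
SAMPLE_EMAIL = """\
From: "FinCERT" <noreply@fincert-ru.com>
Reply-To: support@secure-mail-update.net
Return-Path: <bounce@mail-sender-pool.org>
To: ops@example-bank.com
Subject: Standardised communication format for all banks
Content-Type: text/plain

Please review the attached guideline: http://fincert-ru.com.secure-mail-update.net/spec.zip
"""

# Constructed clean message for comparison: sender, bounce and link all agree.
LEGIT_EMAIL = """\
From: "Bank of Russia" <info@cbr.ru>
Return-Path: <info@cbr.ru>
To: ops@example-bank.com
Subject: Quarterly reporting reminder
Content-Type: text/plain

The reporting template is at https://cbr.ru/reports/template.xlsx
"""

# Digits commonly swapped for letters in look-alike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core_label(domain: str) -> str:
    """Registrable label with separators stripped and digit look-alikes folded:
    'fincert-ru.com' -> 'fincertru', 'examp1e-bank.co' -> 'examplebank'."""
    labels = domain.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return re.sub(r"[^a-z0-9]", "", label).translate(HOMOGLYPHS)


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is
    trusted itself or unrelated. Short labels get a tighter distance bound so
    that three-letter names do not match each other by accident."""
    domain = domain.lower()
    if domain in trusted:
        return None
    c = core_label(domain)
    for t in trusted:
        tc = core_label(t)
        allowed = 2 if len(tc) >= 6 else 1
        if c == tc or edit_distance(c, tc) <= allowed or (len(tc) >= 4 and tc in c):
            return t
    return None


def address_domain(header_value) -> str:
    """Domain of the first address in a header value, '' when absent."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    """Apply the checks to one raw RFC 822 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = address_domain(msg["From"])

    # 1. Suspicious domain name: sender domain that imitates a trusted one.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")

    # 2. Suspicious addresses: replies or bounces routed somewhere else.
    for hdr in ("Reply-To", "Return-Path"):
        d = address_domain(msg[hdr])
        if d and d != from_domain:
            findings.append(f"{hdr} domain {d} differs from From domain {from_domain}")

    # 3. Links whose host is neither the sender nor a trusted domain.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != from_domain and host not in TRUSTED_DOMAINS:
            findings.append(f"link host {host} is neither the sender nor a trusted domain")

    return {"from_domain": from_domain, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("legitimate", LEGIT_EMAIL)):
        result = analyze(raw)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print("  -", f)
```

Run against the constructed lure, the script reports a look-alike sender domain, a Reply-To and a Return-Path that point elsewhere, and a link whose host merely begins with the impersonated name; the clean message produces no findings. In production these checks belong on the mail gateway alongside SPF, DKIM and DMARC verification, which the example does not perform.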

To keep a company secure from phishing scams, here are four steps:

  1. Monitor the Network and Its Devices

Keep an inventory of all equipment and software the company owns, and monitor each item. A single infected computer or laptop can compromise the whole network, so check that every device complies with the company’s current security standards: operating systems and applications are patched, and firewall, antivirus, and anti-spyware protection is installed and up to date.

  2. Protect Sensitive Information

Once the right tools are in place, keep important files and data backed up to an external drive or a secured cloud storage service. Choose the backup schedule based on how much data the business can afford to lose (daily for critical systems, not quarterly or yearly), keep at least one copy offline or otherwise isolated from the network, and test restores periodically so the backups are known to work when they are needed.

Encrypt important information stored online so that it is unreadable to outsiders, and use Data Loss Prevention (DLP) tools to control where sensitive data can travel. At the mail gateway, apply spam and phishing filters that flag suspicious senders and block known-malicious attachments before they reach employees. None of this makes the network impenetrable, but it removes the easy weak links and faulty devices that phishers rely on.

  3. Create Contingency Plans

Companies cannot predict when a security breach will occur, but they can prepare a plan that guides the response and limits the impact. This written document should include instructions, recommendations, and considerations for how the company recovers after an attack or disruption, and it should be exercised regularly so that staff know their roles before an incident happens.

  4. Offer Security Awareness Training for Employees

No matter how sophisticated IT security defenses are, one weak link can endanger the company’s information and information systems. Employees should understand their roles and responsibilities in safeguarding sensitive information and protecting the organization’s resources. This involves security awareness training coupled with periodic workshops and simulated phishing exercises aimed at increasing employees’ ability to identify and avoid risks.

Phishing is now a routine threat to financial institutions; staying vigilant and maintaining these controls reduces the chance that a single lure turns into a crisis. This matters not only for the company’s security but also for the customers who rely on these businesses.

Talk with us.

Wilson Consulting Group is a cybersecurity firm that provides companies with solutions to keep their systems secure. Our Risk Management and Assessment Services identify, evaluate, and respond to your network’s risks.