3 Types of Social Engineering Attacks on the Financial Services Industry: Would Your Employees Fall for Them?
Providing quality customer service is crucial for the financial services industry, but there are many potential pitfalls when your employees go above and beyond for your customers. Consider the number of sensitive assets that banks rely on every day to conduct business: Social Security numbers, credit information, PINs, cardholder data, mailing addresses, email addresses, account balances, and more. It’s all available and accessible to employees, which means that it’s susceptible to being compromised by a malicious hacker. That’s why it’s critical to focus on social engineering training for bank employees. This will educate them on how to identify and report social engineering attempts.
What is Social Engineering?
How sure are you that your employees can withstand a social engineering attempt? Social engineering is creative and purpose-built to trick your employees. It leverages and manipulates human interactions to compromise your organization. This could be something like bypassing a procedure to let a guest into an employee-only area, or accepting someone’s story of unusual circumstances as a reason to break policy. Eventually, these breaks in policy or procedure lead to malware or unauthorized access to your systems. The stories that come out of social engineering engagements can be shocking to security officers and executives who believe that their employees would never fall for it – especially in the financial services industry. Social engineering doesn’t require a lot of technology or complicated processes; all it needs is a distracted, careless, too-accommodating, or overworked employee.
What Types of Social Engineering Attacks Could Happen at a Financial Institution?
While phishing attacks are the most common social engineering attack that the financial services industry typically faces, they’re not the only kind that could cause a data breach or security incident. Whether it’s via email, website spoofing, or a physical attack at a financial institution, malicious hackers will find a way to access sensitive data. Let’s take a look at the following types of social engineering attacks that could happen at a financial institution.
1. Email
The goal of phishing is to gain access to an organization’s network or systems by compromising the login credentials of an employee or group of employees. Emails are often sent under the guise of senior management, contain malicious links or attachments, and are often hard to identify. For example, let’s say that an employee who has worked at your bank for over ten years receives an email that requests that she verify her login credentials immediately or else her account will be suspended. Although this employee has never received an email like this before, the urgency of the request, coupled with a fear of being locked out of the network she needs to fulfill her duties, influences her to click on the malicious link in the email, leading to a major data breach. Would your employees fall for this scenario?
2. Website Spoofing
Website spoofing is often combined with phishing emails. Website spoofing occurs when a malicious hacker creates a website that looks nearly identical in both design and web address to the original website. For the financial services industry, this can be especially problematic given the sensitive nature of the data used to conduct business. For example, if an employee receives an email that appears to direct them to their company website (e.g., www.wellsfargo.com), but the link provided in the phishing email actually goes to www.welllsfargo.com, how many employees would be able to spot the difference between the two URLs before clicking on the link and compromising their credentials?
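The two scenarios above (an urgent email carrying a link, and a link whose visible text says www.wellsfargo.com while its target is the lookalike www.welllsfargo.com) are exactly what a mail gateway or a training-feedback tool can check mechanically before a person has to. The following Python script is an added example written for this page; it is not code from the original post or from KirkpatrickPrice. It assumes a constructed allowlist of the institution's legitimate domains (`LEGITIMATE_DOMAINS`), a constructed sample email (`SAMPLE_EMAIL`), and a simplified notion of "registrable domain" (last two labels) that a production tool would replace with a Public Suffix List lookup. It flags three defender-relevant signals: a target domain within a small edit distance of a legitimate one (the extra "l"), anchor text that names a different domain than the real href, and an unrelated domain that embeds the institution's brand name.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the domains the institution legitimately uses.
# (Assumption for this example; a real deployment would load this from config.)
LEGITIMATE_DOMAINS = {"wellsfargo.com"}

# <a href="..."> ... </a> in an HTML body: capture the real target and the visible text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Bare URLs in plain text.
BARE_URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.IGNORECASE)

# Constructed sample message modelled on the scenario in the text (not a real email).
SAMPLE_EMAIL = """\
<p>Your account will be suspended unless you verify your login within 24 hours.</p>
<p>Sign in at <a href="http://www.welllsfargo.com/verify">www.wellsfargo.com</a> now.</p>
<p>Questions? See https://www.wellsfargo.com/help or http://wells-fargo-secure.example/login</p>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, e.g. www.wellsfargo.com -> wellsfargo.com.
    Simplification: real code would consult the Public Suffix List (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def displayed_host(visible: str) -> str:
    """Hostname named by the visible anchor text, or '' if the text is not a URL/domain
    (e.g. 'Click here' yields '')."""
    text = re.sub(r"<[^>]+>", "", visible).strip()
    text = re.sub(r"^https?://", "", text, flags=re.IGNORECASE).split("/")[0]
    return text.lower() if re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", text) else ""


def classify_domain(domain: str, allowlist=LEGITIMATE_DOMAINS, max_distance: int = 2) -> str:
    """Verdict for one registrable domain against the allowlist."""
    if domain in allowlist:
        return "legitimate"
    for legit in sorted(allowlist):
        d = levenshtein(domain, legit)
        if d <= max_distance:                      # welllsfargo.com vs wellsfargo.com -> 1
            return f"lookalike of {legit} (edit distance {d})"
    for legit in sorted(allowlist):
        brand = legit.split(".")[0]                # 'wellsfargo'
        if brand in domain.replace("-", ""):       # wells-fargo-secure.example
            return f"embeds brand '{brand}' of {legit}"
    return "unknown"


def scan_email(body: str) -> list:
    """Return (href, verdict) pairs for every link in the message body.

    Anchors are checked for both a suspicious target domain and a mismatch between
    the domain the user sees and the domain the link really goes to."""
    findings = []
    for href, visible in ANCHOR_RE.findall(body):
        target = registrable_domain(host_of(href))
        verdict = classify_domain(target)
        shown = displayed_host(visible)
        if shown and registrable_domain(shown) != target:
            verdict += f"; displayed {shown} but points to {target}"
        findings.append((href, verdict))
    # Remove anchors first so a linked URL is not counted a second time as bare text.
    for url in BARE_URL_RE.findall(ANCHOR_RE.sub("", body)):
        findings.append((url, classify_domain(registrable_domain(host_of(url)))))
    return findings


if __name__ == "__main__":
    for href, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{href}\n    -> {verdict}")
```

Run as-is, the script reports the verify link as a one-character lookalike whose displayed domain does not match its target, the help link as legitimate, and the third link as a brand-embedding domain. The same `classify_domain` check can be applied to URLs in proxy or DNS logs to spot employees who already clicked, which is the detection side of the training the article recommends.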
3. Physical Attack
Physical attacks are just as much of a threat as phishing attacks at a financial institution. Consider the variety of people that walk into a financial institution every day: customers, vendors, maintenance personnel, etc. A malicious hacker, for example, could walk into a bank disguised as an IT professional. If employees aren’t trained on proper policies and procedures for dealing with outside IT professionals, such as verifying identity, would they give the unverified third party access to their computer?
Scenarios like those mentioned above happen more frequently than you would think. Let KirkpatrickPrice help you mitigate the risk of you and your employees being compromised. Contact us today to learn more about our advanced social engineering services.