Smaller Banks Need to Protect Themselves From Social Engineering: A Hacker’s Favorite Tool

By Jeff Multz, Director of Midmarket North America at Dell SecureWorks

As James Cagney would say, “You dirty, double-crossing rat.” That’s the sentiment small banks feel after falling for “social engineering” tactics. Social engineers pretend to be someone they’re not in hopes that you fall for one of their ploys. They use tactics to “engineer” their way inside your organization. For example, claiming to be a prospect, they may send you an email that convinces you to click on an attachment or a link inside the email. Doing either may surreptitiously download malware onto your computer.

Here’s an example of how social engineering works. An attacker sends people at your bank an email posing as a prospective customer. The email might say, “Our company is thinking about opening a business account with your bank. Please review our attached financial data and let me know which type of account would work best for us.” Once receivers click on the document, they inadvertently download malware onto their computer. Once their computer is infected, the network most likely soon will be too.

Social engineers often use “social networking” to engineer an attack. The attackers use networking sites like LinkedIn or Facebook, where users often name the companies they work for. Then, attackers find the company emails for those people and send them emails like the one mentioned above. Or, attackers could send an email with a malware link or attachment that looks as if it were sent from an actual employee. For example, attackers could send employees an email that looks as if it were sent by someone in the accounting department, asking people to click on a link to update their home contact information. Once people click on the link, a box pops up asking people to insert their home address and phone number. This looks like a valid request, so no one questions it. Actually, when the receivers clicked on the link, malware was downloaded onto their computers.

The Effect on Small Banks

Community banks with smaller staffs and budgets are generally not as well protected as their larger counterparts. Although smaller banks I speak with think they are not at great risk for cyber attacks, they are. Attackers often target smaller banks to perfect an attack before launching it on larger banks and to go through their networks to get access to their customers. Many of these attacks start with social engineering.

Tips

You can help prevent social engineering by teaching your employees the following security tips:

  • Don’t accept friend requests from people you don’t know just because they are “friends” of your friends.
  • Keep your Facebook account on Private settings, so neither the public nor friends of friends can see your posts.
  • Share real examples of phishing emails your bank has received.
  • Present examples of social engineering techniques cyber criminals use, which include suspicious phone calls asking about employees and “repair people” trying to get onto a company computer.
  • Promote a culture that politely, but firmly, questions unusual activity and policy violations.
  • Consistently train staff on cyber security via meetings and emails.

It would be nice to be able to trust everyone, but when you don’t “trust but verify,” you often end up communicating with a rat. And that stinks.

Dell SecureWorks, a global information services security company, helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs. For more information on securing your organization, please contact and write “Social Engineering” in the subject line.
