Cyber-attacks are becoming more sophisticated as cyber criminals find alternative ways to target financial institutions and their data. Most recently, there has been an increase in phishing scams that specifically target bank employees, attempting to obtain sensitive information such as usernames and passwords. The ultimate goal is to trick bank employees into clicking on links or opening attachments that redirect them to fake websites where they are encouraged to share login credentials and other personal information.
With access to your employees email accounts, cyber criminals have the ability to read your bank’s critical information, send emails on your employees’ behalf, hack into the employee’s bank and social media accounts, and gain access to internal documents and customer financial information. This can result in both financial and reputational risks for the institution and its employees.
To help protect your institution’s data, here are two key ways to prevent phishing scams and increase security for your community bank or credit union:
- Employee Training is the Number One Priority
Without proper training, it is very easy for employees to fall victim to a variety of email phishing scams. Financial institutions must have a policy of on-going testing and training to ensure employees understand security procedures and are equipped to identify phishing emails and other security threats. It is also important to establish a security culture within your organization to ensure that all employees recognize that they have a personal responsibility to safeguard against breaches.
Community banks and credit unions can also leverage an outside security company to conduct security training and checks to verify how employees interact with suspicious emails. This allows network administrators to look at different levels of risk based on whether an employee ignored the email, opened the email, or clicked the link and provided information. After conducting this test, the administrator can then use that opportunity to educate employees on what happened during the test, explain how the system was compromised, and provide applicable advice on how to recognize these types of attacks in the future.
- Stop Email Phishing Attacks with Multifactor Authentication
A proven way to protect your bank’s network is to implement multifactor authentication, which requires more than one method of authentication to verify a user’s identity for a login or other transaction. This security option is designed to make it more difficult for cybercriminals to access bank accounts and other sensitive information.
While there are different ways to implement multifactor authentication, the three basic elements that can be used in this process include:
- Something the user knows, like a password or PIN;
- Something the user possesses, like a smart card, token or mobile phone; and
- Something the user is (i.e., biometrics), such as a fingerprint or retina scan.
Many of our customers rely on Safe Systems SafeSysMail O365 hosted email solution, which provides them the option to turn on dual-factor authentication to increase the layers of security. When an employee tries to login to their email account, they would first type in their username and password. Then, as a second factor, they would use a mobile authentication app, which will generate a code or PIN to enter on the screen and would then be given access to the account. Implementing multifactor authentication is a powerful step toward preventing hackers from gaining access to accounts even if a password or security answer is stolen.
To combat today’s cyber threats, financial institutions must stay up to date on the latest phishing strategies and verify that the security policies and solutions in place can reduce potential threats. It is also vitally important that employees understand the types of attacks they may face, the risks, and how to address them. Implementing a combination of employee training and multifactor authentication strengthens your institution’s security strategy and can make the difference when (not if) cybercriminals attempt to hack into your employee accounts.