Remote workforce Archives

Combating Business Email Compromise and Protecting Your Remote Workforce

Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).

Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:

What is business email compromise and how does it work?

Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.

These attacks have two main categories:

Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.
Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.

Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.

There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:

A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.

The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.

How Can Financial Institutions Defend Against These Threats?

Prevent

The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.

Mitigate

The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:

Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.
DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.
URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.
Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).

These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.

Respond

The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.

To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

For many financial institutions, it has been a challenge to keep IT operations moving efficiently during this pandemic. Since community banks and credit unions are considered an essential business, they are required to continue to serve customers and members. This can be difficult when employees are unavailable or are forced to work remotely from their homes for the first time. Many financial institutions have questions about how to efficiently manage their remote workforce, while keeping the institution secure and employees, customers, and members safe.

To address these questions, Safe Systems’ Information Security Officer, Chuck Copland, VP of Compliance Services, Tom Hinkel, and Chief Technology Officer, Brendan McGowan held a live panel discussion last week covering ways financial institutions can manage banking IT operations during a pandemic. In this blog, we’ll cover a few of the top questions from the panel:

1. How would you suggest making sure that remote access vendors are vetted quickly but thoroughly?

For many financial institutions, remote access was limited before the pandemic because this technology either didn’t support critical functions or wasn’t a priority at the time. Now, remote access is very important to continue business operations efficiently, and many community banks and credit unions are evaluating options for larger scale use. To do this effectively, you first need to consider all of the risks associated with remote access and the potential impact on your organization. This helps you get a quick baseline of the controls you’re going to require, which will then inform your vendor review.

While some institutions may be in a rush to get remote access tools up and running, it is important to stick to your normal vendor review process and take the time to thoroughly evaluate third-party risk. If you do have to sacrifice the integrity of your normal due diligence process and cut some corners to choose a vendor quickly, understand that there will be a resulting change in your institution’s risk appetite, or your acceptable risk. Make sure this is updated and that the executive management team including the Board sign off on the your new risk appetite.

2. What are some lessons learned about remote access for financial institutions during this pandemic?

It can be difficult to determine which remote access tool fits best with your institution’s unique security and regulatory needs. First, you should identify the best way for your staff to access the network whether it’s through a virtual private network (VPN) or an application for remote access, like a telecommute remote control tool. A VPN is a piece of software that lives on a computer that your user has at home — preferably a bank or a credit union asset and not their personal home PC.

When a user connects through a VPN tunnel, typically the computer gives access to the local network at the institution. With telecommute remote control tools, like LogMeIn and Splashtop, the user is working from a local computer at the office. These tools limit the abilities of the computer from interacting with the institution’s local network, often, making it a secure option for organizations that don’t want employees to have direct access to the network. Because each tool achieves a different goal, you will want to determine exactly what your team needs to conduct remote work efficiently, effectively, and securely.

There are also several collaboration tools and meeting tools to consider which can help different teams within your institution communicate and collaborate on projects internally and meet with each other or speak with external users outside of your organization.

What are you hearing from examiners? How are exams continuing during the pandemic?

We’re seeing that all examinations have either been pushed back to a later date or changed to a remote visit. In the climate that we are in, examiners are expecting institutions to make accommodations to customers that may be negatively affected by this pandemic and ensure they have access to other critical products and services.

But what happens when the dust settles, and we go back to a more normal set of circumstances? What will examiners expect then?

Most likely, we expect them to be looking for a mature “lessons learned” document that financial institutions create to show what they have learned over the course of this particular pandemic event. We can certainly see guidance changes coming out of this, with regulators having a new set of expectations for financial institutions going forward. Right now, we are all concerned with just getting through this challenging time but all financial institutions need to document what they are doing and the lessons they have learned along the way. They also need to create a report for the Board and the executive management team recommending any necessary changes to mitigate the impact of a pandemic, should one happen again in the future.

If you’d like to find out what other questions were answered during the live panel, watch our recorded webinar, “Ask Our Experts: Managing Banking IT Operations During a Pandemic.”