Today, cybersecurity threats are ubiquitous. Cyber attackers are infiltrating email systems, computer networks and anywhere else they can find weaknesses to exploit. They’re using a variety of schemes to steal data, money and other assets—and tarnish corporate reputations.

Financial institutions are prime targets for cyber criminals, which is why cybersecurity must be a top priority. In 2018 alone, more than 500 security incidents affected financial and insurance organizations—with almost 25 percent having confirmed data disclosure, according to the Verizon Data Breach Investigations Report.

In addition, the costs to remedy the damage from cybercrime is higher than ever, and still growing. Now, the average cost of cybercrime for an organization is $13.0 million, up from $1.4 million in 2017, according to Accenture’s 2019 Cost of Cybercrime Study.

The Rise of Business Email Compromise

Not only are cyber threats rampant, but they’re becoming more devious and complex. For example, business email compromise (BEC) is one of the top threat vectors for 2019. BEC is a sophisticated type of phishing scam that’s perpetrated through five main scenarios, according to the FBI’s Internet Crime Complaint Center (IC3). Often, BEC scammers pretend to be a foreign supplier and attempt to trick employees into wiring funds for outstanding invoices into their bank account. In another common BEC scam, attackers impersonate a high-level executive, such as a CIO, CEO, or CFO, to try to deceive employees into wiring money.

However, BEC doesn’t always entail requesting wire transfers. More recently, BEC has involved data theft—the receipt of fraudulent emails asking for either wage or tax statement forms or a company list of personally identifiable information (PII). Regardless of the scenario, the business executive’s email is compromised, either by hacking (normally through a personal email account) or spoofing (altering the sender’s information to mimic a legitimate email request).

Like other cybercrimes, BEC continues to evolve and is rapidly expanding. The scam has been reported by victims in all 50 states and in 100 countries, according to IC3. Many BEC complaints have involved businesses and associated personnel using open source email accounts; the phrases “code to admin expenses” or “urgent wire transfer;” requested dollar amounts that are similar to normal business transaction amounts; and IP addresses that frequently trace back to free domain registrars.

Strengthen Cybersecurity Processes

Financial institutions and other organizations can protect themselves from BEC by implementing robust internal prevention techniques at all levels, particularly with front-line employees who are more likely to receive initial phishing emails. Some institutions are reducing BEC-related fraud by simply holding customer requests for international wire transfers for an additional time period to verify the legitimacy of the request. Other IC3-recommended strategies for strengthening bank cybersecurity against BEC include:

• Avoid free web-based e-mail accounts;
• Be careful about what is posted to social media and company websites (especially job duties/descriptions, hierarchal information, and out of office details);
• Be suspicious of requests for secrecy or pressure to take action quickly;
• Consider using additional IT and bank cybersecurity procedures, including a two-step verification process;
• Beware of sudden changes in business practices, such as being asked to contact a business associate through a personal email instead of company email address; and
• Provide security awareness training to all employees.

Regardless of the threat outlook for BEC and other cyber-attacks, financial institutions must have effective tactics for safeguarding their customer information, infrastructure and operations. This necessitates meeting regulatory and industry compliance standards for collecting, protecting and using private financial data.

To gain more insight into this area, as well as other key topics for CEOs to be aware of, download our white paper, Top IT Areas Where CEOs of Financial Institutions Should Focus: Important Questions and Answers.

Many financial institutions are finding the Cloud to be very appealing for their business objectives. Migrating server workloads and applications to the cloud provides many benefits for banks and credit unions alike, but it can also seem overwhelming to some who are introducing cloud services to their organizations for the first time. Today, many banks and credit unions are taking the first step of moving or looking to move their email hosting services to the cloud. Traditionally, email services have been hosted on-premises, but now financial institutions can take advantage of hosted email solutions to simplify email management and make processes more efficient for the entire organization.

Cloud hosted solutions, such as Microsoft O365, can dramatically simplify business email management by eliminating the need for manual intervention and management which enables the IT staff to focus on more revenue-generating tasks. In addition, the experience for end-users is essentially the same, creating a seamless transition for the institution.

In addition to increased efficiencies, there are other key advantages of moving email to the cloud such as:

• A secure email environment – the cloud is a secure environment for data storage.
• Reduced costs – there is no need to purchase and maintain costly servers.
• Reduced manual intervention – with cloud solutions, bank staff no longer needs to manage the email network including email migrations, upgrades, backups, and general maintenance.
• High reliability and availability – cloud-based solutions have redundant systems to ensure email services are consistent and run properly every day.
• Built-in backups and archiving – cloud-based solutions automatically perform backups and archive tasks. The backups are also stored off-site, which is an important aspect of any disaster recovery plan.
• Ability to access email from anywhere – cloud-based email solutions can always be accessed, from any location, using any device, improving the productivity of employees.

Not all cloud-based email solutions are created equal

Financial institutions require an industry-specific email solution that adheres to strict cybersecurity regulations to remain in compliance with regulatory guidance and expectations.

In addition, community banks and credit unions place increased importance on the availability, uptime and security of their email solutions. Some aspects of a cloud-based email solution that banks and credit unions should consider include:

• Ability to meet strict cybersecurity regulations
• Can create customized reports for regulators (e.g., compliance, user, and encryption)
• Reliable up-time and redundancy
• Unique layers of security, SPAM filtering, antivirus, and on-demand encryption
• Multifactor authentication

Email Account Takeover is one of the most profitable cybersecurity threats for criminals and as a result, has become increasingly common. In fact, according to Agari, email account takeover has seen a 126 percent increase month-to-month since the beginning of 2018. Agari also indicates that 44 percent of businesses reported being victims of targeted email attacks. Regardless of the type of email system, whether it is hosted in-house or in the most robust cloud solution available, the level of vulnerability and ease in which a user can fall victim to this threat tend to remain consistent.

As one might suspect, passwords are often the weakest link in email security. They are usually obtained through traditional means such as social engineering, malware, buying passwords off the deep web, or users simply reusing the same passwords for different sites or applications. Once passwords are compromised, hackers then use that opportunity to watch and monitor email usage to determine and ultimately target the best ways to profit from this access. This happens by emailing malware from a known user account within a legitimate contact list; a payment request for seemingly business-related items or services; or a request for another user’s passwords. Unfortunately, criminals are displaying endless levels of creativity in executing their fraudulent activity.

The Impact of Email Account Takeover

Email account takeover attacks are particularly dangerous (and very effective) because they often originate through emails from trusted senders. Because there is a pre-existing trust relationship with the sender, the attack is then more likely to succeed. In addition, since the attack originates from a legitimate account, it often goes undetected by traditional security controls.

When email account takeover attempts are successful, not only are the user and the organization directly impacted, but the losses and hardships extend far beyond those tied to that individual account. Account takeover puts a significant strain on customer and member relationships and can result in long-term damage to a financial institution’s brand and reputation.

Imagine an email with malware imbedded was sent to all of your customers or business partners. This has the potential to infect hundreds of customers’ machines. Now imagine $10,000 being wired to a rogue account based off of an email that included the correct language and information; or all of your employees receiving emails from your network administrator requesting they confirm their passwords. These are not hypothetical situations, but rather real-life examples that have all happened multiple times, regardless of industry or location.

How to Mitigate Email Account Takeover

Many banks and credit unions have realized that simply having the correct username and password is no longer enough to ensure a truly secure email account. Successful email account takeover attacks reveal a lack of adequate protection which, when recognized, can be corrected. Some proven methods to effectively prevent an attack include the following.

Employee Training

Increasingly, banks and credit unions are recognizing employee training as an important security mechanism and prevention protocol. Employees who are not adequately trained on how to properly use email, including: email attachment protocols; how to deal with unknown senders; and how to spot suspicious emails; can quickly become a top vulnerability and security threat for their institutions. Training for all employees—from tellers and loan officers up to the President and CEO—is critical.

Password Usage

Remembering all of the passwords required to secure daily activities has become a tall order, one which often results in employees using the same (or a limited set) of passwords for all accounts. This is not a good idea as once your password is compromised in one place, you are then immediately vulnerable in multiple places. Whenever possible, one should randomly generate a unique password for each program or site that they use.

Outside Testing

Community banks and credit unions can leverage an outside security company to conduct security training and checks to verify exactly how their employees interact with suspicious emails. This allows network administrators to evaluate different levels of risk based on whether an employee a) ignored the email, b) opened the email, or c) clicked the link and provided information. After conducting this test, the administrator can then use that opportunity to educate employees on what happened during the test, explain how the system was compromised, and provide applicable advice on how to recognize these types of attacks in the future.

Stop Email Account Takeover Attacks with Multifactor Authentication

A proven way to protect your bank’s email system is to implement multifactor authentication, which requires more than one method of authentication to verify a user’s identity for a login or other transaction. This security option is designed to make it more difficult for cybercriminals to access bank accounts and other sensitive information.

While there are different ways to implement multifactor authentication, the three basic elements that can be used in this process include: Something the user knows, like a password or PIN; Something the user possesses, like a smart card, token or mobile phone; and Something the user is (i.e., biometrics), such as a fingerprint or retina scan.

Many of our customers rely on Safe Systems SafeSysMail O365 hosted email solution, which provides them the option to turn on dual-factor authentication to increase the layers of security. When employees login to their email account, they must first type in their username and password. Then, as a second factor, they use a mobile authentication app, which will generate a code or PIN to enter on the screen and only then are they given access to the account. If you or your employees don’t have a smart phone, that’s ok. Microsoft provides multiple ways to implement their multifactor solution. Implementing multifactor authentication is a powerful step toward preventing hackers from gaining access to accounts — even if a password or security answer is stolen.

For such a seemingly simple act, account takeover presents significant reputation risk and financial risk to your institution, but by ensuring that your bank or credit union adopt proven strategies to counter it – and remain diligent in performing them – it is a threat that can be prevented.