09 October 2015


Retired Member


Spear Phishing Targets Bank Employees

13 August 2013

We now have proof that hackers are targeting bank employees. Sadly, keyloggers, man-in-the-middle attacks, and Trojans aren’t just for online banking customers anymore. The joint fraud alert from the FBI, FS-ISAC, and IC3 at the end of 2012 warns financial institutions that hackers are using spear phishing to take over internal employee accounts and send fraudulent wires.

Assume you’re already compromised.

The latest advice from security experts is to assume that criminals already have access to your systems. That is not the experts throwing in the towel; the reality is that attacks are becoming more sophisticated, and FIs are having a hard time keeping up. The talk around the security water cooler is “if a criminal really wants to get in, they’re going to get in.”

Cyber attacks = internal fraud?

How is a cyber criminal different from an embezzler? In this case, they’re not different at all:

  • They’re both trying to steal money from you and your customers. 
  • They’re both covering their tracks to avoid getting caught. 
  • And, unfortunately, now they both have full access to your core banking systems.

Then what technology do we need?

This is not a problem that can be solved by technology alone. The largest FIs have spent millions on technologies like SIEMs, firewalls, IDS/IPS, access control, payment fraud detection, online fraud detection, and so on. And yet they’re still susceptible to attacks from both embezzlers and cyber criminals.

The answer: understand your complex money flow.

There is a way to stop BOTH cyber criminals and embezzlers, and it starts with understanding how money flows through your organization. Over years, FIs have built a complex web of phone, fax, email, and payment systems that can move money internally and send money externally. This leaves FIs open to massive embezzlement. Employees and hackers have the ability to send or redirect tens of millions of dollars. The $19 million wire fraud reported by Citibank in 2011 is a perfect example of how payment complexity leaves financial institutions open to massive exposure.

Understanding shows you risk-based solutions.

As you follow the paths that money takes through your organization, the solutions become obvious. You spot the supervisor who can create AND approve a $5 million wire. You learn that branch managers can both transfer funds internally and send them externally. You realize that nothing will stop a wire room supervisor (or a hacker who took over their account) from redirecting a $15 million wire. Each issue you find points directly to its own fix.

Get started today.

The process to follow is simple:

  • Start in your front office (tellers, CSRs, phone bank, lending officers, etc.). 
  • Identify every way that your front office staff moves money (internally and externally). 
  • Follow every step in the money movement process until the end. 
  • Along the way, you’ll also find back office functions that can move money. 
  • At each and every step of the process, make sure you understand three things: (1) How do we know this request is legitimate? (2) Where does this request go next? (3) How much money can we move? 

While the process itself is simple, it becomes complex as you repeat each step hundreds of times. Careful organization is crucial, as are a repeatable process and staff who understand both payment processing and how to think like a criminal. At the end of this process, you will have a prioritized, risk-based view of the threats posed to your organization by both internal staff and cyber criminals who may take over their accounts. You’ll also have a prioritized list of recommendations. If organized properly, this review gives your Board and Sarbanes-Oxley team a much higher level of confidence about this threat.
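The walk-through above (start in the front office, follow every money-movement path to its end, and ask the three questions at each step) and the findings it turns up (a supervisor who can create and approve a wire, a branch manager with no second approver, an unlimited redirect) can be captured in a small model. The following is an added example, not code from the original post or from any product; the roles, paths, limits and verification methods are constructed for illustration, and the three checks (unverified request, missing separation of duties, no amount limit) are one way to encode the three questions, not the only one.

```python
"""Map money-movement paths and rank the gaps a single compromised account exposes.

Constructed example: the paths, roles and limits below are invented, not real bank data.
"""
from dataclasses import dataclass
from typing import List, Optional

UNBOUNDED = float("inf")  # no cap enforced at this step


@dataclass(frozen=True)
class Step:
    """One hand-off in a money-movement path."""
    name: str
    role: str                    # who performs the step
    action: str                  # "initiate", "approve" or "release"
    verification: Optional[str]  # how legitimacy is checked; None = not checked
    limit: float = UNBOUNDED     # amount cap enforced at this step


@dataclass(frozen=True)
class Path:
    name: str
    external: bool               # True if money leaves the institution
    steps: List[Step]


@dataclass(frozen=True)
class Finding:
    path: str
    category: str
    detail: str
    exposure: float              # amount one compromised account could move on this path


def effective_limit(path: Path) -> float:
    """Largest single transaction the path lets through: the tightest step limit."""
    return min(step.limit for step in path.steps)


def review_path(path: Path) -> List[Finding]:
    """Ask the three questions at every step: legitimate? where next? how much?"""
    findings = []
    exposure = effective_limit(path)
    initiators = {s.role for s in path.steps if s.action == "initiate"}
    controllers = {s.role for s in path.steps if s.action in ("approve", "release")}

    # (1) How do we know this request is legitimate?
    for step in path.steps:
        if step.action == "initiate" and step.verification is None:
            findings.append(Finding(path.name, "unverified request",
                                    f"{step.name}: {step.role} accepts the request without verification",
                                    exposure))

    # (2) Where does this request go next? Is there an independent second role?
    if not controllers:
        findings.append(Finding(path.name, "no independent approval",
                                "nobody outside the initiating role reviews the movement", exposure))
    for role in sorted(initiators & controllers):
        findings.append(Finding(path.name, "create-and-approve",
                                f"{role} can both initiate and approve/release", exposure))

    # (3) How much money can we move?
    if exposure == UNBOUNDED:
        findings.append(Finding(path.name, "no amount limit",
                                "no step caps the transaction amount", exposure))
    return findings


def prioritized_findings(paths: List[Path]) -> List[Finding]:
    """External paths first, then largest exposure, so the worst gaps top the list."""
    by_path = {p.name: p for p in paths}
    found = [f for p in paths for f in review_path(p)]
    return sorted(found, key=lambda f: (not by_path[f.path].external, -f.exposure, f.category))


# Constructed sample: four paths a front-office walk-through might uncover
SAMPLE_PATHS = [
    Path("Branch wire, customer present", True, [
        Step("teller keys wire", "teller", "initiate", "ID + signature card", 50_000),
        Step("manager approves", "branch manager", "approve", "reviews teller entry", 250_000),
        Step("wire room releases", "wire clerk", "release", "callback to customer"),
    ]),
    Path("Email wire request", True, [
        Step("supervisor keys wire", "wire supervisor", "initiate", None, 5_000_000),
        Step("supervisor approves", "wire supervisor", "approve", "self-review", 5_000_000),
        Step("wire room releases", "wire clerk", "release", "none recorded"),
    ]),
    Path("Wire room override", True, [
        Step("supervisor re-keys beneficiary", "wire supervisor", "initiate", "phone request"),
        Step("supervisor releases", "wire supervisor", "release", "self-review"),
    ]),
    Path("Internal book transfer", False, [
        Step("manager moves funds", "branch manager", "initiate", "phone request"),
    ]),
]

if __name__ == "__main__":
    for f in prioritized_findings(SAMPLE_PATHS):
        cap = "unlimited" if f.exposure == UNBOUNDED else f"${f.exposure:,.0f}"
        print(f"[{cap}] {f.path}: {f.category} - {f.detail}")
```

The customer-present branch wire produces no findings because a different role sits at every hand-off and each step enforces a limit; the other three paths surface exactly the gaps the article describes. Run over a real inventory of paths, the sorted output is the prioritized, risk-based list the review is meant to hand to the Board.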

Tags: Security, Risk & regulation
