Spear phishing affects financial institutions more than any other industry. The latest information from the Anti-Phishing Working Group (APWG) revealed that 60 percent of the organizations hit with phishing attacks during Q4 2017 were financial institutions.
With financial institutions being the prime target for cybercriminals, more firms have increased security measures. Gone are the days of simple phishing scams with easily identifiable markers and the look and feel of mass-distribution emails. Now, cyber attackers employ a more sophisticated and targeted approach to dupe financial institution employees, especially executives, into disclosing sensitive network access information.
Anatomy of a Successful Spear Phishing Attack on Financial Institutions
Unfortunately for many financial firms, these tactics are working. As we mentioned in a recent blog post, cybercriminals use a predictable and effective system for siphoning funds from financial institutions. These tactics for stealing funds through spear phishing attacks include:
Step One: Send personalized emails focused on key individuals within an organization.
Step Two: Monitor the financial institution’s way of conducting business, from email communication patterns to the way the firm moves money from one account to another, to policies and protocols related to wire transfers.
Step Three: Test illegal access to funds by conducting funds transfers in small amounts, usually under $10,000, to avoid detection.
Step Four: Coordinate with other cybercriminals to monitor operations at individual branches of the financial institution.
Step Five: Launch larger attack or continue steady siphoning of funds in small amounts.
We’ve seen this five-step pattern play out in banks across the globe, including most recently in Canada and Mexico, where cybercriminals made off with upwards of $20 million through a coordinated spear phishing attack.
The recent spate of breaches of financial institutions’ networks included several components, but they all started with a successful spear phishing attack. Let’s take a closer look at those components and how you can identify and avoid them:
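The low-value test transfers of Step Three can be hunted for in transfer logs. The following is an added example, not part of the original post: it flags repeated sub-$10,000 transfers from one user to a payee outside that user's baseline. The record layout, the 7-day window, the three-transfer minimum and all sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000   # the "under $10,000" figure from Step Three
WINDOW = timedelta(days=7)     # assumed review window
MIN_COUNT = 3                  # assumed: repeats needed before alerting

# Constructed sample data: (timestamp, initiating user, payee account, amount USD)
TRANSFERS = [
    ("2018-05-01T09:12", "bmgr01", "ACME-PAYROLL", 48_000),
    ("2018-05-02T22:41", "bmgr01", "XX-NEW-7731", 9_400),
    ("2018-05-03T23:05", "bmgr01", "XX-NEW-7731", 9_750),
    ("2018-05-05T21:58", "bmgr01", "XX-NEW-7731", 9_900),
    ("2018-05-06T10:30", "teller07", "ACME-PAYROLL", 8_200),
    ("2018-05-20T11:00", "teller07", "XX-NEW-9002", 9_000),
]
# Payees each user paid during the baseline period (constructed).
BASELINE = {"bmgr01": {"ACME-PAYROLL"}, "teller07": {"ACME-PAYROLL"}}


def flag_test_transfers(transfers, baseline):
    """Return alerts for repeated sub-threshold transfers to unfamiliar payees."""
    groups = defaultdict(list)
    for ts, user, payee, amount in transfers:
        known = payee in baseline.get(user, set())
        if amount < REPORTING_THRESHOLD and not known:
            groups[(user, payee)].append((datetime.fromisoformat(ts), amount))

    alerts = []
    for (user, payee), items in sorted(groups.items()):
        items.sort()
        start = 0
        # Sliding window: drop transfers older than WINDOW before the newest one.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= MIN_COUNT:
                total = sum(a for _, a in items[start:end + 1])
                alerts.append({"user": user, "payee": payee,
                               "count": count, "total": total})
                break  # one alert per user/payee pair
    return alerts


if __name__ == "__main__":
    for alert in flag_test_transfers(TRANSFERS, BASELINE):
        print(alert)
```

Each transfer here stays under the threshold on its own; the alert comes from the repetition toward a payee the user has never paid before.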
Recent Example of a Spear Phishing Attack on Financial Institutions
In the case of the Mexican bank breach that was discovered in May of this year, cybercriminals are believed to have gained access to the networks of a series of financial institutions through spear phishing.
Though officials are still investigating exactly how the criminals used spear phishing to gain network access, these attacks do follow a common pattern. Successful spear phishing attacks require:
- An individual target within a financial firm: This can be a mid- to high-level person within a financial firm such as a branch manager.
- Research on the target’s activities: Once the criminals identify the target, they often view the person’s activities inside and outside of the financial institution.
- Monitoring of the target’s conversations: Through a series of social engineering activities, cybercriminals are able to find out which accounts their intended target handles and who they communicate with on a regular basis.
- A well-crafted email to dupe the target into exposing their network login information: Once the criminals have information about key accounts and communication patterns, they can then craft an email that mimics the communications their target legitimately receives from their contacts.
Once the criminals develop an email cadence and relationship with the target, it’s only a matter of time before they gain enough trust to have the person click on a link in an email that launches monitoring software/malware such as Carbanak. This malware records keystrokes and takes screenshots of a user’s behavior on a computer. This exposes the target user’s login information, giving cybercriminals access to the financial firm’s network.
Once inside, the attackers look for information about how money is transferred. Criminals incubate for months in a network, monitoring the patterns of how money moves through a financial institution’s network. This gives the attackers the information they need to mimic accepted protocols and take funds with minimal detection.
The biggest problem for financial institutions here is that once a user has access to the network, the system doesn’t question that user’s activities in the system. This is especially true for high-level users with unfettered access to sections of the network.
Incubating Attackers in Your Financial Institution’s Network - How to Find and Eliminate Them
After cybercriminals enter a financial firm’s network, they incubate for months at a time. Now law enforcement entities are taking the same approach to capturing and prosecuting those who seek to breach and steal from financial firms.
In June of 2018, a law enforcement effort led by the FBI arrested 74 people associated with a global cybercriminal network. Dubbed Operation WireWire, the arrests were a culmination of a six-month international effort to monitor and capture those who were planning attacks on financial institutions. The operation netted $2.4 million in recovered funds, and it interrupted $14 million in fraudulent wire transfers.
It’s important to note the international aspect of the operation. It underlines that breaches that originate with phishing attacks are being carried out, many believe, by international crime syndicates. As firms strive to make it easier for customers to move money across borders, criminals exploit the very tools and systems that create that ease of use, such as the SWIFT network.
As these criminals gain access and hide within the network, financial institutions must develop ways to identify and eliminate these threats. Here’s a quick rundown of ways your firm can prevent spear phishing-related breaches:
- Use email tools that establish communication patterns and identify deviations from those patterns. We recommend Zix as a powerful tool to implement this approach.
- Recognize that spear phishing attacks originate with social engineering efforts. This requires firms to implement solid security awareness training efforts that help employees identify and report spear phishing attempts.
- Focus ongoing security awareness training on top-level employees. Though lower-level employees can also inadvertently give cybercriminals access to a financial firm’s networks, studies show high-level employees are most often the targets of spear phishing efforts.
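The first recommendation above, checking mail against established communication patterns, is illustrated here as an added example that is not from the original post and does not describe how Zix or any particular product works. The contact baseline, the sample messages and the edit-distance limit of 2 are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed baseline: display name -> address this recipient normally hears from.
KNOWN_CONTACTS = {
    "dana whitfield": "dana.whitfield@firstregional.example",
    "wire desk": "wires@firstregional.example",
}

# Constructed sample messages (headers only).
SAMPLES = [
    "From: Dana Whitfield <dana.whitfield@firstregional.example>\nSubject: Q2 report\n\n",
    "From: Dana Whitfield <dana.whitfield@firstregiona1.example>\nSubject: Urgent wire\n\n",
    "From: Wire Desk <wires@firstregional.example>\n"
    "Reply-To: wires@mailbox.example\nSubject: Updated instructions\n\n",
    "From: New Vendor <sales@vendor.example>\nSubject: Hello\n\n",
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def deviations(raw, contacts=KNOWN_CONTACTS):
    """Return the reasons a message departs from the established pattern."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []
    expected = contacts.get(name)
    if expected and expected != addr:
        reasons.append("known display name, unfamiliar address")
    known_domains = {a.rpartition("@")[2] for a in contacts.values()}
    if domain not in known_domains and any(
            0 < edit_distance(domain, d) <= 2 for d in known_domains):
        reasons.append("lookalike domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != domain:
        reasons.append("Reply-To domain differs from From")
    return reasons
```

A first-time sender such as the fourth sample returns no reasons; the checks fire only when a message imitates or redirects an existing relationship, which is the pattern described in the attack anatomy above.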
Security awareness training is now a consistent part of life for any C-suite executive or branch manager of financial institutions that are serious about preventing a network breach.
Next Steps in Securing Your Network Against Phishing Attacks
Security awareness training and software are the best resources for fighting the tide of spear phishing attacks targeting you and your key personnel. Develop a strong protocol for dealing with spear phishing by training key executives and decision makers to identify and report such attempts to breach the network.
Consider working with an external team to help you address the concerns associated with identifying and eliminating spear phishing attacks. DataComm has the software and training resources you need to fight the onslaught of attempts to breach your network. Let’s have a conversation today about ways we can help you manage your approach to these ongoing threats.
1 APWG, “Phishing Attack Trends Report - Q4 2017,” Released May 15, 2018