Pub. 9 2014-2015 Issue 3

www.nebankers.org 16 Extraordinary Service for Extraordinary Members.

TECH TALK

Gone Phishing

Russ Horn, CISA, CISSP, CRISC, President, CoNetrix

Phishing attacks are a part of everyday life. Unfortunately, the banking industry is the primary target of these types of attacks, according to the “Global Phishing Survey 2H2013: Trends and Domain Name Use” by the Anti-Phishing Working Group (APWG). So, what are phishing attacks and how can we protect our banks against these attacks?

What is a phishing attack?

A phishing scam is a type of social engineering attack that typically uses fraudulent electronic messages (email, text, etc.) that appear to come from legitimate sources. These messages usually attempt to acquire sensitive information or install malicious software by directing the recipient to click a link or open an attachment. Some common types of phishing include:

• Spear Phishing: targeting specific individuals, roles, or organizations
• Whaling: targeting executives or board members
• Phaming or Minnowing: targeting family or children of key employees
• SMiShing: an attack using text messages
• Vishing: an attack over a phone call

What are some examples of recent phishing attacks?

Here are a few common phishing attacks we have seen recently:

• An email appearing to come from the Better Business Bureau claims someone opened a complaint about your institution and directs you to, “click here to read the report.”
• An email appearing to come from your corporate phone system directs you to “click here to listen to the voicemail.”
• An email appearing to come from Facebook asks you to reset your password.
• An email notifying you of a recent transaction supposedly from eBay or Amazon directs you to “click here to view or cancel the transaction.”

Are phishing attacks successful today?

Yes. Over the past 12 months, CoNetrix has conducted 96 social engineering tests on various financial institutions across the United States. During these tests, we were more than 90 percent successful in getting at least one employee from the institution to click on a link or open an attachment.

Why are phishing attacks successful?

There are many reasons phishing attacks are so successful, including:

1. The sheer number of attacks. Phishing attacks are fairly easy to construct and inexpensive to deploy.
2. Inherent human desire to please. We train our employees to be kind and helpful, and it is human nature to want to please. Phishing attacks prey on these natural and trained characteristics.
3. Hurried work life. Employees are wearing so many hats and have so many deadlines, they learn to move quickly and can easily overlook common sense, clicking a link or opening an attachment when they shouldn’t.
4. It only takes one. It just takes one person in the organization to fall for an attack in order for the attack to be successful.

What can we do to train our employees?

Training must be repetitive. We need to continually remind our employees of these attacks and show them examples of what they look like. Testing is also a good training mechanism. Employees may think they will never be targeted with a “real” phishing
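The lures listed above share a pattern: a message that claims to come from a known brand but arrives from an unrelated domain, and a "click here" link that leads somewhere other than that brand. The following is an added example, not code from the article or from CoNetrix, of a small triage rule set a mail administrator could run over quarantined messages to surface exactly those traits. It goes a step beyond the text by inspecting the From header and the link targets; the brand-to-domain table, the lure phrase list and both sample messages are constructed assumptions for illustration.

```python
"""Flag brand impersonation and "click here" lures in raw email messages.

Added example (not from the article or CoNetrix). The brand allowlist and
the sample messages below are constructed for illustration only.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: display-name keyword -> domains allowed to send as that brand.
# A real deployment would load this from configuration; these entries are assumptions.
BRAND_DOMAINS = {
    "better business bureau": {"bbb.org"},
    "facebook": {"facebook.com", "facebookmail.com"},
    "ebay": {"ebay.com"},
    "amazon": {"amazon.com"},
}

# Lure phrases quoted in the article, matched case-insensitively in the body text.
LURE_PHRASES = (
    "click here to read the report",
    "click here to listen to the voicemail",
    "click here to view or cancel",
    "reset your password",
)

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def in_domains(host, domains):
    """True when host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_parts(msg):
    """Return (display name, address domain), both lowercased, from the From header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), domain


def body_text(msg):
    """Return the decoded text of the HTML part if present, else the plain part."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, domain = sender_parts(msg)

    # 1. Display name claims a brand, but the sending domain is not one of that brand's.
    claimed = set()
    for brand, good in BRAND_DOMAINS.items():
        if brand in name:
            claimed |= good
            if not in_domains(domain, good):
                findings.append(f"display name claims '{brand}' but sender domain is '{domain}'")

    # 2. Body carries one of the lure phrases the article describes.
    text = body_text(msg)
    lowered = text.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            findings.append(f"lure phrase: '{phrase}'")

    # 3. Links: visible text that names one host while the href goes to another,
    #    or a "click here" link that leaves every domain the claimed brand may use.
    for href, anchor in LINK_RE.findall(text):
        host = (urlparse(href).hostname or "").lower()
        shown_text = re.sub(r"<[^>]+>", "", anchor).strip().lower()
        shown = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown_text)
        if shown and not in_domains(host, {shown.group(1)}):
            findings.append(f"link text shows '{shown.group(1)}' but points to '{host}'")
        if "click here" in shown_text and claimed and not in_domains(host, claimed):
            findings.append(f"'click here' link goes to '{host}', outside the claimed brand's domains")
    return findings


# Constructed sample: the "complaint opened" lure from the article, as a filter would see it.
SAMPLE_PHISH = """\
From: Better Business Bureau <complaints@bbb-notices-example.net>
To: teller@example-bank.test
Subject: Complaint filed against your institution
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A customer has opened a complaint about your institution.</p>
<p><a href="http://bbb-notices-example.net/report">click here to read the report</a></p>
</body></html>
"""

# Constructed sample: a notice from an allowed brand domain that should produce no findings.
SAMPLE_CLEAN = """\
From: Facebook <security@facebookmail.com>
To: teller@example-bank.test
Subject: New login to your account
Content-Type: text/plain; charset="utf-8"

We noticed a new login from a recognized device. No action is needed.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample) or ["no findings"])
```

Rules like these are a triage aid, not a verdict: a legitimate vendor that sends from a third-party mailer will trip rule 1 until its domain is added to the allowlist, which is why the table is kept as data rather than hard-coded logic.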
