Don’t get tricked! Data protection in the financial sector.
In our previous article about cybersecurity (read here), we explained which channels and technology threats cybercriminals can use as door openers to our servers and data. Today, we would like to raise awareness and warn our readers about the increase in attempts to steal sensitive information by means of so-called social engineering, and in particular the very common phishing and spear phishing techniques. What are phishing and spear phishing?
One may receive an email, text message or a comment that appears to be sent by a legitimate institution such as a bank, school, popular company, post office or telecom company. These messages are designed to trick us into opening a malicious attachment or visiting an infected website. Typically, there is a “story” behind each message: the log-on information or credit card details need to be updated, or else access to the service will be denied. The change can supposedly be made by clicking on a provided link, which in fact infects our computers and gives the hackers access to our systems. There could also be messages saying that we are ‘winners’, with a link for verifying our personal information so that the prize can be delivered. Others ask for support for whatever disaster, campaign or charity is in the news at the moment.
We all receive these kinds of messages from time to time, and most of us have learned to always verify them, but many of us still get fooled, especially as phishing attempts become more and more sophisticated. What we have seen happening in the financial services sector recently are attempts at spear phishing, an advanced and targeted version of phishing.
Spear phishing in the financial services sector
The difference between “phishing” and “spear phishing” is that ordinary phishing emails are sent to any random email account hackers can get hold of, whereas spear phishing emails are designed to look as if they were sent by someone we know in person or have been in contact with before, and whom we trust. The sender could be an investor, customer or client we currently work with, a colleague, a business manager, or the IT department asking for a password update. Spear phishers take time to learn about our daily life and networks in order to produce something that looks legitimate enough for us to transfer money on behalf of a customer, or to pay an invoice that the ‘manager’ asked us to pay.
Currently, we see several newspaper articles and warnings from the financial services industry about the events described above, which are happening more frequently and in more sophisticated forms. As hackers go where the money is, Permian would like to ask everyone in the financial services industry to be aware. Our advice on how to avoid being harmed by cyberattacks is to:
- Raise awareness among employees about the scope, techniques and dangers of cybercrime, and that it can happen to anyone. The next attempt will look different, so good judgement is important
- Establish thorough procedures and routines for bank transfers, for example:
  - Double approval of transfers
  - Additional control of new account numbers before issuing the transfer of money
  - Use of BankID when logging into online banking and mobile banking, and to authorise payments
  - Additional phone call confirmation of transfers requested by a client
- Beware of emails regarding bank transfers or payment instructions that are ‘urgent’
- Beware of misspelled email addresses that imitate familiar ones
- Use Multi-Factor Authentication (a log-on procedure in two steps)
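Several of the transfer controls above (a check on new account numbers, double approval, ‘urgent’ wording and misspelled look-alike sender addresses) can be turned into an automated pre-screening of incoming payment instructions before anyone acts on them. The Python below is an added example and is not Permian’s code or a product of the financial institutions mentioned; the trusted domains, the list of previously used beneficiary accounts and the sample requests are constructed, and the look-alike check uses a plain edit-distance comparison, which is one simple way to catch “permain” for “permian” or “rn” for “m”, not an industry standard.

```python
"""Pre-screening of payment instructions against the transfer controls
listed above. Added example; all domains, accounts and messages are
constructed sample data, not real counterparties."""
from dataclasses import dataclass

# Constructed: domains of counterparties we actually work with.
TRUSTED_DOMAINS = {"permian.example", "clientbank.example"}
# Constructed: beneficiary accounts that have been paid before and verified.
KNOWN_ACCOUNTS = {"NO9386011117947", "NO1234567890123"}
# Wording typical of pressure to skip the normal routine.
URGENCY_WORDS = ("urgent", "immediately", "asap")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None.
    An exact match is trusted and therefore not a look-alike."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


@dataclass
class PaymentRequest:
    sender: str               # e-mail address the instruction came from
    subject: str
    body: str
    beneficiary_account: str  # account number the money should go to
    amount: float
    approvals: tuple = ()     # user ids of people who approved the transfer


def screen_payment(req: PaymentRequest) -> list:
    """Apply the controls and return the list of reasons to hold the transfer.
    An empty list means no control was triggered."""
    flags = []
    domain = req.sender.rsplit("@", 1)[-1].lower()

    # Control: misspelled addresses imitating familiar ones.
    imitated = lookalike_domain(domain)
    if imitated:
        flags.append(f"sender domain {domain!r} looks like trusted domain {imitated!r}")
    elif domain not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {domain!r} is not a known counterparty")

    # Control: additional check of new account numbers before transferring.
    if req.beneficiary_account not in KNOWN_ACCOUNTS:
        flags.append("new beneficiary account: confirm by phone call before transfer")

    # Control: be wary of 'urgent' payment instructions.
    text = f"{req.subject} {req.body}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append(f"urgency wording present: {', '.join(hits)}")

    # Control: double approval of transfers by two different people.
    if len(set(req.approvals)) < 2:
        flags.append("double approval required: fewer than two distinct approvers")

    return flags


if __name__ == "__main__":
    # Constructed spear-phishing style instruction: look-alike domain, new
    # account, urgency wording and only one approver.
    suspicious = PaymentRequest(
        sender="cfo@permain.example",
        subject="URGENT: supplier invoice",
        body="Please pay immediately, I am in a meeting and cannot call.",
        beneficiary_account="NO0000000000001",
        amount=48000.0,
        approvals=("alice",),
    )
    for reason in screen_payment(suspicious):
        print("HOLD:", reason)
```

The screening is deliberately conservative: it only produces reasons to hold a transfer and hand it to a human, which matches the point of the controls above. A new account number is not proof of fraud, so the flag tells the operator to make the phone call rather than to reject the payment outright.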
We ask everyone to be alert at all times and always check whether the emails we get are legitimate or not. Better safe than sorry!