While distributed denial of service attacks ebb and flow with geopolitics, mortgage problems and earnings reports, the two leading cyber threats against banks of late are both forms of phishing. One plays off the government's troubled healthcare program, the other spoofs top executives' email accounts, according to Christopher Novak, managing principal and security expert at Verizon Business.
"A lot of social engineering campaigns are using the confusion around what's happening in healthcare to say, you need to come to this website and register and give up either personal information or credentials," Novak says. The victim thinks it's a legitimate message from the company for which he works and coughs up the desired credentials on a fake website.
The emails say something like, you've probably heard in the media that there's this new healthcare regulation taking effect, you need to re-sign up for open enrollment, come in through Bank X's website.
"In reality, it's a hacker hosted site," Novak says. "You're supposed to log in with your bank credentials." Minutes after the victim enters his credentials on the website, someone will come in from Asia or Eastern Europe and use that login information on the bank's website. The hacker will then conduct a funds transfer or ACH transaction to move money out of the account.
"It's a different twist on something we've seen before in phishing," Novak says. "There's a lot of talk, a lot of confusion, a lot of information and misinformation about healthcare right now. Those are the kinds of things the hacker community loves. That's why every March and April you see a whole set of phishing emails that go out around taxes."
Another currently popular phishing exploit uses the stolen email addresses of a bank's top executives. "Someone will spoof an email to the CFO or controller and it will purport to be from the CEO," he says. "The email will say something like, we need to sponsor this event or pay this vendor, it's urgent and I need you to wire $100,000 into this account immediately, we're already 30 days late. Because it's from the CEO, other staff will expedite the request.
"In one case, the CFO happened to have lunch with the CEO and said, just out of curiosity, who was that merchant you had us expedite the wire transfer to?" Novak recalls. "The CEO said, 'What are you talking about?' The blood drained out of the CFO's face and he said he had to go. We've seen more than a dozen of those happen in the last week. Probably over $10 million has moved in the last week because of this."
If a bank recognizes immediately what's happened, it has a chance of recovering the funds. But once the money is moved offshore, it's gone. About 70% of the time, the companies targeted by such scams are banks, Novak estimates.
Verizon gets an inside look at such incidents because it works with the FBI or Secret Service on the investigations.
"Usually after the CEO and CFO talk and realize what's happened, they'll ask us to help them figure out what occurred," Novak says. "We'll start looking at the email, find the link and trace it back to the site, and from there figure out where the phishing email originated, how the wire transfers were executed and where the money ended up. Most unfortunate is once the money goes offshore, the ability to recover it often takes a turn for the worse. Always the hope is that we can catch it before it gets to that point."
The key sign that an email is fake is that it comes from outside the bank. "But it looks like it's coming from the CEO," Novak says. "Not to diminish the prowess of CFOs and controllers, but generally they're not security experts. They're not generally looking at the headers of the emails to notice that they're coming from outside the bank."
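The header check Novak describes, written out as an added example (not code from the article or from Verizon): the message claims an internal "From" address, but the envelope sender, the Reply-To and the first mail hop all point outside the bank. The internal domain, host names and the sample message are constructed placeholders.

```python
# Added example: flag executive-impersonation mail whose displayed sender is
# internal but whose envelope sender / origin lies outside the bank.
# All domains and the sample message below are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "examplebank.test"  # assumed internal domain (placeholder)

SAMPLE_MAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.9])
\tby mx.examplebank.test with ESMTP; Mon, 01 Jan 2024 09:00:00 +0000
From: "Jane Doe (CEO)" <jane.doe@examplebank.test>
Reply-To: jane.doe@examplebank-ceo.example.net
To: cfo@examplebank.test
Subject: urgent wire

Need you to wire this vendor today, travelling so can't talk. asap.
"""

def _domain(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw_mail, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a message looks like an outsider impersonating an
    internal sender. An empty list means no indicator fired."""
    msg = message_from_string(raw_mail)
    reasons = []
    if _domain(msg.get("From")) != internal_domain:
        return reasons  # does not claim to be internal; out of scope here
    # 1. Envelope sender (Return-Path) belongs to a different domain.
    rp_dom = _domain(msg.get("Return-Path"))
    if rp_dom and rp_dom != internal_domain:
        reasons.append(f"Return-Path domain {rp_dom} != {internal_domain}")
    # 2. Reply-To silently redirects any answer away from the displayed sender.
    rt_dom = _domain(msg.get("Reply-To"))
    if rt_dom and rt_dom != internal_domain:
        reasons.append(f"Reply-To domain {rt_dom} != {internal_domain}")
    # 3. The hop our MX accepted the mail from is an outside host, even though
    #    the From header claims the message originated inside the bank.
    received = msg.get_all("Received") or []
    if received:
        from_part = re.split(r"\s+by\s+", received[0], maxsplit=1)[0]
        if internal_domain not in from_part:
            reasons.append("first Received hop is external: " + from_part.split("(")[0].strip())
    return reasons
```

A mail gateway rule that tags or quarantines on any of these indicators lets the CFO see the warning without reading headers.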
You'd think two people who work closely together would be able to recognize a difference in tone in an imposter email message.
"You would think that, but a lot of times the email is kept very terse, to the point, with not a lot of detail," Novak says. "I think if you were to over-embellish it, that might cause you to ask more questions because you'd pick up the tone more, but it's more of a, 'this needs to happen asap,' or the email will be sent when someone's traveling and can't be asked about it in person."