Small business banks are the target of phishing attacks at an increasing rate. This is one of the areas I teach people about as part of my profession as an online-security analyst.
Over 200,000 new infections occurred between this past July and September of 2013, the highest jump in the past 11 years, says a report on networkworld.com. Cybercriminals are ubiquitous on this planet; the U.S. and Europe aren’t the only targets; count in Brazil, Japan, India, Australia and more.
ZeuS (aka Zbot) is a common piece of malware, planted on Web sites. Visitors are then attacked as the malware is installed on their computer through vulnerable, unpatched software. Once settled in, ZeuS steals online banking credentials, then transmits these details to a remote server.
So to recap: it starts with a visit to a Web site infested with ZeuS or other malware; the malware then infects the user’s computer if its software has weak links; and then the banking information on that computer is stolen and delivered to a remote site, where the cybercriminal accesses it.
Why are these Web sites being visited in the first place?
The user can’t resist clicking a link that’s sent to him or her in an e-mail – the link takes them to a malware-planted Web site.
It’s hard to believe (or maybe not?), but eweek.com reports that a recent security analysis says that 18 percent of phishing messages are opened in the workplace – and this includes clicking the accompanying malicious link. No wonder small banks are so affected by phishing scams.
Employees are a vast feeding ground for attacks. In fact, one particular phishing campaign yielded a 72 percent clicking response on the link.
Monthly training of employees to avoid suspicious e-mails helps knock down the percentage of clicks (to 2 percent) much better than quarterly training does (to 19 percent), but being reeled in to making that fateful click is still an enormous problem worldwide.
Phishing is a favorite in fraudsters’ arsenal of attacks: a way to gain access to computers as well as to infect them.
The attack begins with a “lure” in the e-mail message. It’s a numbers game: A lure such as “Thanks for your $500 purchase at Amazon,” if sent out to enough recipients, will accurately apply to enough of a percentage that out of that group, there will be takers of the bait. These vulnerable employees will think that the message (possibly sent out to thousands) was meant especially for them.
How many who open the e-mail actually click on the malicious link? Over 80 percent. Furthermore, 71 percent of computer users, says the report, are especially endangered because they run popular software such as Microsoft Silverlight and Adobe Acrobat.
The eweek.com report adds that cleaning recipients’ invaded computers costs the company, even though 57 percent of companies rated phishing attacks as “minimal.” However, even “minimal” impact still means a lot of cleanup for a high volume of attacks, involving IT staff response and employee downtime during system restoration.
How Bank (and Other) Employees Can Protect Themselves
Those who take the bait can end up with malware or a stolen identity. The Anti-Phishing Working Group recommends:
- A big red flag should go up for e-mails that request personal financial information. If the name of the company’s bank is mentioned, place a phone call to that bank regarding the suspicious e-mail.
- Be leery of exciting or worrisome statements designed to rattle emotions rather than sink in logically; think before you click!
- Be highly suspicious of a message asking for a password, username, credit card information, date of birth or other very private details of yourself or your company.
- Employees who don’t recognize the sender’s name or address, or have no idea what the message could pertain to, should simply ignore it altogether. It’s never urgent to click a link; you won’t get fired if you don’t.
- Never enter confidential financial (or personal) data in a form inside the e-mail.
- A special toolbar, installed in the Web browser, can help protect the employee from fraudulent sites. The toolbar compares online addresses with those of known phishing sites and will provide a prompt alert before you have a chance to click or give out private information.
- The latest versions of Chrome, Firefox and Internet Explorer have optional anti-phishing protection.
- Bank, debit and credit account statements should be regularly checked for suspicious transactions.
- If any transactions look suspicious or unfamiliar, the employee should alert appropriate personnel to contact the relevant financial institution (or contact it themselves if they’re in the position to do so).
- The computer browser should always be kept up-to-date. Security patches should be installed.
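The anti-phishing toolbar described above works by comparing the address behind a link with a list of known phishing sites before the user reaches the page. The following Python script is an added example of that check, written for this page rather than taken from any toolbar or browser vendor. The blocklist, the trusted bank domain (`examplebank.com`) and the sample links are all constructed placeholders, not real indicators. Beyond the plain list lookup, it also catches two tricks that a naive string comparison misses: a trusted bank name embedded in an attacker-controlled host (`examplebank.com.account-update.test`) and a bank name placed in the user-info part of the URL (`examplebank.com@evil.test`), plus links that point at a raw IP address instead of a domain.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed blocklist of known phishing hosts (hypothetical, not real IoCs).
KNOWN_PHISHING_HOSTS = {
    "secure-login.examplebank-verify.test",
    "examplebank.com.account-update.test",
}

# Constructed set of the organisation's legitimate banking domains (hypothetical).
TRUSTED_BANK_DOMAINS = {"examplebank.com"}


def link_host(url: str) -> str:
    """Return the lowercase hostname a link really points at.

    urlsplit().hostname discards the user-info part, so a link written as
    'http://examplebank.com@evil.test/' correctly resolves to 'evil.test',
    and it strips any port number.
    """
    if "://" not in url:            # links in e-mail often omit the scheme
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_trusted(host: str) -> bool:
    """True when host is a trusted bank domain or a proper subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_BANK_DOMAINS)


def is_lookalike(host: str) -> bool:
    """True when a trusted bank's name appears inside a host that is NOT that
    domain, e.g. 'examplebank.com.account-update.test' or 'examplebank-com.test'."""
    if is_trusted(host):
        return False
    for trusted in TRUSTED_BANK_DOMAINS:
        if trusted in host or trusted.replace(".", "-") in host:
            return True
    return False


def check_link(url: str) -> str:
    """Classify a link the way a toolbar would, most severe finding first."""
    host = link_host(url)
    if not host:
        return "block: unparsable link"
    if host in KNOWN_PHISHING_HOSTS:
        return "block: known phishing site"
    try:
        ipaddress.ip_address(host)      # raises ValueError for ordinary names
        return "warn: raw IP address instead of a bank domain"
    except ValueError:
        pass
    if is_lookalike(host):
        return "warn: host imitates a trusted bank domain"
    if is_trusted(host):
        return "allow: trusted bank domain"
    return "unknown: not on any list"


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing e-mail.
    samples = [
        "https://online.examplebank.com/login",
        "http://examplebank.com@secure-login.examplebank-verify.test/",
        "examplebank-com.test/verify",
        "http://192.0.2.10/login",
        "https://news.example.org/",
    ]
    for link in samples:
        print(f"{check_link(link):50s} {link}")
```

The ordering in `check_link` matters: a host that is both on the blocklist and a lookalike is reported as a known phishing site, which is the more actionable verdict. A real toolbar would refresh its blocklist from a feed rather than a hard-coded set, but the host normalisation and the lookalike test are the parts that decide whether a lure gets through.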
Bank leaders and their employees who follow these rules will not have to worry about phishing attacks.