Targeted phishing aimed at bank and credit union employees continues to grow, it continues to get more sophisticated, and it continues to result in millions of lost dollars.
It’s not razzle dazzle but it is a proven way to steal.
Question: would you click on an email from your boss with the header: Urgent - Need Response Immediately?
One financial institution employee in two will click on that email, and they may regret their decision because the emails may carry malware that could involve transmitting user name and password to criminals, who will loot the credit union or its members’ accounts.
“When we start training employees, the susceptibility rate usually is around 58%,” said Rohyt Belani, CEO of PhishMe, a Chantilly, Va., training company that claims three of the four biggest banks as customers. Belani also said the company has many credit union customers – he declined to name names – among its 175 active accounts.
What PhishMe does is simple. Employees at clients get periodic targeted phishing emails, sent by PhishMe. Those who click to open immediately get a mini training session (90 seconds to perhaps three minutes, said Belani).
The process is repeated – again and again.
After 18 months of training, susceptibility plummets to the 4% to 8% percent range, said Belani.
The point: employees can be taught, through bite-sized educational interludes, what to click on and what to forward to security.
But this is a never-ending fight. Phishing emails continue to morph as the senders get smarter.
A frightening prediction from Belani: “In 2013 we will see more targeted malware SMS sent to employees’ cellphones.” His belief: as Bring Your Own Device (BYOD) has spread to more institutions, security for those devices has not kept pace.
He sees criminals targeting financial institution employees, grabbing their contacts list off their phones, and using that data to send out more and more precisely targeted phishes.
Would you click on a link in an SMS that seemed to come from your credit union’s CEO?