Phishing is, according to Wikipedia, "the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication."
In its most common form, phishing is the sending of an email containing a link that appears to be from a trusted source, e.g., your credit union, but really isn't.
In the early days of phishing, such attacks were largely directed at consumers. The cyber-criminal would send out a massive number of emails claiming to be from, for example, Bank of America. The email would alert the consumer to some sort of security breach that required the consumer's attention, instructing said consumer to click the link to log on to home banking and resolve the matter.
Of course, everything would turn out okay for the consumer – except that by following the prescribed steps, the consumer surrendered his or her home banking credentials to the fraudster. Just like that, those bank accounts were emptied. It didn't really matter that most of the recipients weren't, in this example, Bank of America customers. Just one dumb B of A customer could make for a very lucrative payday.
The problem with this scheme is that it is not highly efficient. Breach one consumer and you can only steal from one consumer. However, breach a large organization and you may have the opportunity to steal from hundreds or even thousands of that organization's customers. That is why many of the phishers of the world have redirected their efforts toward employees, including your credit union's employees.
Why go to all the time and trouble of hacking into a credit union's computer system when you can let a careless credit union employee do all the heavy lifting for you? Virtually all of the major breaches you read about week after week have one thing in common: They started when an employee, contractor or business partner clicked on a link they shouldn't have clicked on, in an email they shouldn't have trusted.
This phenomenon has given rise to a category of products with names like BadPhish, PhishMe and PhishGuru. These products launch simulated phishing attacks at your employees. If your employee takes the bait, you're immediately notified. This sort of product can be to your credit union what random drug testing is to professional sports. It is unfortunate when someone fails the test, but better to fail the test than fail in a real-life situation.
Examiners are becoming increasingly adamant about adequate cyber security training for employees. What's more, many of these solutions are very cost-effective. If you can prevent a cyber intrusion, satisfy an examiner and increase employee awareness all in one fell swoop, all at a relatively minimal cost, this is probably an area you should factor into your 2016 budget. The members you save may be your own.
© Touchpoint Markets, All Rights Reserved.