Much of cybersecurity relies on humans, and humans, of course, are fallible. That’s why email phishing campaigns, where a hacker pretends to be someone else in hopes that the target will cough up money or information, are about as old as email itself.
But now, hackers have become sophisticated enough to fine-tune targeted attacks at individuals—even taking over someone’s email account—and do financial and reputational harm. Community banks are a prime target.
To build a better line of defense, community banks can use cybersecurity tools, but they should also train their employees on the lures currently in vogue with hackers and on what to do if they fall for a fake email. As long as email is a method of communication, phishing attacks will stick around.
“Anyone with an email address is targeted by phishing attacks,” says Todd Stringer, information security officer at $6.8 billion-asset BankPlus in Ridgeland, Miss. The kinds of attacks may change, but email is “a prevalent attack vector that’s not going away anytime soon.”
In order to know what to look for, employees need to know what’s happening on the ground. That’s why this kind of education can’t just happen once a year, says Dror Liwer, cofounder and chief marketing officer for Coro Cybersecurity.
Any time a fellow community bank is phished, employees should be updated on how the attack happened, he says. “Sharing it with the team, including how someone fell for that scam, can help make sure they don’t fall for the same thing.”
Constant phishing education
For example, employees who have been trained to watch for unusual file attachments and suspicious links they shouldn’t click on are less likely to hand over their login credentials, and a stolen login is the usual starting point for business email compromise, where hackers take over someone’s email account and then start acting as if they were that person. According to the FBI, losses from this type of fraud mounted to $43 billion between 2016 and 2021.
“If in the past it was a generic email sent to millions of people in the hopes someone would fall for it, this kind of phishing is sending you an email that looks very convincing and very targeted at you personally,” Liwer says. These emails come from actual corporate email addresses, just with hackers in control. Because the real mailbox is sending them, they pass sender-authentication checks such as SPF and DKIM and can land inside a genuine existing thread, so the usual technical tells of a spoofed sender are absent.
If employees aren’t aware of this practice, they may not question why the CFO, who never reaches out to them directly, is asking them to transfer funds, or why someone in accounts payable is asking them to pay a vendor at a different account than what has been used before.
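The two warning signs described above, a vendor suddenly naming a bank account that has never been paid before and an executive who never writes to you asking for a transfer, can also be checked by software before a payment is released. The following is an added example, not code from the article or from BankPlus or Coro; the vendor master, the executive list, the history of who normally emails whom and the sample messages are all constructed for illustration, and the heuristics are an assumption about what such a control looks like rather than a description of any bank’s actual process. It also adds one signal the article does not mention, a Reply-To address that differs from the sender, which diverts replies away from the real mailbox.

```python
"""Hold payment requests that match common business email compromise patterns.

Added example; not code from the article or from any named bank.
All reference data below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed vendor master: accounts each vendor has actually been paid to.
KNOWN_VENDOR_ACCOUNTS = {
    "acme supply": {"123456789012"},
}

# Constructed list of executive mailboxes whose payment requests get a second look.
EXECUTIVE_ADDRESSES: Set[str] = {"cfo@bank.example"}

# Constructed mail history: (sender, recipient) pairs seen in normal traffic.
PRIOR_CONTACTS: Set[Tuple[str, str]] = {
    ("ap@acme-supply.example", "payables@bank.example"),
    ("cfo@bank.example", "controller@bank.example"),
}

ACCOUNT_RE = re.compile(r"\b(?:account|acct)\b[^0-9]{0,20}(\d{8,17})", re.I)
TRANSFER_RE = re.compile(r"\b(wire|transfer|remit|pay(?:ment)?)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|asap|today|before (?:end|close) of (?:day|business))\b", re.I
)


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    reply_to: Optional[str] = None
    vendor: Optional[str] = None  # vendor the request claims to concern, if any


@dataclass
class Verdict:
    hold: bool
    reasons: List[str] = field(default_factory=list)


def check_payment_request(msg: Message) -> Verdict:
    """Return a Verdict; hold=True means confirm by phone before paying."""
    reasons: List[str] = []
    sender = msg.sender.lower()

    # Pattern 1: the vendor's email names an account we have never paid before.
    if msg.vendor:
        known = KNOWN_VENDOR_ACCOUNTS.get(msg.vendor.lower(), set())
        for acct in ACCOUNT_RE.findall(msg.body):
            if acct not in known:
                reasons.append(f"{msg.vendor}: account {acct} not in vendor master")

    # Pattern 2: an executive who has never mailed this employee asks for a transfer.
    if sender in EXECUTIVE_ADDRESSES and TRANSFER_RE.search(msg.body):
        if (sender, msg.recipient.lower()) not in PRIOR_CONTACTS:
            reasons.append(f"first-ever transfer request from {sender} to {msg.recipient}")
        if URGENCY_RE.search(msg.body):
            reasons.append("urgency language on a funds transfer")

    # Supplementary signal: a Reply-To that sends answers somewhere other than the sender.
    if msg.reply_to and msg.reply_to.lower() != sender:
        reasons.append(f"Reply-To {msg.reply_to} differs from sender {msg.sender}")

    return Verdict(hold=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    # Constructed sample: vendor asks to switch to an unknown account.
    sample = Message(
        sender="ap@acme-supply.example",
        recipient="payables@bank.example",
        vendor="Acme Supply",
        body="Please update our account number to 987654321098 for the next payment.",
    )
    print(check_payment_request(sample))
```

The point of the history check is that it keys on behaviour rather than on the sender address, which in a true account takeover is genuine; a request that trips any rule is held for confirmation through a phone number already on file, never through the contact details in the email itself.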
This is why community banks “need to educate their employees constantly,” Liwer says. That way, they know exactly what to look out for. In addition, each such update is a regular reminder that threats are out there, reinforcing earlier training.
Community banks can test how well their employees spot scams by running their own simulated phishing campaigns. BankPlus runs multiple tests like this every year.
“We send phishing emails out internally and do our best to make sure those emails look like something that an attacker might use,” Stringer says, adding that these tests change quite often to match what hackers are doing out in the real world, “so it’s never the same internal test twice.”
If BankPlus sees a new phishing scam happening to other community banks or similar businesses, they’ll run a test to simulate it, he says.
If an employee falls for a fake phish, they are redirected to a website that “educates them on what they missed, and why that email was phishing,” Stringer says. The tone of the videos and informational documents on that site is educational, not disciplinary.
“This isn’t some loud buzzer that goes off to let everybody know someone clicked on the link. We don’t want to embarrass them,” he says. “If you want your employees to do better, educate them to do so, and train them to do so.”
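One way a simulation can tell who clicked, send that person straight to the training page, and still collect nothing sensitive, is to give each employee’s copy of the test email its own tracking link whose token is an HMAC over the campaign and employee IDs. The following is an added example, not code from the article or from BankPlus; the design, the `SECRET`, the URLs and the in-memory click store are assumptions made for illustration.

```python
"""Per-recipient tracking links for an internal phishing simulation.

Added example, not code from the article or from any named bank. Each
link carries an HMAC of (campaign, employee), so a click can be attributed
to exactly one person without the link being guessable or forgeable, and
the only thing a click does is redirect to the training page.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder: in practice load from a secrets store and rotate per campaign.
SECRET = b"replace-with-a-random-32-byte-key"
LINK_BASE = "https://links.bank.example/c"          # constructed
TRAINING_URL = "https://training.bank.example/why-this-was-phishing"  # constructed

# (campaign_id, employee_id) -> number of clicks; a real system would persist this.
CLICKS: Dict[Tuple[str, str], int] = {}


def _token(campaign_id: str, employee_id: str) -> str:
    # NUL separator prevents ("ab","c") and ("a","bc") from colliding.
    msg = f"{campaign_id}\x00{employee_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_tracking_url(campaign_id: str, employee_id: str) -> str:
    """Build the link embedded in one employee's copy of the test email."""
    params = {"c": campaign_id, "u": employee_id, "t": _token(campaign_id, employee_id)}
    return f"{LINK_BASE}?{urlencode(params)}"


def handle_click(url: str) -> Optional[str]:
    """Validate a clicked link. Returns the redirect target, or None for a bad link."""
    query = parse_qs(urlparse(url).query)
    try:
        campaign_id = query["c"][0]
        employee_id = query["u"][0]
        token = query["t"][0]
    except (KeyError, IndexError):
        return None
    # Constant-time compare so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(_token(campaign_id, employee_id), token):
        return None  # tampered or guessed: do not count, do not redirect
    CLICKS[(campaign_id, employee_id)] = CLICKS.get((campaign_id, employee_id), 0) + 1
    # No credential form and no data capture: the click itself is the lesson.
    return TRAINING_URL


def click_count(campaign_id: str, employee_id: str) -> int:
    return CLICKS.get((campaign_id, employee_id), 0)


if __name__ == "__main__":
    link = make_tracking_url("q3-invoice", "emp-0042")
    print(link)
    print(handle_click(link), click_count("q3-invoice", "emp-0042"))
```

Because the token is bound to the employee ID, an employee cannot shift a click onto a colleague by editing the link, and because the landing page asks for nothing, the exercise never accumulates real passwords that would themselves need protecting.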
BankPlus also has a dedicated helpdesk that employees can contact if they think they fell for a phish, though Stringer says the cybersecurity department usually knows first, since its security tools recognize unusual activity on the network. But the community bank’s focus on safety instead of consequences means employees are more likely to reach out with a concern.
While employees who break policy at BankPlus are subjected to reprimand, Stringer says they will not be shamed for mistakes.