For banks, keeping customer and institutional data safe is an ongoing challenge. Between malware, phishing, vishing, email spoofing, malicious attachments and other cyber threats, there’s always work to be done.
“It’s never-ending,” says Leslie Lowery, chief financial officer at $320 million-asset Merchants and Planters Bank in Newport, Ark. “When we get one area of vulnerability under control, another one pops up. It’s like Whac-A-Mole.”
Beyond securing their systems on the technology side, community banks have a perpetual need to educate employees and customers about the latest threats and safety best practices.
Here are some ways community banks are rising to the challenge.
Testing employees’ ability to sniff out bad actors
Community banks use various tactics to keep employees up to date on the latest threats and scams.
For example, $220 million-asset Security Bank in Dyersburg, Tenn., works with a vendor that provides a monthly video that bank employees are required to watch on topics such as how to identify a phishing email and respond appropriately, says Jennifer Nunley, president and CEO.
The community bank tracks who completed the training and follows up, if necessary, to ensure compliance. According to Nunley, the videos are just three minutes on average, and the bank increased the frequency from once a year to monthly to keep it fresh in employees’ minds.
Several community banks also work with third-party vendors or their own IT departments to test employees’ ability to weed out bad actors. They send emails to staff members, often spoofing the email of actual bank executives, asking employees to click on links or open attachments. These emails are meant to be realistic and plausible—to make employees think before they act, bankers say.
Tim Aiken, president and chief executive of $370 million-asset Union Bank in Middlebourne, W.Va., offers the example of an email crafted by the community bank’s network administrator that appears to come from its human resources administrator. The email told employees there was a mistake in their recent pay stub and invited them to click on a link to receive corrected information. Another email, purportedly from the bank’s holiday party committee, asked employees to click on a link and give their input.
At Climate First Bank in St. Petersburg, Fla., many new hires receive a text, purportedly from the bank’s chief executive, in which he asks them to use their own money to buy $500 in gift cards for a customer and immediately provide him with the codes, says Lex Ford, president of the $425 million-asset community bank.
Two years ago, two new hires fell for the scheme. They got their money back but had to go through additional training to ensure they didn’t make this type of mistake again, Ford says. Now, bank employees get CEO fraud training during first-day onboarding.
Bank employees also receive ongoing training, which includes weekly spoof emails to try to entice them to click on a link or open an attachment. Every quarter, or whenever the bank identifies a new fraud, Climate First alerts its staff.
Just recently, for instance, the bank told staff about an email that targeted the bank’s CEO. He received an email from outside the bank, seemingly from someone he knew, asking him to scan a QR code embedded in the email and send money. He didn’t fall for it, but the occurrence made for a teachable moment, Ford says, adding that employees also need to be reminded frequently to report suspicious emails to their bank’s IT department.
Getting the word out to customers
Proactive communication is one of the main ways banks can help customers avoid being duped. This is especially important given that artificial intelligence is increasingly being used to make threats seem more credible and thus more difficult to discern.
Community banks need to tell customers repeatedly how they will and will not contact them, and to do so through every channel available: paper brochures, mailings, texts, social media, emails, signage in bank branches and the bank’s website. “Every time you are communicating with them, drive home that message,” says Richard Watson-Bruhn, U.S. head of digital trust and cybersecurity at PA Consulting.
Older customers are a demographic that can be an especially easy target for scammers. Since many of these customers don’t use online banking, it’s even more important for banks to reach them in other ways, such as bank signage, handouts and postal mailings.
“They [tend to be] less digitally literate, and that’s more of a threat [to community banks],” says Jennifer Fuller, U.S. financial services lead at PA Consulting.
To reach non-digital natives, Security Bank’s tellers hand out brochures on topics that include ATM security, cybersecurity on smartcards and chip technology, direct deposit, direct payment, online banking and data security.
For more digitally savvy customers, community banks post warnings on their websites. Union Bank recently used one to alert customers to a social engineering campaign conducted by text message, in which customers were told their account was on hold and asked to enter their debit card number.
“These text messages are not legitimate and should be deleted if received,” the website alert reads. The warning asks customers to call the bank’s operations department if they have questions or concerns.
Community banks also use social media outlets such as Facebook and Instagram to post about threats they are seeing.
In July, for instance, Merchants and Planters Bank posted the following warning on its Facebook page: “Scammers gonna skim, but there are ways to help secure your card information,” directing customers to several links for further education on fraud prevention.
And in March, the community bank used Facebook to remind customers that it would never call or text to ask them for their personal information, and to not give anyone their account number, debit card number, PIN or Social Security number.
For its part, Security Bank posted on Facebook in late June advising customers not to entertain calls that offer online banking registration assistance. Another post from the same day cautioned customers to avoid online scams in the Philippines.
In all communications, community banks should encourage customers who have any doubts to contact the bank at a number they know to be genuine—not the one listed in an email or text—and confirm the validity of the communication before taking any action, says Jim Mottola, vice president of data privacy, investigations and security at Porzio Compliance Services.
Fraudsters prey on people’s emotions, trying to create a sense of urgency. Banks need to train customers “to stop before they give any information,” Mottola says. “You have to take the emotion out of it.”
The fine line between employee remediation and discipline
It’s bound to happen from time to time: Employees will fall for a simulated scam created for training purposes by a bank’s IT department or a third-party vendor. While it’s uncommon for employees to fail one of these tests twice, it does happen, and banks need a plan to ensure data security is taken seriously, says Tim Aiken, president and chief executive of Union Bank in Middlebourne, W.Va.
In his community bank’s case, an employee who fails once every 12 months has to complete remedial training, with additional exercises required if the person fails twice in that time frame. A third offense likely means a face-to-face discussion with a senior manager, so the employee understands the bank’s commitment to data security, Aiken says.
“All banks wrestle with how to work this into their disciplinary standards,” Aiken says. “On one hand, you want to allow for remediation.” On the other hand, banks have to be extremely careful about data privacy. “It really just takes one wrong click [to do damage].”