
AuburnBank prides itself on being a locally minded institution. The $977 million-asset community bank has clients in every state and even internationally, but its focus is on Auburn, Alabama, says Jerry Siegel, senior vice president and chief technology officer.

The community bank has worked hard to build a good reputation within the community, which is why Siegel also knows that if there’s ever a data breach, it won’t just be a blip of a news story. It could put the whole bank at risk.

“We’re in a small town,” he says. “A breach would be more detrimental to us and our customer reputation than if it would be at a larger institution.”

Community banks have built their reputation on trust, which can be damaged by a successful cybersecurity attack. 

A study from Vercara found 66% of U.S. consumers would not trust a company that has a data breach, and 44% attribute such events to a company’s inability to take proper security measures. Plus, such breaches are expensive, averaging $4.88 million, according to IBM.

But community banks are well attuned to how to protect their operations, employees, customers and data from these kinds of threats, despite the ever-changing nature of cyber threats.

Here’s a look at the cybersecurity threats community banks are addressing today and how banks are empowering both their staff and their customers to guard against cybercrime. 

Classic scams abound


The most common cyber threats community banks face today are not new, says Mike Manske, director of cybersecurity consulting at West Monroe, a global business and technology consulting firm. 

Ransomware, in which criminals use malware to encrypt an organization’s systems and data and then demand payment to restore access, remains at large. 

Phishing attacks are still out there, too. They aim to take over business email accounts, and attackers use them to trick employees into handing over their credentials so they can get into the organization’s systems. 

Business email compromise (BEC) is another “classic” cybercrime vehicle. In a BEC attack, a bad actor either prompts someone to click a link that gives the attacker a foothold in a system, or spoofs an email or text message that tricks the recipient into turning over a login and password; the compromised or spoofed account is then used to impersonate a trusted party, often to redirect a payment. 

“Business email compromises have been out there forever,” Manske notes. 

To complicate matters, all these methods can be connected: Phishing is often the initial step by which malware is delivered into a system, and a ransom demand follows once the ransomware runs.


The importance of a cyber incident response plan

Community banks should have an incident response plan and run through what they would do in the case of a breach, a natural disaster or anything else that might interrupt business operations, says Mike Manske, director of cybersecurity consulting at West Monroe, a global business and technology consulting firm.

“Do you have the right action plan in place? Have you tested it? Have you done tabletop exercises? What is the business continuity plan?” he says. “Putting those plans in place and then making sure those plans work does become very helpful when there is an incident.”

Plan updates and testing need to be ongoing, because attacks, software and people change. “Sometimes it’s overlooked, because they’ve been done in the past, but continuing to mature capabilities is a key component” of such exercises, Manske says.

Community bankers can stay up to date on current threats by speaking to their peers to see what they’re facing, as well as learning about evolving risks through ICBA’s Cyber & Data Security page and FS-ISAC's weekly risk summary reports.

Tools to stop online and offline fraud


While the basic schemes are the same, technology is helping the bad actors get better at them. 

With generative AI, “there are no more misspellings,” says Manske. “There are deep fakes. All of this stuff makes it a lot harder for someone to pick up that it’s fake.” 

AI isn’t just being used by the bad guys, though. Attackers may be using it to move faster and adapt, but cybersecurity professionals are also using it to strengthen their defenses. While each bank might not be building AI-enabled protections from the ground up, you “want to be a fast follower,” Manske says. 

Community banks are doing just that, whether it’s through partnering with new vendors or working with vendors they already have. 

Threat detection and real-time software monitoring continue to be powerful tools in identifying fraud attempts, says Terri Luttrell, compliance and engagement director at banking software company Abrigo. 

A tool’s built-in AI flags attempts to break into the system, odd patterns of employee behavior, or departures from how a customer normally banks. The software then alerts a security team member that something is potentially off so they can investigate and act accordingly. 

These detection tools can also alert community bankers when a customer is potentially being scammed, whether that’s by romance scams or “pig butchering” scams, where fraudsters gain trust with victims over time, then lead them to investing in fake cryptocurrency assets or other fake “opportunities.” 

Software can look for those unusual banking patterns, such as when someone who has never sent a wire transfer suddenly does so. While a banker can’t stop someone from sending the money, detecting these kinds of patterns is an opportunity to reach out to the customer and, when appropriate, share resources from law enforcement about such scams, Luttrell says.
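The pattern Luttrell describes, a customer who has never sent a wire suddenly doing so, is one of several behavioral signals a monitoring tool can score. The block below is an added example, not Abrigo’s or any vendor’s code: a small rule-based baseline run over a constructed transaction ledger. It flags a first-ever wire, a wire far above the customer’s usual outgoing amounts, a wire to a never-seen beneficiary, and a run of escalating wires to one payee (the shape a pig-butchering scam tends to leave). The thresholds, window sizes, customer names and amounts are all assumptions made for the illustration.

```python
"""Rule-based anomaly flags over an outgoing-transaction ledger (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Txn:
    customer: str
    ts: datetime
    kind: str          # "wire", "ach", "card" or "check"
    amount: float
    beneficiary: str   # payee identifier for the outgoing transfer


# Assumed thresholds; a bank would tune these against its own customer base.
OUTLIER_MULTIPLE = 5.0                 # wire vs. median prior outgoing amount
BASELINE_WINDOW = timedelta(days=90)   # history used for the median
ESCALATION_WINDOW = timedelta(days=30)
ESCALATION_COUNT = 3                   # wires to one payee, each larger than the last


def _day(n: int) -> datetime:
    return datetime(2024, 1, 1) + timedelta(days=n, hours=9)


# Constructed sample ledger (not real customers or transactions).
SAMPLE = [
    Txn("C1", _day(1), "card", 42.10, "grocer"),
    Txn("C1", _day(3), "check", 1200.00, "landlord"),
    Txn("C1", _day(8), "card", 63.75, "grocer"),
    Txn("C1", _day(20), "card", 55.00, "pharmacy"),
    Txn("C1", _day(30), "check", 1200.00, "landlord"),
    Txn("C1", _day(45), "wire", 9500.00, "crypto-exch-A"),   # first wire ever, far above baseline
    Txn("C1", _day(52), "wire", 18000.00, "crypto-exch-A"),  # second, larger wire to same payee
    Txn("C1", _day(60), "wire", 35000.00, "crypto-exch-A"),  # third: escalation pattern completes
    Txn("C2", _day(2), "wire", 5000.00, "supplier-X"),       # C2 is a business that wires routinely
    Txn("C2", _day(15), "wire", 5200.00, "supplier-X"),
    Txn("C2", _day(31), "wire", 4900.00, "supplier-X"),
    Txn("C2", _day(44), "wire", 5100.00, "supplier-Y"),      # new payee, but a normal amount
]


def flag_wires(txns):
    """Walk the ledger in time order and attach reasons to outgoing wires.

    Each wire is judged only against the customer's history before it, so the
    function behaves like a stream processor rather than a batch lookback.
    """
    history = defaultdict(list)   # customer -> prior transactions, chronological
    flags = []
    for t in sorted(txns, key=lambda x: x.ts):
        prior = history[t.customer]
        if t.kind == "wire":
            reasons = []
            prior_wires = [p for p in prior if p.kind == "wire"]
            # Established customer (has history) who has never wired before.
            if prior and not prior_wires:
                reasons.append("first_wire")
            # Amount far above the customer's own recent outgoing baseline.
            recent = [p.amount for p in prior if t.ts - p.ts <= BASELINE_WINDOW]
            if recent and t.amount > OUTLIER_MULTIPLE * median(recent):
                reasons.append("amount_outlier")
            # Customer already has wire payees, and this one is new.
            if prior_wires and t.beneficiary not in {p.beneficiary for p in prior_wires}:
                reasons.append("new_beneficiary")
            # Strictly increasing run of wires to one payee inside the window.
            chain = [p.amount for p in prior_wires
                     if p.beneficiary == t.beneficiary and t.ts - p.ts <= ESCALATION_WINDOW]
            chain.append(t.amount)
            if len(chain) >= ESCALATION_COUNT and all(a < b for a, b in zip(chain, chain[1:])):
                reasons.append("escalating_wires")
            if reasons:
                flags.append({"customer": t.customer, "ts": t.ts, "amount": t.amount,
                              "beneficiary": t.beneficiary, "reasons": tuple(reasons)})
        prior.append(t)
    return flags


def customers_to_contact(flags):
    """Customers whose flags justify a banker reaching out (assumed triage rule)."""
    out = set()
    for f in flags:
        r = f["reasons"]
        if "escalating_wires" in r or {"first_wire", "amount_outlier"} <= set(r):
            out.add(f["customer"])
    return out


if __name__ == "__main__":
    found = flag_wires(SAMPLE)
    for f in found:
        print(f["customer"], f["ts"].date(), f["amount"], f["beneficiary"], f["reasons"])
    print("contact:", sorted(customers_to_contact(found)))
```

On the constructed ledger, C1’s first wire is flagged as both a first-ever wire and an amount outlier, and the third wire to the same exchange completes the escalation pattern; C2’s routine supplier wires produce only a low-severity new-beneficiary flag, which is what keeps a rule set like this from drowning a small security team in alerts. A real deployment would calibrate the thresholds per customer segment and feed the flags into the outreach process the article describes rather than block the transfer.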

Maintaining the in-person touch

$6.7B: the cost of business email compromise attacks (Source: Nasdaq)

Coupling all these tools with preventive education can stop fraud before it even needs to be detected.

Wilson Bank & Trust in Lebanon, Tennessee, sends employees or its law enforcement partners out into its community to educate people on what they should be looking for in terms of fraud, says Elvis Huff, vice president and director of information security at the $5.6 billion-asset community bank. 

“I talk with a number of customers who say, ‘What could they possibly want with me here in rural America?’” he says. “But people have Social Security numbers, personal information, a credit file, which would be of interest to someone, and these panels and sessions let customers know that.” 

Huff has also spoken at workshops hosted by local businesses, universities, the Tennessee state legislature and industry partners. 

“It doesn’t matter how small a business you have; you have some form of intellectual property if you have some form of data or you have customer information,” he says.

63% of survey participants said their organization had seen check fraud in 2024 (Source: Association for Financial Professionals)

He has found that these efforts empower community members instead of instilling fear. They give people the information and tools to protect themselves and, for business owners, their businesses and clients. 

In these sessions, bankers show customers the signs that they are being targeted by an online attacker, such as someone asking for login and password details, or demanding payment in cryptocurrency such as bitcoin, or in gift cards. 

Luttrell adds that community bankers can also meet with customers one on one, even if their accounts are not showing any signs of suspicious activity. If a customer likes coming into the bank branch already, it’s an opportunity to educate, she says. 

“If you’re a community banker, that’s what we want you to do, and be that trusted advisor,” Luttrell explains. 

This is especially key for older customers, as senior citizens are frequent targets of cybercrime and were associated with an estimated $77.7 billion in losses in 2024, according to Nasdaq. 


How to curtail phishing season

AuburnBank in Auburn, Alabama, has long run fake phishes as part of staff training, but in the face of threats enhanced by AI, it has fine-tuned its approach. Fake phishing emails are now more customized and sent at times they’re likely to catch people off guard.

For example, the community bank ran a fake phish that encouraged employees to buy raffle tickets for an Auburn University football game, allegedly sent by a property management company the bank uses. Another time, the bank sent a fake phish during one of its United Way campaigns.

According to Jerry Siegel, senior vice president and chief technology officer, the most “successful” fake phish came during AuburnBank’s insurance open enrollment period. “Why does your insurance company want you to sign up with your username and ID from the bank? Think about it,” he says.

AuburnBank doesn’t punish staffers if they fall for a phish—fake or not. That’s because leaders want people to come forward and report an attack if they think someone got into the system.

The community bank’s C-suite also leads by example. When an executive fell for a phish, he spoke about the experience to the rest of the bank. That kind of top-down approach keeps cyber safety top of mind, Siegel says. If employees see that even executives fall for these scams, it might take the sting out of it happening to them.

Replacing cybersecurity assessment toolkits

While working to keep their banks safe, community bankers have also been working on transitioning to new assessment tools. 

On August 31, 2025, the Federal Financial Institutions Examination Council (FFIEC) retired the Cybersecurity Assessment Tool (CAT). It was released in 2015 as a voluntary assessment tool for financial institutions, designed to help them identify risk and evaluate their cybersecurity preparedness. 

While this is a change, it’s a necessary one, says Anjelica Dortch, vice president of operational risk and cybersecurity policy at ICBA. CAT was developed at a different time, for a different threat landscape. “The retirement of the tool was necessary in order for us to adapt to the ever-evolving cybersecurity landscape,” she says.

ICBA has been helping community bankers make the transition from CAT to better options. Instead of using a one-size-fits-all assessment, it's been helping community banks evaluate what’s best for their needs. 

Through this work, ICBA identified four potential solutions that it sees as the best options for most members: Finosec Cybersecurity Assessment Tool, Center for Internet Security (CIS) Controls, NIST Cybersecurity Framework (CSF) 2.0 and Cyber Risk Institute—Cyber Profile.

“It’s no longer a one-tool-fits-all approach,” Dortch says. “It’s about picking the tool that’s rightsized for your institution’s risk appetite.” 

Wilson Bank & Trust uses the latest, state-of-the-art cybersecurity tools to protect customer information and data, says Huff, and continuously evaluates its tools and techniques to make sure that protection holds.

AuburnBank is currently evaluating two solutions recommended by ICBA. No matter which tool it selects, AuburnBank continues its quest to spot and stop cyber attacks to protect the bank, its customers and its reputation.

How ICBA can help

Keep up to date with data breaches and the tools to fight them at icba.org/innovation/operational-risk/cyber-and-data-security