Protect your community bank from third-party vendor cyber risks. Learn how to prevent Trojan horse attacks, assess security and empower your team.
Ways to Stop 'Trojan horse' Attacks on Community Banks
May 01, 2026 / By Jen A. Miller
Community banks have diligently fortified their organizations’ walls against a range of cybersecurity attacks, but it’s not going to matter if they don’t know what their trusted partners could be letting in.
That’s because despite the strong cybersecurity safeguards of community banks, third-party vendors can open avenues of attack if their security is not also up to snuff.
Threat actors are “looking for the path of least resistance,” says Rob Farling, risk and compliance banking lead at business and technology consultancy West Monroe in Chicago. “What is an easier way to get that bank customer’s money and information? There’s a decent chance it’s through the vendors.”
Here’s what community bankers need to know about spotting and stopping these Trojan horse-style attacks.
The threat landscape coming from third-party vendors has changed because banks’ relationships, and the volume of those relationships, have changed as banks move beyond relying solely on core providers for all technology needs, says Tom Wojcinski, partner in the cybersecurity and technology management practice at Wipfli, a consultancy based in Milwaukee.
Digital transformation, which has often involved expansion into the cloud and partnering with fintechs on new products, has meant that community banks can innovate, be nimbler and offer better services to their customers.
But these changes have also increased potential attack vectors. According to Verizon’s 2025 Data Breach Investigations Report, 30% of the 12,195 confirmed data breaches came from third-party vendors—double that of 2024.
Hackers target third-party vendors because they might not be as secure as banks have made themselves. With a successful third-party vendor hack, criminals wouldn’t need to break into the bank. Instead, a vendor is already “[inside] the walls,” says Farling. That means so is the threat actor who can steal information, plant malware or set the stage for a ransomware attack.
Categorize and assess vendor risk
30% of confirmed data breaches in 2025 came from third-party vendors, double that of 2024. (Source: Verizon 2025 Data Breach Investigations Report)
Not every vendor will create the same kind of Trojan horse risk. There’s a difference, for example, between a vendor having a point-to-point, permanent connection between itself and the bank, and a vendor that requires “periodic [connectivity] where you’re just uploading information into their system or downloading into your system,” says Wojcinski.
Community banks should stratify which vendors present different levels of risk and focus on the vendors that have the greatest access to the bank’s internal systems or that store its most critical information.
While a bank can’t completely protect itself against an attack on a third-party vendor, it can work to “minimize the risk” with different layers of protection, making sure any intrusion causes as little damage as possible, says Wojcinski.
One tactic includes limiting what a vendor can access inside a bank instead of giving it a constant connection that it doesn’t need.
Community banks can also look at what data the vendor has and “how are we protecting that?” Wojcinski says. “Do we encrypt it before we send it? Is it in an encrypted [channel]? When a [vendor] sees it, how do they encrypt it, and how far does it stay encrypted in their system?”
When negotiating with new vendors or re-upping contracts, community banks can also make sure their agreement includes “what this software is going to do and what data [it] is going to have and where it is going to be stored,” says Andrew Hettick, information security officer at data security firm CoNetrix, which is based in Lubbock, Texas. “If a vendor does have a breach, you would know exactly what data they have and where it would be vulnerable.”
Community banks should also be aware of how long a vendor has to notify them of a breach. They should try to shorten that period for critical partners that have access to the most systems and data, he adds.
Use cybersecurity basics to prevent a third-party heist
Potential threats coming in via third parties are a growing type of cybersecurity risk, but the attack types themselves and a bank’s responses to them are not new.
For example, if a vendor provides a service that is critical to a bank’s functions, the bank should game out what it would do if that vendor was taken entirely offline by an attack. If a bank uses one vendor for all its loans, “and [the vendor is] ransomed and taken offline for three weeks, what’s your fallback plan?” asks Wojcinski. Running tabletop exercises that include this type of scenario can help a bank prepare for an attack that might not get far enough to touch its systems but could still affect daily operations.
Vendors should also have multifactor authentication in place and use complex passwords or password managers for those logins, says Tim Rawlins, director and senior advisor at the NCC Group, a global cybersecurity company based in Chicago. And banks need to ask and not just assume vendors do. After all, when the Louvre was robbed in 2025, the password to the museum’s video surveillance system was “Louvre.”
Communication is key to strong defense. Rawlins recommends that bank executives talk to not just the chief information officer and chief information security officer but also rank-and-file IT and security employees. All input about what they are experiencing and the challenges they face when working with third-party vendors is useful.
Executives might be surprised at what they hear. Sometimes, the bank might be the security problem, rather than the vendor. This can happen if the vendor must use an older, less-secure version of software because it’s the only thing that will work with the bank’s system.
“The people inside are going to know we should have upgraded,” Rawlins says, “but we just haven’t been given the budget to do it.”
Be alert for impersonation schemes
Trojan horse attacks don’t always start with hackers breaking into a bank via a third party. Sometimes, they pretend to be those vendors, says Tom Wojcinski, partner in the cybersecurity and technology management practice at Wipfli. For example, the 2023 ransomware attack on the British Library, which disrupted library operations for months, came through a hacker group that most likely used spear phishing to impersonate an IT vendor.
In 2024, a hacker successfully impersonated an approved vendor for the city of Baltimore. They stole $1.5 million by changing the real vendor’s bank accounts in Workday, the cloud-based human resources and financial management platform, and taking the payments intended for the actual vendor.
Training employees to spot phishing attacks often focuses on hackers who are pretending to be coworkers to trick someone into giving away information or money, but it should include looking for this kind of spoofing, too.
Review vendor security postures often
Assessing a vendor’s security stance is almost always part of contract negotiations and renewals. A bank’s cybersecurity insurance might also require that its vendors meet specific cybersecurity benchmarks.
But that can’t be the only time a bank evaluates its vendors’ security posture, says Farling. For low-risk vendors, a yearly check is probably enough. But for high-risk vendors—those that have access to the most sensitive data—banks should take a “continuous approach to monitoring assessment, more than the annual questionnaires,” says Farling. “The risk is too great.”
Closing these third-party vendor gaps is critical, he adds, not just for the health of the bank and potential compliance and regulatory blowback, but also for the bank’s reputation. Even if the fault lies with a third-party vendor, the bank is going to shoulder the blame.
“If you’re going to open an account and have a bank hold your money, your assets, your life savings, you are operating under the assumption that the bank is protecting your assets,” says Farling. A cyberattack, no matter where it comes from, “can erode that trust.”