Friday, June 25, 2021

Phishing Scams

QUESTION
We had training on protecting our emails from being scammed. 

On the subject of phishing, some of us were disappointed because we learned what phishing is but not how to protect ourselves from it. 

We don’t feel there is an organized effort to do enough to stop phishing scams. There must be Best Practices, yet we can’t even get the trainer to give us a list of them. 

What are some Best Practices for preventing the phishing of our emails?

ANSWER
Phishing has been trending up for a long time, evincing greater sophistication and ingenuity. Such scams adversely affect business relationships, transactions, and customer relations, and cause compromised interactions in the loan flow process. We are heavily dependent on emails to conduct business, yet phishing continues to invade email interactions with increasing frequency. 

So, how does a phishing scam work? 

Let’s illustrate using a simple order to change wiring instructions. You can extrapolate this illustration to many other business interactions. So, we’ll use it as a proxy for other areas that phishing scams can compromise. 

Although there are non-email ways of handling the change order, thousands of institutions use email, and email is ripe for attack. To change the wiring instructions, the bad actor first obtains access to the communications containing the instructions. 

The more individuals on an email thread, the greater the likelihood that one of them will be compromised unknowingly. And it only takes one person to open the gate to the scammer. In effect, the thread is only as strong as the weakest link! 

Once the bad actor has access to a target’s email, the attacker learns the details of the pending transaction and mimics the parties’ written communications. The attacker then takes over or “spoofs” certain email addresses and interposes itself in the email traffic, often starting with innocuous communications to build trust. 

Ultimately, the attacker is ready to announce a change in fund transfer details due to a bank “audit” or similar justification or no justification at all. If the attacker’s deception is undetected, the payment will transfer to the attacker’s account instead of the intended recipient. And unless the transfer is caught and reversed within 24 hours, it can be very complicated, if not impossible, to claw the funds back, resulting in a significant financial loss. 

Subsequently, there is often an investigation and a dispute regarding who bears the financial responsibility for the loss. In the meantime, the loss is all too real, fees pile up, the transaction is destabilized, and legal costs skyrocket. 

So, what are some practices to protect yourself from phishing scams? 

If you think that you can cover all possibilities to prevent phishing scams, be advised that it is not possible. The scammers tend to be one step ahead of even IT people. Indeed, whole U.S. government agencies have been hacked via phishing scams! Therefore, no single security tactic is going to thwart all attacks, given that the attackers have many targets to choose from among all of the parties involved in a transaction. 

There are a few steps you can take to reduce the likelihood of a successful attack. I’m not sure if we can call them Best Practices since dozens of proposed ways are constantly being found to prevent phishing attacks. That said, I think a viable list of Best Practices should contain some of the following safeguards. 

- Maintain strong payment authorization procedures by requiring a review of wire transfers, particularly those above a certain amount, to limit the chance of making a payment to a fraudulent account. I suggest multiple approval thresholds, obtaining verbal confirmations of wires, and educating affected personnel on the prevalence of these scams. The theme here is to be on “high alert” for any change in protocol. 

- Some companies insert the label “EXTERNAL” in all emails from external sources, thereby reminding employees to exercise caution. This label may help to identify a purported internal email coming from a spoofed email address. 

- Develop a checklist of “Red Flag” issues that require further due diligence, such as procedures for wiring to new recipients or previously unused destination accounts or any other change in the standard protocol. 

- Implement Multi-factor Authentication for emails, which can help prevent many, although not all, phishing attacks. Multi-factor Authentication is not foolproof, but it is strong protection. This authentication method requires the user to provide two or more verification factors to access a resource such as an application, an online account, or a VPN. Rather than just asking for a username and password, the user must provide one or more additional verification factors. 

- Periodically train and test employees to identify and report phishing attempts. Teach them to follow “email security hygiene,” such as checking email domains and not following links, opening documents, providing credentials, or sending payments without verifying the source. 

- You might want to get cyber insurance because it may include, among other things, coverage for misdirected funds transfers and loss of business due to a cyber event. 
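The “EXTERNAL” labelling described above can be enforced centrally rather than left to each user. The following is an added example for Exchange Online, not code from the original post; it assumes the ExchangeOnlineManagement PowerShell module is installed and the operator holds an Exchange admin role, and the rule name is a placeholder.

```powershell
# Added example: tag every message that enters from outside the organization so a
# spoofed "internal" sender is visibly flagged. Assumes ExchangeOnlineManagement is
# installed and the operator has an Exchange admin role.
Connect-ExchangeOnline

# Mail flow (transport) rule: prepend the subject and stamp a header that downstream
# filters or SIEM rules can key on. Replies that already carry the tag are skipped so
# the subject does not accumulate "[EXTERNAL] [EXTERNAL] ...".
New-TransportRule -Name "Tag external senders" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectContainsWords "[EXTERNAL]" `
    -PrependSubject "[EXTERNAL] " `
    -SetHeaderName "X-External-Sender" -SetHeaderValue "true" `
    -Priority 0

# Optional: Outlook's built-in external-sender banner, which marks the message in the
# client without altering the subject line. Either or both can be used.
Set-ExternalInOutlook -Enabled $true

# Confirm the rule is enabled and scoped as intended.
Get-TransportRule -Identity "Tag external senders" |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject
```

Staff still need to be told what the tag means, since a tagged message is not blocked, only marked.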

If you are snared in a phishing scam, it’s a good idea to consider the following actions: 

- Change account passwords for all employees on the impacted email chain and, if possible, everyone in the entire company; 

- Check relevant email accounts for any auto-forwarding rules, which attackers may create, given that they can remain running even after passwords are reset; 

- Contact counsel familiar with cyberattacks to determine appropriate steps to investigate and contain the incident, including, if needed, retaining a forensic consultant and, where possible, coordinating with other financial institutions to attempt to block the transfer of funds. 

- Contact law enforcement to assist in the recovery of the funds. While recovery can be challenging if funds have already been transferred, agencies such as the FBI do try to help; and, 

- If any accounts have been compromised, determine whether any other information was affected, such as personal information for which there could be a breach notification obligation.
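The auto-forwarding check in the list above is worth running across every mailbox, not just the one on the affected thread, because mailbox-level forwarding and inbox rules both survive a password reset. The script below is an added example for Exchange Online and is not part of the original post; it assumes the ExchangeOnlineManagement module, an Exchange admin role, and that you replace the internal domain list with your own.

```powershell
# Added example: find inbox rules and mailbox settings that forward or redirect mail
# outside the organization, or that forward and then delete the original (a common
# way to hide a hijacked thread). Assumes ExchangeOnlineManagement and an admin role.
Connect-ExchangeOnline

$internalDomains = @("example.com")   # assumption: replace with your accepted domains
$findings = @()

function Test-ExternalAddress([string]$addr) {
    # Accepts "smtp:user@domain" or "user@domain"; true when the domain is not ours.
    if (-not $addr) { return $false }
    $domain = ($addr -replace '^.*@', '').ToLower()
    return $internalDomains -notcontains $domain
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding is set outside the user's rule list, so check it first.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Kind = "MailboxForwarding"
            Rule = "(mailbox setting)"; Target = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)" }
    }
    # Inbox rules: ForwardTo/RedirectTo entries look like '"Name" [SMTP:user@domain]'.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        $external = $targets | Where-Object {
            Test-ExternalAddress ((("$_" -split '\[SMTP:')[-1]).TrimEnd(']'))
        }
        if ($external -or ($rule.DeleteMessage -and $targets)) {
            $findings += [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Kind = "InboxRule"
                Rule = $rule.Name; Target = ($targets -join '; ') }
        }
    }
}

# Review before removing anything: legitimate rules (assistants, shared inboxes) will appear too.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Rules that are confirmed malicious can be removed with Remove-InboxRule, and mailbox forwarding cleared with Set-Mailbox, after the findings have been preserved for the investigation.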

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director

Lenders Compliance Group