ABA Banking Journal - May/June 2016 - (Page 49)

The Art of Human Hacking

BY MONICA C. MEINERT

Each year, millions of dollars are lost to a type of fraud that's particularly difficult to detect and stop, and it's all based on a criminal's ability to exploit a basic human characteristic: the tendency to trust. It's a practice called "social engineering," in which a fraudster successfully manipulates a victim into taking specific actions like sending wire transfers or giving over confidential information while posing as a trustworthy source.

"Social engineering is fraud by deception," says Mark Lowers, CEO of Lowers Risk Group, a firm based in Purcellville, Va. "It's about playing on the average individual's sense of decency."

Social engineers use a variety of tactics to gain information that can help them win over the trust of their victims. Strategies can include sophisticated approaches like phishing or the tried-and-true methods of dumpster diving, pretext calling or impersonating a company employee or business associate. Once a social engineer has the information they need to appear legitimate, they can make contact with their victim and set the scheme into motion.

Virtually anyone can fall victim to a social engineering scam, but businesses in particular have seen an increase in this type of fraud over the past several years. "[My] firm has handled dozens of cases this past year where very well-run organizations transferred big, six-figure numbers as a result of [social engineering scams]," Lowers says. "And they didn't get it back; by the time they realized, the funds had been transferred on to multiple other banks."

Email provides a particularly lucrative opportunity for social engineers: according to a 2014 study by McAfee, 97 percent of people globally were unable to correctly identify phishing emails. And the FBI reports that in the U.S. alone, there have been more than 7,000 victims and $747 million in losses as a result of business email compromise, a specific type of social engineering fraud, since 2013.

With the threat of social engineering becoming so ubiquitous, it's more important than ever for banks to have systems and policies in place to help detect and deter this type of fraud.

In business email scams, "fraudsters typically target businesses working with foreign suppliers or businesses that perform wire transfers or ACH transactions as payments," often sending phony invoices or requests for payment, explains Kim Syrop, SVP and director of fraud and loss management for Webster Bank, a $22 billion institution based in Waterbury, Conn. To the person on the receiving end, these requests seem to come from a trusted vendor, which is how so many unsuspecting employees have been duped into facilitating fraudulent transactions.

In other cases, crooks will impersonate corporate CEOs, creating fake email addresses or hacking existing email accounts. From there, Syrop says, they typically reach out to a lower-level employee with wire origination authority and request a transfer of funds, often stressing confidentiality. The employee naturally wants to comply with their boss' wishes as quickly and efficiently as possible, which is exactly what fraudsters are counting on.
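As an added illustration (not from the article or from the banks it quotes), a small Python triage routine that checks an inbound message against the red flags described above: an executive's name on a non-corporate address, a lookalike sender domain, a payment or wire request, confidentiality or urgency pressure, and a change of bank details. The staff directory, trusted-domain list, thresholds and sample messages are constructed placeholders.

```python
import re
from difflib import SequenceMatcher

# Constructed reference data standing in for a bank's staff directory and
# approved-domain list (placeholder names, not real organisations).
KNOWN_EXECUTIVES = {"jane doe": "example-bank.com"}
TRUSTED_DOMAINS = {"acme-supply.example", "example-bank.com"}
PAYMENT_RE = re.compile(r"\b(wire|ach|transfer|invoice|payment|remit)\b", re.I)
PRESSURE_RE = re.compile(r"\b(confidential|urgent|immediately|today|discreet)\b", re.I)
NEW_DETAILS_RE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(account|bank|routing|beneficiary)\b", re.I | re.S)


def domain_of(addr):
    """Lower-cased domain of 'user@host' (tolerates a trailing '>')."""
    return addr.rsplit("@", 1)[-1].rstrip(">").lower()


def looks_like_trusted(domain):
    """True when the domain is not on the list but closely resembles one that is."""
    return domain not in TRUSTED_DOMAINS and any(
        SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in TRUSTED_DOMAINS)


def red_flags(display_name, from_addr, subject, body):
    """Indicators from the article found in one message, in a fixed order."""
    flags, from_dom = [], domain_of(from_addr)
    exec_dom = KNOWN_EXECUTIVES.get(display_name.strip().lower())
    if exec_dom and from_dom != exec_dom:
        flags.append("executive name on non-corporate address")
    if looks_like_trusted(from_dom):
        flags.append("lookalike sender domain")
    for pattern, label in ((PAYMENT_RE, "payment or wire request"),
                           (PRESSURE_RE, "urgency or confidentiality pressure"),
                           (NEW_DETAILS_RE, "change of bank details")):
        if pattern.search(f"{subject}\n{body}"):
            flags.append(label)
    return flags


def hold_for_callback(flags):
    """Policy: a payment request with any other indicator is held until the
    requester is verified by phone on a number already on file."""
    return "payment or wire request" in flags and len(flags) >= 2


# Constructed samples: CEO impersonation, a vendor invoice with changed bank
# details, and an ordinary internal message.
SAMPLES = {
    "ceo_fraud": ("Jane Doe", "jane.doe@example-bank.co", "Urgent request",
                  "Wire $48,000 to a new vendor today. Keep this confidential."),
    "vendor_fraud": ("Acme Billing", "billing@acme-supp1y.example", "Invoice 1042",
                     "Please note our updated bank account details for this invoice."),
    "benign": ("Sam Lee", "sam.lee@example-bank.com", "Team lunch", "Free on Friday?"),
}
```

Run `hold_for_callback(red_flags(*SAMPLES["ceo_fraud"]))` to see the hold decision for each sample; the keyword lists are deliberately short and would be tuned to the bank's own traffic.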
Building the human firewall

Since humans are often described as the weakest link in the security chain, Lowers stresses that enterprise-wide education is critical for building a strong defense. "It's not enough for a workforce to simply have policy guidelines; they really need to be educated on how to recognize this type of fraud," he says. "They need to become a human firewall." And like any IT firewall, the human firewall must be continually tested and updated with information as new trends emerge.

At Webster Bank, Syrop makes sure that everyone, not just the fraud department, stays up to date on current trends and understands how to spot red flags. The bank makes a point to train all business line managers on fraud prevention, with the expectation that they will in turn educate both their employees and their customers.

Both Lowers and Syrop agree that building a strong fraud culture starts with bank leadership. "It's all about tone at the top," Lowers says. "Awareness, education and culture are key."
MONICA C. MEINERT is assistant editor of the ABA Banking Journal.
aba.com/BankingJournal | ABA BANKING JOURNAL