“You are the weakest link”

A few weeks ago you attended an industry conference, and this morning you receive a message through LinkedIn, or perhaps an email, that runs something like this:

“Hi Mr. Jones: You and I met during the reception at the recent conference. You’ll recall I ran out of cards beforehand, but I promised I’d get in touch when we all got back to work. You can find out more about my company at this link: ________.  I.M. Fake, vice-president.”

Alternatively, “Mr. Fake” may simply send you a LinkedIn request to connect, including in the request the message above.

Do you click the link provided?

Don’t be so trusting

Chances are you will click that link and the worst that will happen is you’ll receive updates about someone you don’t really need to know more about.

But there is also a chance, if you are in a position of influence in your bank, that you never met “Mr. Fake” and that you’ve been stalked online, and now targeted. That innocent-looking blue link—we all see thousands of them in a year at work—could contain malware that is intended to extract critical data from your computer or other device.

Or this could be the beginning of an attempt to obtain your credentials, in order to access important bank systems.

Banks spend a great deal on security systems, but Mark Bell, after a career in intelligence for the U.S. Air Force and in private industry security, says one of banks’ greatest sources of exposure is their people.

“The weakest link is the actual users on a bank network,” says Bell, executive vice-president of operations at Digital Defense, Inc., which provides digital security training, “ethical hacking,” and more. The LinkedIn gambit described is just one of the ways that criminals will use “social engineering” to attack a bank.

How do the bad guys know where you’ve been, to be able to pull a stunt like saying “you’ll remember we met at …”? Chances are you met dozens of people at the conference. But the criminal reaching out to you may have been continents away and was never near the event. You may have posted an update or tweeted or otherwise publicized your attendance at the meeting. So they know where you were—you told them.

Being in a senior leadership position or working in the IT department—likely with access to key systems—all can make a banker a better-than-random target for a fake would-be connection. So it pays to be cautious.

Bell says he never uses links embedded in emails nor the links built into messages like LinkedIn requests to connect. They may be legitimate, but they may not be. As soon as the click is made, you could be downloading malware.

If Bell believes a connection is worthwhile, he’ll search independently of the offered link for that company or individual. In the case of LinkedIn, he’ll open his account and find the person and connect through the LinkedIn site. When you are on the site, you can scan your list of outstanding invitations to connect and, if the same request is there, you can click on the link within LinkedIn’s system knowing that the request was legitimate. (Whether you choose to connect to a stranger or someone you only dimly remember meeting, that’s up to you and your philosophy about LinkedIn connections.)

Not taking such precautions can mean that a potential world of hurt is just one click away.

Communicate and train

Bell says executives and employees in service-oriented businesses like banking make easier targets for fraudsters because they are encouraged, even trained, to be outgoing and friendly and accessible. The bad guys count on that.

Communication with other managers within your bank can help, because it is possible that a fishy email or connection attempt has been tried on more than one staffer. Bell recommends establishing a central email or phone number where anything suspicious can be reported. When multiple bankers report such concerns, the bank can elevate the matter for investigation.

When he was in the service Bell took part in exercises where his unit was tasked with infiltrating a military facility physically and electronically. Physical security had become pretty strong, he says, but the weak links were electronic, and more often than not, exposed because of untrained or overly trusting people, not inadequate systems. Even when training has been provided, testing of that training is essential.

Some companies don’t include top managers and senior leadership in such efforts, which Bell calls a mistake. Anyone in a company can be a target, but the higher someone is on the food chain, the more criminals prize them as an opportunity for compromise.

“An attacker actually assumes that senior staff are not getting trained and tested,” Bell explains.

Don’t fall for dialed-in threats either

While online avenues represent a ripe opportunity, criminals still use the old-fashioned telephone, albeit with some new wrinkles.

Take caller identification screens. Ever get a call at home from “Private Caller” or something else that seems legitimate, only to find yourself talking to a pushy charity or even a robot offering a free cruise or other unlikely but appealing bait?

The risk is just a great on the job. Bell says fraudsters will program their caller ID signals to appear as if they are calling a company from a number in the company’s local area code, or some other source that will give the recipient of the call some confidence.

Even if that is not the tactic chosen, frauds will have done research to make their call seem as legitimate as possible. There are huge amounts of data to be gleaned from company websites that can help a fraudster appear to know what they are talking about.

Where projecting knowledge and confidence alone doesn’t get them ahead, criminals will use pressure and even fear to make the recipient drop their guard.

Frauds know that staff has been trained and tested for customer service, for example, says Bell. Staff may have heard through the grapevine that the bank is using mystery shoppers to test customer service, and no one wants to get a bad report. Unfortunately, Bell says, such concern can make them a better target for criminals.

Where there is resistance to a request that doesn’t seem quite right, criminals will resort to another concern—going over the employee’s head in some fashion. Bell says one common play, when the employee acts carefully, is “If you don’t do this for me, I’ll have to tell my boss.” The implication is that the caller’s boss will call the employee’s boss, and get them into hot water and their resolve may crumble.

Shooting a link or shooting yourself?

Although less commonly used than a few years ago, QR (quick response) codes still are seen on posters, in magazines, on business cards, and more. A mobile app scans and translates the square code into a web address, email address, or other connection.

The internet is full of articles about the risks that a code may not be from a legitimate source. Criminals can use the codes to send the shooter malware or direct the user to an unsafe site. Security companies such as Norton and Kaspersky Lab offer QR readers that check the legitimacy of a QR code before allowing a connection to go through.

The threat here is sufficient that Bell says that his firm will set up fake codes where bank employees will see them, to test if staff is shooting codes that could pose risks.

Goal: Make your bank tougher than average

A bank can install security systems, set rules, provide training, investigate spurts of similar suspicious activity, test vulnerabilities, and more, and yet Bell says that no organization is going to be 100% secure all the time.

“Nobody is ever going to get ahead of the risk,” he says. “It’s a matter of managing your risk.”

Bell says a determined criminal can break nearly any barrier. The point is to make cracking your organization more trouble than it’s worth.

“If you have reduced risk enough,” says Bell, “criminals will move on to the next target.”