Not many banks are willing to go on the local television news station and talk about near-security breaches specifically at their institution. But Talmer Bank and Trust wanted to spread the word about the danger of cyber threats to other businesses as well as to consumers.
So, Greg Bixby, executive managing director and CIO, told attendees at the recent BAI Retail Delivery Systems Conference that the $6.5 billion-assets bank, headquartered in Troy, Michigan, sought out publicity about a breach.
Story of the breach
The news story centered on an email that was sent to the bank’s mortgage division CFO late in the day. It came presumably from the bank’s CEO, asking the division CFO—who was filling in for the vacationing corporate CFO—to immediately request a $20,000 wire transfer payment to a vendor.
Because the division CFO received the email on his iPhone, the domain name of the CEO’s email address wasn’t visible, so he had no way of knowing that the domain name was spelled ‘talmerrbank.com’ with an extra ‘r.’ He forwarded the request to the bank’s wire transfer team.
Luckily the wire transfer staff noticed several red flags about the request, including that the wording in the forwarded email was awkward, as though written by someone who spoke English as a second language. Another red flag was that the wire recipient was an individual rather than a business.
Bixby described another red flag: A request that comes late in the day and imparts a sense of urgency.
“Criminals hope that, in your haste, you’ll make a mistake,” said Bixby.
Talmer Bank subscribes to a service that alerts the bank when a similar domain name is registered—but there is a 24-hour delay. The domain name talmerrbank.com was registered the morning of the day that the fake wire transfer request email was sent out. The criminal took advantage of the short window.
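A check at mail-delivery time does not depend on a registration alert arriving first. The sketch below is an added example, not code from the article or the bank: it flags a From domain that is within a small edit distance of a trusted domain, and the trusted domain (inferred from the article's description), the threshold and the sample messages are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"talmerbank.com"}  # assumption: real domain, inferred from the article
MAX_DISTANCE = 2                      # assumption: edits that still count as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str) -> tuple[str, str]:
    """Return (verdict, sender_domain) based on the From header."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return "unparseable", ""
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    # Close to a trusted domain but not equal: hold for manual review.
    if any(edit_distance(domain, good) <= MAX_DISTANCE for good in TRUSTED_DOMAINS):
        return "lookalike", domain
    return "external", domain


# Constructed sample messages (not real mail).
SAMPLES = {
    "spoofed": "From: Example CEO <ceo@talmerrbank.com>\nSubject: Wire today\n\nPlease send.\n",
    "internal": "From: Example CEO <ceo@talmerbank.com>\nSubject: Agenda\n\nSee attached.\n",
    "vendor": "From: Billing <billing@vendor.example>\nSubject: Invoice\n\nSee attached.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_sender(raw))
```

A "trusted" verdict here only means the header names the real domain; sender authentication (SPF, DKIM, DMARC) is still needed to catch forgery of the exact domain, while a lookalike domain can pass those checks for itself.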
One for the bad guys
Bixby shared another example of cyber fraud at the bank—this one without a happy ending.
An identity thief, posing as a customer, contacted Talmer Bank’s call center, answered the security questions, and requested a change of address. Two weeks later, the customer called back, again answered the security questions, and asked to speak to someone about their home equity line of credit (HELOC).
The call center transferred the customer to the loan servicing center. After asking a few questions about the HELOC, the customer said they lost their HELOC checks. The loan servicing center, unaware that bank policy is to wait 30 days after an address change before issuing new checks, mailed the replacement checks.
A few weeks later, the irate real customer called the bank because their HELOC was suddenly drawn down.
Regulatory pressure builds
Bixby noted that because of security breaches such as the two he described, as well as many well-publicized cyber attacks, regulatory agencies are putting increased pressure on banks to step up their cyber security protections, both for the bank and for any third parties it does business with.
“We all outsource so it’s critical that our vendors are safe,” noted Bixby. “The regulators are looking to us to put pressure on our vendors.”
The regulators are also concerned about bank response to incidents. “The regulators are not happy with the banking industry’s oversight and follow-through on security incidents,” explained Bixby. “Too many banks consider cyber security an IT issue, when really it’s an issue that permeates all areas of the bank.”
“The regulators are sending a strong message to the banking industry that they will hold bank directors and executives liable for inaction on cyber security,” added Bixby.
For those banks that rely on insurance to cover potential cyber losses, Bixby noted that 80% of insurance cyber claims are rejected. “You think you are covered for this and instead you’re covered for that,” he said. “There are many loopholes and the insurance premiums are skyrocketing.”
And for those banks that are relying on pure luck that a breach won’t happen to them, it’s likely that luck is running out.
“A breach is not a matter of ‘if’ but a matter of ‘when’,” Bixby predicted. “I guarantee something will happen at your bank.”
For Bixby, cyber security is an issue that truly keeps him up at night.
“My nightmare is that I’m sitting at my desk and someone knocks on my door to report that our bank has been compromised and criminals have been in our network for months.”