Trends & Research

Access the power of data and objective insight. Data from various sources, including NEACH surveys and member interviews, is compiled and made available as white papers, case studies, articles, benchmarking, and industry reports to provide a snapshot of both the current and future payments landscape. 

Published on Monday, October 3, 2022

Phishing: An Overview—and Why We Fall For It

It comes as no surprise that financial institutions are one of the top targets of hackers, and one of the most common methods those hackers use is phishing: using emails that initially appear legitimate but are actually malicious.


According to Deloitte, 91% of all cyber-attacks begin with a phishing email to an unsuspecting victim. The failure of one person in a bank or an office to recognize a phishing attempt could put millions of people at risk.


At NEACH’s Payments Management Conference (PMC) 2022, Alyssa Pugh, CISM, Security+, GRC Content Manager at Tandem, LLC, presented on phishing: what it is, the range of phishing emails, what attracts us to them on a psychological level, and how to defend yourself and your FI against it. Tandem is cybersecurity and compliance software designed specifically to help organizations improve their information security, stay in compliance, and lower overhead costs.


The many types of phishing

We’ve all likely heard of phishing, but how exactly is it defined? Pugh began her explanation by saying that to understand phishing, we first need to understand social engineering. The definition of that, from the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Booklet, is “a general term for trying to trick people into revealing confidential information or performing certain actions.”


She went on to say that phishing typically shows up via email. (The 2020 Verizon Data Breach Report confirms this, citing that 96% of social attacks arrive via email, and 86% are financially motivated.) Pugh supplied the technical definition of phishing: a digital form of social engineering that uses authentic-looking but bogus email to request information from users or direct them to fake websites that request information.


“Phishing always starts with an attacker—someone who wants something from you. For an organization involved in payments, that thing is money. They do that either through your email address from an information dump online through the Dark Web, or a targeted phishing attack. That’s called spearphishing. They find out some information to make the email more clickable using the information they have about you,” she said.


She continued, “That email usually has one of a few actions, such as clicking on a link or opening an attachment. The link would open a malicious website to steal your password. An attachment would install malware directly onto your computer. Or they will ask you to reply directly with information, like the last time you used the company credit card. And sometimes, they will ask you to forward the email to others. This gets them involved deeper into your organization.”


Examples of effective phishing emails

She presented several phishing emails with themes that had a high “failure rate,” meaning users clicked on them more than others with similar requests, such as:


  • Work emails: An email from a presumed company’s human resources department with a vacation policy update, asking users to click on a link to see the vacation schedule and download a form to learn how to obtain additional time off. This succeeds more than an email about something like missing forms for a tax return, Pugh said, because it’s low effort with potentially high reward for the receiver.


  • Covid-19: An email from supposed company senior leadership with a link to click on to learn about the company’s remote work policy during Covid-19. This fools more users than an email with tips to halt the spread of the pandemic locally, Pugh said, because it promises us something instead of asking us to do something.


  • Email unsubscribing: An email from a work colleague asking you to unsubscribe by clicking a link. This is more successful than an email from an organization you’re not familiar with saying you’re unsubscribed from their emails, but that if you’d like to sign up again, you can just click the link below. Pugh said that because we all get so many emails, we might not even notice whether we have or haven’t unsubscribed from them. However, an email from a supposed trusted work colleague provides the authority to make you think it’s legitimate.


  • A complaint about you: An official-looking email from a fake agency like the “Consumer Complaint Bureau” stating they have received a formal complaint about you and asking you to open the link to find out more detail. “This email is designed to make your heart sink by threatening loss of your reputation or your organization’s reputation,” Pugh said.


The psychology behind phishing

So, what makes people click on those links or download those attachments, anyway? Why are they effective? Pugh presented seven principles of persuasion that can guide us in dealing with phishing: scarcity, consistency, authority, social proof, reciprocation, unity, and liking.


  • Scarcity: People are concerned when they come across something that makes them feel like they don’t have enough, or that they have something to lose. An advertisement insisting you “act now!” provides a sense of urgency and makes you fear missing out. An email about a new form to complete ASAP to ensure you have access to your vacation days will make you want to click on it for fear of being too late. If something evokes emotion, you’ll be susceptible.


  • Consistency: As humans, if we say we are going to do something, we are likely to do it. We like consistency, and follow-through. An email from the “Customer Complaint Bureau” preys on our tendency to care about our work and the image we want to project as a consistently excellent worker.


  • Social proof: When we see other people do something, we tend to take that at face value. An email from a supposed work colleague asking you to do something provides proof that it’s ok to do it.


  • Authority: We determine what’s correct by listening to those with authority. It’s why celebrity endorsements or social media influencers succeed; we want to trust what they are telling us. This tactic is regularly used in phishing, such as emails from fake human resources or senior management.


  • Reciprocation, unity, and liking: Pugh grouped these three together because of their overlap. We like people who like us, she said; we even tend to fall for the compliments we know are insincere. That’s why a phishing email that begs us to help others, like keeping the spread of the pandemic contained, or donate here to fund research, could be successful. “Unity sells,” she added.


How FIs can be part of the solution

Although safety protocols are built into an FI’s technology infrastructure, it’s often the human element that’s most vulnerable. Staying alert to the clues is imperative for everyone, Pugh said. That said, it can be difficult to identify phishing emails that mimic regular business emails. But we can’t avoid email altogether, either. Some people, she added, won’t even trust any emails from senior leadership.


“That’s a dangerous place to get into, and it’s not what we want,” she said. “Instead, how can we keep up?”


She advised defense tactics such as noting if you’re being asked to open an attachment or click on a link. Check out the sender of the email: Even if it’s the name of someone you know, check the email address and the domain to see if it’s one that you’d typically use. Look at the tone of the email: Does it have a lot of typos, spelling or grammatical errors, or phrases you don’t use at your company? And finally, is the topic of a personal nature? If you keep topics of your work and personal emails separate, and you get an email at your work account regarding a personal issue, it might be phishing.
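The sender, link and attachment checks described above can also be run automatically when a reported email is triaged. The following Python sketch is an added example, not material from Pugh's talk or from Tandem; the organization domain, the staff directory and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: our own mail domain and a directory of known staff.
ORG_DOMAIN = "examplefi.test"
KNOWN_STAFF = {"dana hr": "dana.hr@examplefi.test"}

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: "Dana HR" <dana.hr@examplefi-benefits.test>
Subject: Vacation policy update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>New schedule: <a href="http://portal.invalid/login">https://hr.examplefi.test/vacation</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="TimeOffForm.docm"

placeholder
--b1--
"""

LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    """Return the lower-cased host of an http(s) URL, or None if it is not one."""
    m = re.match(r"https?://([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None

def triage(raw):
    """List the indicators a reader is told to look for: sender, links, attachments."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_STAFF.get(name.strip().lower())
    if expected and expected != addr.lower():
        findings.append(f"display name '{name}' uses unfamiliar address {addr}")
    if domain != ORG_DOMAIN:
        findings.append(f"sender domain {domain} is external")
    for part in msg.walk():
        if part.get_filename():
            findings.append(f"attachment: {part.get_filename()}")
        elif part.get_content_type() == "text/html":
            for href, text in LINK.findall(part.get_payload()):
                shown = host(text)
                if shown and shown != host(href):  # visible URL differs from target
                    findings.append(f"link shows {shown} but goes to {host(href)}")
    return findings
```

Calling `triage(SAMPLE)` returns four findings: the familiar name on an unfamiliar address, the external sender domain, the link whose visible text and destination differ, and the attachment.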


Some organizations allow you to mark the email as phishing, and it will go to your IT department for review. You can also do some research on your own; contact your bank or call up your colleague and ask if they sent that email. Many FIs are holding phishing training sessions to educate employees and customers; that’s been helpful but hasn’t eradicated the problem entirely, Pugh commented.


That said, we’re human. If you do click that link, for example, notify IT right away; they can start taking corrective action immediately, she said. That reduces the risk of your organization becoming a victim and dealing with consequences such as malware and fraud. Don’t be too embarrassed to do it. We all make mistakes. Not saying anything will make it worse.


Despite efforts to reduce phishing attacks, the staggering number of emails sent each day will continue to provide fertile ground for fraudsters wanting to compromise financial organizations. That’s why it’s up to all of us to be aware and do everything we can to help mitigate as much as possible.


It's important to remember, Pugh said, that cybersecurity isn’t an IT person’s issue to manage. It’s everyone’s problem, so everyone needs to be part of the solution. 



Joe Casali, AAP, NCP


AUTHOR: Elyssa Morgan, AAP, APRP
Vice President, Membership

As the VP of Membership for NEACH, Elyssa focuses on developing and implementing strategies to stay connected with current membership and educate on the value of membership. Connect with Elyssa to read more of her blogs, articles, and posts.

