When it comes to cybersecurity, in an ideal world you balance planning to minimize risk in the event of an attack against keeping the impact to users and the business as small as possible. That’s the way it works if all goes according to plan (spoiler alert: it usually doesn’t!)
Certainly nothing went according to plan for the banking industry in recent months. The collapse of three major banks – Silicon Valley, Signature and First Republic – took many by surprise. While many factors went into the collapse, including bad management and loose regulatory oversight, there was a secondary effect of the banks’ collapse that should give all cybersecurity professionals pause. When panic ensued, new avenues of attack opened up for bad actors looking for fresh phishing vectors. For example, a simple email sent to a panicked customer of a bank that had not implemented multi-factor authentication (MFA) could result in stolen credentials and a breach.
This raises an important question: How can financial institutions be better prepared the next time new phishing attacks appear during a crisis?
Following the bank run in which SVB customers withdrew $40 billion (one-fifth of SVB’s deposits) in a matter of hours, customers were deluged with phishing attacks in the form of deceptive emails full of fake news – often pointing to hastily registered domains designed to steal credentials. A similar fate befell First Republic (which is even larger than SVB) and Signature when it became clear they were in the same overextended position as SVB.
The crisis that started with SVB may not be over yet. It has put financial institutions on notice that the strongest form of phishing-resistant MFA should be in place before the next bank run puts the whole industry at risk. Small and regional banks may be even more vulnerable, as upgrades tend to move more slowly and they may still be using legacy systems for authentication.
In addition to upgrading IAM systems and investing in FIDO-based phishing-resistant authentication technologies, banks and the entire financial services industry can prepare employees and customers in the following ways:
- Remind both employees and customers of the dangers of phishing attacks and what kind of malicious emails they might receive during periods of increased threat. Additional training on different types of phishing attacks — spear-phishing, vishing, or DNS spoofing, for example — is also important.
- Put manual account/payment change procedures in place ahead of time and have a clear customer communication plan about each step. This is especially important for dealing with vendors who may be running the process — no account changes should happen without an actual call and human interaction, either between vendor and customer or vendor and institution.
- Incorporate a Zero Trust security model and tighten security internally across the company for all employees, limiting both physical access to critical systems and data and privileged access.
- Implement phishing-resistant authentication, such as hardware security keys like YubiKeys, to provide higher security, a better user experience and greater reliance for customers. Security keys help financial services organizations protect against fraud, stopping account takeovers and targeted attacks by offering high-assurance MFA for employees, contractors and privileged users, so that only authorized users have access to critical business and customer data and to critical systems like payroll and trading.
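Why a FIDO security key defeats the hastily registered look-alike domains described above comes down to two bindings that the relying party verifies: the browser writes the page's origin into clientDataJSON, and the authenticator signs over a hash of the rpId its credential is scoped to. The model below is an added example (not code from the original post or from any YubiKey/FIDO library); the domain names are constructed, and HMAC stands in for the key's real ECDSA signature, since the binding checks rather than the signature algorithm are the point.

```python
import hashlib, hmac, json, os, struct

RP_ID = "bank.example"                                 # constructed relying-party id
RP_ORIGIN = "https://www.bank.example"                 # origin the RP expects
PHISH_ORIGIN = "https://bank-example-secure.example"   # constructed look-alike domain

class SecurityKey:
    """Toy authenticator holding one credential scoped to a single rpId."""
    def __init__(self, rp_id):
        self.rp_id, self.secret, self.counter = rp_id, os.urandom(32), 0

    def get_assertion(self, rp_id, client_data_hash):
        # A real key only finds credentials registered under this exact rpId,
        # so a look-alike domain has nothing it can ask the key to sign with.
        if rp_id != self.rp_id:
            raise LookupError("no credential scoped to rpId %r" % rp_id)
        self.counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        return auth_data, hmac.new(self.secret, auth_data + client_data_hash, "sha256").digest()

def browser_login(key, origin, challenge):
    """The browser, not the page, fixes origin and rpId from the URL it is on."""
    host = origin.split("://", 1)[1].split("/")[0]
    rp_id = host[4:] if host.startswith("www.") else host   # simplified rpId derivation
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data, sig = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig

def verify_assertion(key_secret, challenge, client_data, auth_data, sig):
    """Relying-party side (key_secret stands in for the stored public key)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                                            # replay or wrong ceremony
    if cd.get("origin") != RP_ORIGIN:
        return False                                            # origin binding
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                            # rpIdHash binding
    expected = hmac.new(key_secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)                   # signature covers both

def demo():
    """Outcome of a genuine login versus the same key used on the phishing page."""
    key, challenge = SecurityKey(RP_ID), os.urandom(16).hex()
    genuine = verify_assertion(key.secret, challenge, *browser_login(key, RP_ORIGIN, challenge))
    try:
        browser_login(key, PHISH_ORIGIN, challenge)
        phished = "assertion produced"
    except LookupError as e:
        phished = "key refused: " + str(e)
    return {"genuine_login_accepted": genuine, "phishing_page": phished}
```

Even if a phishing site could obtain an assertion, rewriting the origin or the rpIdHash afterwards breaks the signature, so the relying party rejects it at the origin or rpIdHash check.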
Most banking infrastructures have a mix of legacy on-premises and private or public cloud-hosted services. Regardless of where applications and data reside, banks need to ensure they are protected against unauthorized access. Following these steps will ensure proper cybersecurity in financial services moving forward, help you be prepared in the face of another crisis, and improve customer relations by showing that care and forethought have been given to their financial security.
——
To learn more about how finserv can upgrade to higher-reliance systems, read our whitepaper, “Securing financial services with phishing-resistant MFA.” Read our recent blog about how banks need to act now to avoid non-compliance with new Consumer Financial Protection Bureau (CFPB) guidance here.