Recent Announcements


Fraudsters Can Initiate Wire Transfers by Hacking Your Email

posted Mar 12, 2012, 9:28 AM by JB Snyder

Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers.

Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email.

The attackers then crafted the following email, sending it to personnel at each victim's respective local WNB bank branch.

Good Morning,

Can you please update me with the the available balance in my account and also the information needed to  complete an outgoing wire transfer for me today,i am on my way to my nephew funeral service but i will check my mail often for your response.

Thanks.

Wade Kuehler, an executive vice president at WNB, said bank personnel followed up on two of the requests, ignoring the request not to contact the customer via phone. In both cases, the customers were grateful for the contact, saying they had not sent such a request.

But the thieves struck paydirt with the third attempt, when a sympathetic associate at the bank responded to the message with the requested balance information. The follow-up email from the thieves included instructions to wire money to an account at another bank, and the assistant helpfully processed the transfer.

Kuehler said WNB assumed responsibility for the loss, which he would describe only as "small," and that the employee had been disciplined. "This particular customer did have [an email history] with an account officer who was doing what she believed is her job: Taking care of customer."

Kuehler added that he's heard from other banks -- particularly other small and regional institutions -- that have also been the subject of such attacks recently.

"The common thread is these are legitimate e-mail accounts that have been hacked," he said. "The hacker then e-mails anyone in the address book that appears to be associated with a bank."

JB Snyder, principal and CEO at Bancsec, a company that specializes in network security and penetration testing for banks, said these attacks -- even ones as sloppily executed as the email above -- work because they target the world's oldest and most reliable security vulnerability: exploiting trust relationships, a.k.a. "social engineering."

"The wild thing is that this simple scheme works more than you’d think," Snyder said. "We’ve proven this with similar social engineering vectors – for example, with one test, we consistently walk out of a bank with up to $50,000 in cash. The elusive obvious is that a giant percentage of today’s business is conducted via email alone without further verification, so the possibilities are endless."

Email accounts typically are hijacked in one of three ways: through phishing, malware or via brute-force password guessing/reset attacks. To sidestep phishing attacks, avoid clicking links in email (booby-trapped links also frequently lead to malware), and only log in to accounts after loading the login page from a local browser bookmark. Krebs's 3 Basic Rules for Online Safety keep most users out of trouble with malware. For some tips on picking strong passwords, check out this primer.

New Cybersecurity Firm Steps Up

posted Jul 15, 2010, 6:50 AM by Web Master

Raleigh, NC July 15, 2010

To meet the growing cybersecurity challenges and regulatory requirements facing the beleaguered financial industry, a new firm named Bancsec, Inc. is providing consulting services to U.S. community banks ranging from $200 million to over $10 billion in assets. “We are passionate about our mission, which is to help each of our client banks develop and maintain a strong, yet flexible information security posture,” said founder JB Snyder, a nationally-renowned financial information security expert.

To describe its array of services, the firm uses the acronym FISCALS, which stands for Financial Information Security Consulting and Legal Services. Considering this week’s news concerning the creation of the Consumer Financial Protection Bureau (part of the Federal financial reform initiative) and President Obama’s announced agenda to provide economic incentives for boosting private sector cybersecurity, this is a timely launch for Bancsec.

Banks are grateful. Robert Belk, Network Operations Manager of Western National Bank in Midland, Texas, wrote, “In an industry faced with strict privacy and security regulations, ever-changing security threats, and quickly evolving technology, it can be a challenge to keep both electronic funds and customer information safe and secure while having it easily accessible to the customer. That's why it's important to have someone on our side that fully understands these hurdles that banks face. Bancsec's high integrity, dynamic approach and unmatched expertise in these areas are key to having effective, secure solutions that work in the real world.”

Sean K. Clark, another cybersecurity expert, who for the past decade has created and led successful security practices at veteran bank consulting firms, joined Bancsec as Managing Consultant effective July 15. “JB Snyder and I each have 20 years of experience in this industry and a great network of contacts, and we are very excited to be joining forces again,” said Clark. “I have extreme respect for JB’s security consulting and technical expertise. Teaming up with JB allows us to improve the financial security consulting landscape.”

“Sean and I together have found large holes in many of the applications and security tools that have been popular with banks this past decade, and we fostered relationships with hundreds of banks and many security firms nationwide,” said Snyder. “We are now creating all new materials and consulting products, evolving proprietary methodology, and forging strategic partnerships. We are confident that we will emerge as our nation’s best information security consultancy for Community Banking.”

One strategic relationship is with SystemExperts Corporation, headquartered in Sudbury, Massachusetts. Bancsec will utilize SystemExperts’ resources for some of its information security assessments. “For these engagements, we will be able to wrap our regulatory knowledge and banking experience around a consulting product that will have SystemExperts’ strong technical skills at the core,” said Snyder. “Banks will not find any better team in the business when it comes to technical security.”

Sheshunoff buys Brintech

posted Apr 19, 2010, 11:28 AM by Web Master

Interesting information. 
 
AUSTIN, Texas April 5, 2010. Sheshunoff Consulting + Solutions (SCS), leading advisors to the financial institutions industry, announced today it has acquired Brintech, a bank management consulting firm with offices in Austin and Atlanta. The acquisition helps SCS expand its business, extends its reach nationwide, and broadens its service offerings.

“I am delighted that Brintech is joining us. Collectively, we will change the competitive landscape and increase our share of the financial institution market,” says Gabrielle Sheshunoff, President & Chief Executive Officer of SCS. “And, the opportunity to have additional talent in multiple locations throughout the country means we will be better positioned to serve our clients.”

The acquisition of Brintech strengthens SCS’ position in the financial institutions advisory services market and enables Brintech to be part of an organization targeted for growth. SCS and Brintech will continue to offer profit improvement and revenue enhancement strategy services, risk management services, and information technology services and software solutions. Both companies anticipate their customers will benefit from this union.

Hal Oswalt, Brintech’s President and CEO, will become President of Sheshunoff Consulting + Solutions/Risk Division. “We are looking forward to joining SCS and working together with them to build on each other’s strengths,” says Oswalt. “I have worked with Gabrielle Sheshunoff before as have 11 of my staff and we expect our combined organizations will reinforce our mutual goals of providing superior service to our financial institution clients.”

Mack Wood will continue as Managing Director, Consulting Services. “I am confident that the expertise and industry knowledge that Brintech brings in combination with the talent at SCS will open the door to new and exciting opportunities for all of us,” says Wood.
