Hacked and phished email accounts increasingly are serving as the staging
grounds for bank fraud schemes
targeting small businesses. The scams are decidedly low-tech and often result
in losses of just a few thousand dollars, but the attacks frequently succeed
because they exploit existing trust relationships between banks and their
Last month, scam artists hijacked private email accounts belonging to three
different customers of Western National Bank, a small financial
institution with seven branches throughout Central and West Texas. In each
case, the thieves could see that the victim had previously communicated with
bank personnel via email.
The attackers then crafted the following email, sending it to personnel at
each victim's respective local WNB bank branch.
Can you please update me with the the available balance in my account and
also the information needed to complete an outgoing wire transfer for me
today,i am on my way to my nephew funeral service but i will check my mail
often for your response.
Wade Kuehler, an executive vice president at WNB, said bank personnel
followed up on two of the requests, ignoring the request not to contact the
customer via phone. In both cases, the customers were grateful for the contact,
saying they had not sent such a request.
But the thieves struck paydirt with the third attempt, when a sympathetic
associate at the bank responded to the message with the requested balance
information. The follow-up email from the thieves included instructions to wire
money to an account at another bank, and the assistant helpfully processed the
Kuehler said WNB assumed responsibility for the loss, which he would
describe only as "small," and that the employee had been disciplined.
"This particular customer did have [an email history] with an account
officer who was doing what she believed is her job: Taking care of
Kuehler added that he's heard from other banks -- particularly other small
and regional institutions -- that have also been the subject of such attacks
"The common thread is these are legitimate e-mail accounts that have
been hacked," he said. "The hacker then e-mails anyone in the address
book that appears to be associated with a bank."
JB Snyder, principal and CEO at Bancsec, a company that specializes in network
security and penetration testing for banks, said these attacks -- even ones as
sloppily executed as the email above -- work because they target the world's
oldest and most reliable security vulnerability: exploiting trust
relationships, a.k.a. "social engineering."
"The wild thing is that this simple scheme works more than you’d
think," Snyder said. "We’ve proven this with similar social
engineering vectors – for example, with one test, we consistently walk out of a
bank with up to $50,000 in cash. The elusive obvious is that a
giant percentage of today’s business is conducted via email alone without
further verification, so the possibilities are endless."
Email accounts typically are hijacked in one of three ways: through
phishing, malware or via brute-force password guessing/reset attacks. To
sidestep phishing attacks, avoid clicking links in email (booby-trapped links
also frequently lead to malware), and only log in to accounts after loading the
login page from a local browser bookmark. Krebs's 3
Basic Rules for Online Safety keep most users out of trouble with malware.
For some tips on picking strong passwords, check out this primer.
Raleigh, NC July 15, 2010
To meet the growing cybersecurity challenges and regulatory requirements
facing the beleaguered financial industry, a new firm named Bancsec, Inc. is providing consulting services
to U.S. community banks ranging from $200 million to over $10 billion in assets.
“We are passionate about our mission, which is to help each of our client banks
develop and maintain a strong, yet flexible information security posture,” said
founder JB Snyder, a nationally-renowned financial information security expert.
To describe its array of services, the firm uses the acronym FISCALS, which
stands for Financial Information Security Consulting and Legal Services.
Considering this week’s news concerning the creation of the Consumer
Financial Protection Bureau (part of the Federal financial reform
initiative) and President Obama’s announced
agenda to provide economic incentives for boosting private sector
cybersecurity, this is a timely launch for Bancsec.
Banks are grateful. Robert Belk, Network Operations Manager of Western
National Bank in Midland, Texas, wrote, “In an industry faced with strict
privacy and security regulations, ever-changing security threats, and quickly
evolving technology, it can be a challenge to keep both electronic funds and
customer information safe and secure while having it easily accessible to the
customer. That's why it's important to have someone on our side that fully
understands these hurdles that banks face. Bancsec's high integrity, dynamic
approach and unmatched expertise in these areas are key to having effective,
secure solutions that work in the real world.”
Sean K. Clark, another cybersecurity expert, who for the past decade has
created and led successful security practices at veteran bank consulting firms,
joined Bancsec as Managing Consultant effective July 15. “JB Snyder and I each
have 20 years of experience in this industry and a great network of contacts,
and we are very excited to be joining forces again,” said Clark. “I have extreme
respect for JB’s security consulting and technical expertise. Teaming up with JB
allows us to improve the financial security consulting landscape.”
“Sean and I together have found large holes in many of the applications and
security tools that have been popular with banks this past decade, and we
fostered relationships with hundreds of banks and many security firms
nationwide,” said Snyder. “We are now creating all new materials and consulting
products, evolving proprietary methodology, and forging strategic partnerships.
We are confident that we will emerge as our nation’s best information security
consultancy for Community Banking.”
One strategic relationship is with SystemExperts
Corporation, headquartered in Sudbury, Massachusetts. Bancsec will utilize
SystemExperts’ resources for some of its information security assessments. “For
these engagements, we will be able to wrap our regulatory knowledge and banking
experience around a consulting product that will have SystemExperts’ strong
technical skills at the core,” said Snyder. “Banks will not find any better team
in the business when it comes to technical security.”
AUSTIN, Texas April 5, 2010. Sheshunoff Consulting + Solutions (SCS), leading advisors to the financial institutions industry, announced today it has acquired Brintech, a bank management consulting firm with offices in Austin and Atlanta. The acquisition helps SCS expand its business, extends its reach nationwide, and broadens
its service offerings.
“I am delighted that Brintech is joining us. Collectively, we will change the competitive landscape and increase our share of the financial institution market,” says Gabrielle Sheshunoff, President & Chief Executive Officer of SCS. “And, the opportunity to have additional talent in multiple locations throughout the country means we will be better positioned to serve our clients.”
The acquisition of Brintech strengthens SCS’ position in the financial institutions advisory services market and enables Brintech to be part of an organization targeted for growth. SCS and Brintech will continue to offer profit improvement and revenue enhancement strategy services, risk management services, and information technology services and software solutions. Both companies anticipate their customers will benefit from this union.
Hal Oswalt, Brintech’s President and CEO, will become President of Sheshunoff Consulting + Solutions/Risk Division. “We are looking forward to joining SCS and working together with them to build on each other’s strengths,” says Oswalt. “I have worked with Gabrielle Sheshunoff before as have 11 of my staff and we expect our combined organizations will reinforce our mutual goals of providing superior service to our financial institution clients.”
Mack Wood will continue as Managing Director, Consulting Services. “I am confident that the expertise and industry knowledge that Brintech brings in combination with the talent at SCS will open the door to new and exciting opportunities for all of us,” says Wood.